An administrator connects a new fiber cable and transceiver to Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?
Answer : D
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
Answer : D
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
Answer : D
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
Answer : C
An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)
Answer : C, D
Which method will dynamically register tags on the Palo Alto Networks NGFW?
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
Answer : A
What type of NAT is required to configure transparent proxy?
Answer : D
Which Panorama feature protects logs against data loss if a Panorama server fails?
Answer : B
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group
'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capacity by half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
Answer : A, D
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
Which operation will impact the performance of the management plane?
Answer : B
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
Which new PAN-OS 11.0 feature supports IPv6 traffic?
Answer : A
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
Answer : D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
What is the best definition of the Heartbeat Interval?
Answer : C
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
URL Filtering profile action: alert.
File Blocking profile action: alert.
Antivirus and WildFire action: reset-both.
Policy action: allow.
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : C
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
Answer : A
To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a 'master device' must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.
Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
Answer : B
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : B
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
Answer : B
The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.
Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.
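The top-down NAT evaluation described above, as an added Python model that is not code from the page or from PAN-OS: it shows that the /32 exclusion only takes effect when it sits above the /23 rule, and flags a rule that an earlier, broader rule shadows. Rule names are the page's; the translation labels are constructed.

```python
import ipaddress

# Added example, not from the page or PAN-OS: models top-down, first-match
# evaluation of source NAT rules. Translation labels are constructed.
NAT_RULE_1 = {
    "name": "NAT-Rule-1",
    "source": "10.0.0.0/23",              # the whole internal subnet
    "translation": "dynamic-ip-and-port",
}
NAT_RULE_2 = {
    "name": "NAT-Rule-2",
    "source": "10.0.0.10/32",             # the one server that must not be translated
    "translation": None,                  # source translation set to none
}


def first_match(rules, src_ip):
    """Return the first rule whose original source prefix contains src_ip,
    mirroring the firewall's top-down NAT policy evaluation."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["source"]):
            return rule
    return None


def translation_for(rules, src_ip):
    """(rule name, translation) applied to a packet from src_ip, or None
    when no NAT rule matches at all."""
    rule = first_match(rules, src_ip)
    if rule is None:
        return None
    return rule["name"], rule["translation"]


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule's source
    prefix already covers their entire source prefix. A shadowed exclusion
    rule is exactly the misordering the explanation above warns against."""
    shadowed = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later["source"])
        for earlier in rules[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier["source"])):
                shadowed.append(later["name"])
                break
    return shadowed


CORRECT_ORDER = [NAT_RULE_2, NAT_RULE_1]   # specific rule first
WRONG_ORDER = [NAT_RULE_1, NAT_RULE_2]     # broad rule hides the exclusion

if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(label, "10.0.0.10 ->", translation_for(order, "10.0.0.10"),
              "shadowed:", shadowed_rules(order))
```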
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.
Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?
Answer : B
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
Answer : A, B
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
Answer : C
Review the screenshots.
What is the most likely reason for this decryption error log?
Answer : D
A company wants to use GlobalProtect as its remote access VPN solution.
Which GlobalProtect features require a Gateway license?
Answer : C
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
Answer : A
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
Which three sessions are created by a NGFW for web proxy? (Choose three.)
Answer : A, B, C
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy.
Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
Answer : B, D
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
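The inheritance walk described in this analysis, as an added Python example that is not code from the page or from Panorama: it resolves an address object by climbing from a device group to Shared and returns the nearest definition. The page's flattened hierarchy does not state the parent of FW-1_DG, which is assumed here to be Shared; the 2.2.2.2 and 3.3.3.3 values are constructed, while 1.1.1.1 and 4.4.4.4 come from the page.

```python
# Added example, not from the page or Panorama: nearest-definition-wins
# resolution of an address object through a device-group hierarchy.
PARENT = {
    "Shared": None,
    "DATACENTER_DG": "Shared",
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": "Shared",
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "Shared",        # assumption: parent not stated on the page
}

# Device group -> {object name: IP}; REGIONAL_DG and OFFICE_FW_DG are empty
# as the page states; 2.2.2.2 and 3.3.3.3 are constructed values.
OBJECTS = {
    "Shared": {"Server-1": "1.1.1.1"},
    "DATACENTER_DG": {"Server-1": "2.2.2.2"},
    "DC_FW_DG": {"Server-1": "3.3.3.3"},
    "REGIONAL_DG": {},
    "OFFICE_FW_DG": {},
    "FW-1_DG": {"Server-1": "4.4.4.4"},
}

FIREWALL_DG = {"FW-1": "FW-1_DG", "FW-2": "OFFICE_FW_DG"}


def ancestry(device_group):
    """Return the device group and its ancestors, nearest first, ending at Shared."""
    chain = []
    dg = device_group
    while dg is not None:
        if dg not in PARENT:
            raise KeyError(f"unknown device group: {dg}")
        if dg in chain:
            raise ValueError("cycle in device-group hierarchy")
        chain.append(dg)
        dg = PARENT[dg]
    return chain


def resolve_object(device_group, name):
    """(device group, IP) of the definition the firewall receives: the first
    one found walking up the chain, so a child overrides every ancestor."""
    for dg in ancestry(device_group):
        value = OBJECTS.get(dg, {}).get(name)
        if value is not None:
            return dg, value
    return None


def pushed_to(firewall, name):
    """Resolve an object for a named firewall via its device-group assignment."""
    return resolve_object(FIREWALL_DG[firewall], name)


def overridden_definitions(device_group, name):
    """Ancestor definitions of `name` hidden by the effective one; handy when
    auditing why a firewall received a value other than the one expected."""
    chain = ancestry(device_group)
    found = [(dg, OBJECTS[dg][name]) for dg in chain if name in OBJECTS.get(dg, {})]
    return found[1:]


if __name__ == "__main__":
    for fw in FIREWALL_DG:
        print(fw, "receives Server-1 =", pushed_to(fw, "Server-1"))
```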
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.
However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
Answer : B
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
Answer : A
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
Answer : D
Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) is what keeps the rule future-proof. A container application is the parent that groups an application's child (functional) applications; a rule that references the container matches every child App-ID beneath it, including children that Palo Alto Networks adds later as the signature set evolves, while still matching only traffic identified as that application.
Option A (a custom application defined by ports) reverts to port-based logic and loses App-ID visibility. Option B (an application filter) risks over-broad matching because filters select by category, subcategory, technology, risk, or tag rather than by a specific application. Option C (listing only the specific child applications seen today) stops matching when new child applications are introduced. Documentation recommends container apps for this purpose.
What type of NAT is required to configure transparent proxy?
Answer : D
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect app is designed to provide secure remote access. By default it first tries to establish an IPSec tunnel to the gateway, which is preferred for performance (IPSec runs over UDP 4501 and avoids TCP-over-TCP overhead). When IPSec cannot be used, for example because an intermediate network blocks that UDP port, the app has a fallback mechanism.
C . It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel, the default behavior is to fall back to SSL/TLS (TCP 443) for the tunnel. This keeps remote access available in environments where IPSec is not feasible, at the cost of somewhat lower throughput than IPSec. The gateway's tunnel settings control this behavior: with Enable IPSec selected the app attempts IPSec first and falls back to SSL; if IPSec is disabled on the gateway the app only ever uses SSL.
This fallback is part of the app's design to keep remote users connected under varying network conditions. The GlobalProtect logs, and the tunnel type shown in the app, reveal which transport a session ended up using, which is the first thing to check when remote users report degraded performance.
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine replaces the legacy virtual router with logical routers and a richer routing feature set (for example, more complete BGP and OSPF configuration and route maps). It is enabled as a system-wide setting, not per virtual router: go to Device > Setup > Management, edit General Settings, select Advanced Routing, and commit. The change only takes effect after the firewall is rebooted. After the reboot, verify the routing configuration under Network > Routing > Logical Routers, because the routing configuration is now managed there rather than under Virtual Routers.
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
URL Filtering profile action: alert.
File Blocking profile action: alert.
Antivirus and WildFire action: reset-both.
Policy action: allow.
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Answer : A
The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.
Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.
What configuration change is necessary to implement this troubleshooting solution for the user?
Answer : C
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
Answer : D
In the second screenshot the virtual wire is made up of ethernet1/5 and ethernet1/7. A virtual wire binds two interfaces together and bypasses routing and switching entirely, so traffic entering one interface of the pair can only leave through the other.
The egress interface for traffic that enters ethernet1/7 from 192.168.111.3 to 10.46.41.113 is therefore ethernet1/5. The traffic matches the virtual wire built from ethernet1/5 and ethernet1/7, which is configured to pass VLAN-tagged traffic with tags 10 and 201, and the Security policy rule that allows traffic from zone Trust (ethernet1/7) to zone Untrust (ethernet1/5). The source and destination IP addresses play no part in the forwarding decision; the firewall simply forwards the frame out of the opposite interface of the virtual wire pair.
PBF can address which two scenarios? (Choose two.)
Answer : A, B
Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:
A . Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.
B . Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.
PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.
An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)
Answer : B, D
Palo Alto firewalls can gather User-ID mappings from proxies via Syslog (Option B), parsing log messages with user-IP data, and XFF Headers (Option D), extracting user info from HTTP headers (X-Forwarded-For) if the proxy supports it.
Option A (Client Probing) queries clients, not proxies. Option C (Server Monitoring) targets servers like AD, not proxies. Documentation lists these methods for proxy integration.
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.
How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
Answer : A
The check is `show counter global filter packet-filter yes delta yes severity drop`: `packet-filter yes` restricts the global counters to packets matching the configured packet-capture filter, `delta yes` shows only the counters that changed since the command was last run, and `severity drop` narrows the output to drop counters. Run it repeatedly while reproducing the traffic so that the incrementing counter, and the reason it names, stands out.
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B . Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C . Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
An administrator has been tasked with configuring decryption policies.
Which decryption best practice should they consider?
Answer : A
The decryption best practice the administrator should consider is A: consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Decryption intercepts and inspects encrypted traffic, which can raise privacy and compliance issues depending on the jurisdiction and the type of traffic (for example financial, health, or personal data). The administrator should understand those implications, exclude traffic that must not be decrypted (typically with a no-decrypt rule for the relevant URL categories placed above the decrypt rules), and follow the organization's guidelines so that decryption is done lawfully.
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
Answer : C
Enabling packet buffer protection globally only defines the thresholds (alert, activate, and block hold time / block duration); enforcement happens per ingress zone. The zone the flood enters through must also have Packet Buffer Protection enabled in its zone settings (Network > Zones, Enable Packet Buffer Protection); until that is done the global setting has no effect on traffic arriving in that zone.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
Answer : A
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware
category: dns-c2
threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
Which two statements correctly describe Session 380280? (Choose two.)
Answer : A, C
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
Answer : B, D, E
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content
Review the screenshots.
What is the most likely reason for this decryption error log?
Answer : D
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption is resource-intensive, and when the firewall is near its resource limits, reducing the cost of each TLS handshake helps.
C . Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
ECDSA keys are far smaller than RSA keys of comparable strength (a 256-bit ECDSA key is roughly equivalent to a 3072-bit RSA key), and ECDSA signing is cheaper than RSA signing. Because the firewall signs the impersonation certificate it generates for each decrypted server, and the client verifies that signature on every handshake, an ECDSA-based Forward Trust CA lowers the per-session handshake cost.
Applying ECDSA to traffic that is not sensitive or high-priority reduces the processing load of decryption where it matters least, which is useful when resource optimization is required.
This does not weaken the security of the decrypted traffic; it is a more resource-efficient way to perform the same decryption. The one check to make before switching is that the client population supports ECDSA certificates, since a legacy client that cannot validate them will fail the handshake.
By applying this strategy judiciously, administrators can manage the decryption workload on the firewall while continuing to inspect encrypted traffic without overburdening the firewall's resources.
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,
public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
For U-turn NAT the rule must translate the destination (the public NAT IP) to the server's private address and, because client and server sit in the same zone, also translate the source to an address on the firewall's interface in that zone. Without the source translation the server replies directly to the client on the local segment; the client then receives an answer from the server's private IP rather than the public IP it connected to, and the session fails.
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
Answer : C
A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. The syslog listener, available on the PAN-OS integrated User-ID agent and on the Windows-based User-ID agent, receives syslog messages from other systems and parses them, using syslog parse profiles (regex or field identifiers), for IP-address-to-username mappings. It can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, and proxies, regardless of the client operating system (Windows, Linux, macOS, iOS, Android). It therefore provides a comprehensive and flexible User-ID deployment for a large-scale network with heterogeneous authentication. Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)
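As an added example (not code from the page, the study guide, or Palo Alto Networks), the following Python models what the syslog listener does for this question and for the earlier question on pulling User-ID data from third-party proxies via syslog: one parse profile per log source, each with an event string that identifies a successful login plus patterns for the user and address fields, and a mapping table where the newest event for an address wins. The log lines, the profile patterns, and the default domain are constructed for illustration; real NAC, Windows, and MDM products format their events differently.

```python
"""Toy User-ID syslog listener: extract IP-to-username mappings from
heterogeneous authentication logs using per-source parse profiles."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ParseProfile:
    name: str           # log source this profile applies to
    event_string: str   # substring that identifies a successful login event
    user_re: str        # regex with a named group "user"
    addr_re: str        # regex with a named group "addr"


# Assumed formats for the three sources named in the question.
PROFILES: List[ParseProfile] = [
    ParseProfile("nac-wireless", "WLAN-AUTH-SUCCESS",
                 r"user=(?P<user>[\w.\\@-]+)", r"client-ip=(?P<addr>[\d.]+)"),
    ParseProfile("windows-dc", "EventID=4624",
                 # 4624 carries two "Account Name:" fields; only the one under
                 # "New Logon:" is the authenticated user.
                 r"New Logon:.*?Account Name:\s*(?P<user>[\w.$\\-]+)",
                 r"Source Network Address:\s*(?P<addr>[\d.]+)"),
    ParseProfile("mdm", "DeviceCheckIn",
                 r'"owner":"(?P<user>[^"]+)"', r'"ip":"(?P<addr>[^"]+)"'),
]

# Accounts that never represent a person and would only pollute the table.
IGNORE_USERS = {"system", "anonymous logon", "-"}


def normalize_user(raw: str, default_domain: str = "corp") -> Optional[str]:
    """Lower-case domain\\user form, the way User-ID stores mappings; skip
    machine accounts (trailing $) and well-known system accounts."""
    user = raw.strip().lower()
    if user.endswith("$") or user in IGNORE_USERS:
        return None
    if "\\" in user:
        return user
    if "@" in user:
        name, domain = user.split("@", 1)
        return f"{domain.split('.')[0]}\\{name}"
    return f"{default_domain}\\{user}"   # assumed default domain


def parse_line(line: str, profiles=PROFILES) -> Optional[Tuple[str, str, str]]:
    """Return (ip, domain\\user, source) or None if the line is not a usable
    login event. The first profile whose event string matches is used."""
    for p in profiles:
        if p.event_string not in line:
            continue
        u = re.search(p.user_re, line)
        a = re.search(p.addr_re, line)
        if not (u and a):
            return None
        user = normalize_user(u.group("user"))
        if user is None:
            return None
        try:
            addr = ipaddress.ip_address(a.group("addr"))
        except ValueError:
            return None   # malformed or non-IP address field
        if addr.is_loopback or addr.is_unspecified:
            return None   # local logons carry no useful client address
        return str(addr), user, p.name
    return None


def build_mappings(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """IP -> (user, source). Later events overwrite earlier ones, like the
    agent replacing a mapping when the same address re-authenticates."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, user, source = parsed
            table[ip] = (user, source)
    return table


# Constructed sample syslog lines: one per source, a failure, a machine
# account, and a re-authentication of the same address by another user.
SAMPLE_LINES = [
    "<14>Mar  3 09:01:02 nac01 WLAN-AUTH-SUCCESS user=alice@corp.example.com client-ip=10.20.1.15 ssid=Staff",
    "<13>Mar  3 09:01:05 dc01 EventID=4624 Subject: Account Name: - New Logon: Account Name: CORP\\bob Logon Type: 3 Source Network Address: 10.20.2.40",
    "<13>Mar  3 09:01:06 dc01 EventID=4624 Subject: Account Name: - New Logon: Account Name: WS-77$ Logon Type: 3 Source Network Address: 10.20.2.77",
    '<14>Mar  3 09:01:09 mdm01 DeviceCheckIn {"owner":"carol","ip":"10.20.3.9","model":"phone"}',
    "<14>Mar  3 09:02:00 nac01 WLAN-AUTH-FAIL user=mallory client-ip=10.20.1.99 reason=bad-password",
    "<14>Mar  3 09:03:00 nac01 WLAN-AUTH-SUCCESS user=dave client-ip=10.20.1.15 ssid=Staff",
]

if __name__ == "__main__":
    for ip, (user, src) in sorted(build_mappings(SAMPLE_LINES).items()):
        print(f"{ip:<12} {user:<22} via {src}")
```

The two details worth copying into a real parse profile are the event-string gate (a failed login must never create a mapping) and the machine-account filter; both are common causes of wrong user attribution when a listener is first deployed.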
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
GlobalProtect is the VPN solution that provides secure remote access to the corporate network. Every GlobalProtect user must authenticate against the authentication profile configured on the portal and gateway (for example LDAP, RADIUS, SAML, or Kerberos) before a tunnel is established, and the gateway then reports the authenticated username together with the assigned tunnel IP address to User-ID. Because no mapping exists until a user has explicitly authenticated, every IP address-to-user mapping learned from GlobalProtect is explicitly known, which is why it is the method recommended for high-security environments.
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects
Which type of role-based access is most appropriate for this project?
Answer : C
Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.
Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.
Exhibit.
Review the screenshots and consider the following information
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
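As an added example (not code from the page or from Panorama), the following Python resolves which value of an address object each firewall receives when device groups are nested: the closest device group that defines the name wins, which is exactly the override semantics described above. The page only fixes two facts, Shared = 1.1.1.1 and FW-1_DG = 4.4.4.4, and that REGIONAL_DG and OFFICE_FW_DG are empty; the parent of FW-1_DG and the values shown for DATACENTER_DG and DC_FW_DG are assumptions for illustration.

```python
"""Resolve the effective value of a device-group object for each firewall
by walking the device group hierarchy up to Shared."""
from typing import Dict, List, Optional, Tuple

# child -> parent; the top of the hierarchy is Shared.
PARENT: Dict[str, Optional[str]] = {
    "Shared": None,
    "DATACENTER_DG": "Shared",
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": "Shared",
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "OFFICE_FW_DG",   # assumed placement of FW-1_DG
}

# Objects configured at each level: {device_group: {object_name: value}}.
OBJECTS: Dict[str, Dict[str, str]] = {
    "Shared": {"Server-1": "1.1.1.1"},           # stated on the page
    "DATACENTER_DG": {"Server-1": "2.2.2.2"},    # assumed value
    "DC_FW_DG": {"Server-1": "3.3.3.3"},         # assumed value
    "REGIONAL_DG": {},                           # stated: no objects
    "OFFICE_FW_DG": {},                          # stated: no objects
    "FW-1_DG": {"Server-1": "4.4.4.4"},          # stated on the page
}

FIREWALLS: Dict[str, str] = {"FW-1": "FW-1_DG", "FW-2": "OFFICE_FW_DG"}


def ancestry(device_group: str) -> List[str]:
    """The device group followed by its ancestors up to Shared. Guards
    against a cycle in a hand-built PARENT map."""
    chain: List[str] = []
    seen = set()
    node: Optional[str] = device_group
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in device group hierarchy at {node}")
        seen.add(node)
        chain.append(node)
        node = PARENT[node]
    return chain


def resolve(firewall: str, name: str) -> Optional[Tuple[str, str]]:
    """Effective (value, defining_device_group) for an object as pushed to
    a firewall: the nearest device group that defines the name wins, like
    Panorama's override of an inherited object."""
    for dg in ancestry(FIREWALLS[firewall]):
        if name in OBJECTS.get(dg, {}):
            return OBJECTS[dg][name], dg
    return None


def overrides(name: str) -> Dict[str, str]:
    """Map each device group that redefines an inherited object to the
    ancestor it overrides; a useful pre-push check, since the same object
    name resolving to different values per firewall is rarely intended."""
    result: Dict[str, str] = {}
    for dg in PARENT:
        if dg == "Shared" or name not in OBJECTS.get(dg, {}):
            continue
        for ancestor in ancestry(dg)[1:]:
            if name in OBJECTS.get(ancestor, {}):
                result[dg] = ancestor
                break
    return result


if __name__ == "__main__":
    for fw in FIREWALLS:
        print(fw, resolve(fw, "Server-1"))
    print("overrides:", overrides("Server-1"))
```

Running the block prints FW-1 resolving to 4.4.4.4 from FW-1_DG and FW-2 resolving to 1.1.1.1 from Shared, since both of FW-2's intermediate groups are empty.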
Which Panorama feature protects logs against data loss if a Panorama server fails?
Answer : B
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group
'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What the 0 the User
Answer : D
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
Answer : C
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management
Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
Refer to the exhibit.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
Answer : B
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
Answer : D
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
Answer : B
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
Answer : B, D
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. Both are Diffie-Hellman based and provide perfect forward secrecy (PFS): they generate a new, unique session key for every SSL/TLS session and never reuse a previous key, so compromise of a long-term key does not expose past sessions. That property comes at a computational cost, because the firewall, acting as the client toward the server and as the server toward the client, must perform a fresh Diffie-Hellman computation on both sides of every decrypted session. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) uses elliptic curve cryptography and is the cheaper of the two; DHE (Diffie-Hellman Ephemeral) uses modular exponentiation in large finite-field groups and is the most expensive. Both require more CPU and memory than RSA key exchange, which does not provide PFS and instead uses the server's public and private keys to protect the session key. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)
Which link is responsible for synchronizing sessions between high availability (HA) peers?
Answer : D
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D
When Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the image that was downloaded to the secure host: in Panorama, go to Panorama > Device Deployment > Software, upload the image file from the host, and then install it on the selected managed firewalls from the same page. Panorama distributes the image to the firewalls over its management connection, so neither Panorama nor the firewalls need internet access; the image for each firewall model or series in the deployment must be uploaded separately.
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
Answer : A, D
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.
For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
Answer : B
Set the Action to take when matching a packet:
Forward---Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems)---Select the virtual system to which to forward the packet.
Discard---Drops the packet.
No PBF---Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c
If a URL is in multiple custom URL categories with different actions, which action will take priority?
Answer : C
When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).
1 block
2 override
3 continue
4 alert
5 allow
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D . A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override on a Palo Alto Networks firewall, the goal is to explicitly classify specific traffic and bypass the regular App-ID process for it. This is useful for traffic that App-ID would otherwise misidentify, or for trusted internal applications where skipping Layer-7 processing is an acceptable performance trade-off. The trade-off matters: traffic matched by an application override rule skips App-ID, and when it is overridden to a custom application the firewall also performs no Content-ID threat inspection on that traffic, so only override well-understood traffic between trusted endpoints and keep the rule's zones, addresses, and port as narrow as possible.
To successfully implement application override, the following items must be configured:
B . Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C . Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
Which source is the most reliable for collecting User-ID user mapping?
Answer : D
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.
Where can the firewall engineer define the data to be added into each forwarded log?
Answer : A
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format
Step-by-Step
Understanding Log Forwarding in PAN-OS:
Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.
Traffic logs can be customized to include additional information that meets the audit or operational requirements.
Syslog Server Profiles:
Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.
These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).
Custom Log Format:
Navigate to Device > Server Profiles > Syslog.
Within the Syslog Server Profile, define a Custom Log Format for traffic logs.
Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.
Field Specification:
In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.
Example:
$receive_time,$src,$dst,$app,$action,$rule
The engineer can include specific details as requested by the audit team.
Comparison of Other Options:
Option B: Built-in Actions within Objects > Log Forwarding Profile
Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.
Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.
Option C: Logging and Reporting Settings within Device > Setup > Management
These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.
Option D: Data Patterns within Objects > Custom Objects
Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.
Why A is Correct?
The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.
This flexibility allows the firewall engineer to meet specific compliance or audit requirements.
Documentation Reference:
PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.
PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.
Which option should the administrator use?
Answer : A
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix MetaFrame Presentation Server or XenApp, configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping.
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A . Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?
Based on the image, what caused the commit warning?
Answer : D
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
Answer : D
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
The Traffic view in the Monitor tab of the firewall GUI can display information about the NAT policy that is in use for a traffic flow, if the Source NAT or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?
Answer : C
If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. Reference: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites
An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.
What are the default values for ping interval and ping count before a failover is triggered?
Answer : C
Ping Interval---Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms).
Ping Count---Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Answer : A
The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.
Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain, Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-import-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.
What type of service route can be used for this configuration?
Answer : A
Which link is responsible for synchronizing sessions between high availability (HA) peers?
Answer : D
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
Answer : B, C, D
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover. Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
Answer : A, D
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.
For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.
Which two statements correctly describe Session 380280? (Choose two.)
Answer : A, C
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D, D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
Answer : A, B
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B . The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)
Answer : A, B
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
An administrator plans to install the Windows User-ID agent on a domain member system.
What is a best practice for choosing where to install the User-ID agent?
Answer : C
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.
What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : B
A firewall engineer is managing a Palo Alto Networks NGFW that has no DHCP server or DHCP agent configuration. Which interface mode can broadcast DHCP traffic?
Answer : B
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
Answer : B
Set the Action to take when matching a packet:
Forward---Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems)---Select the virtual system to which to forward the packet.
Discard---Drops the packet.
No PBF---Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.)
Answer : C, D
To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.
Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn't include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Answer : C
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
Which translated port number should be used when configuring a NAT rule for transparent proxy?
Answer : C
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.
To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.
This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?
Answer : A
For a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain, the most effective method is to use an Authentication policy targeting users not yet identified by the system.
A. An Authentication policy with 'unknown' selected in the Source User field:
An Authentication policy allows the firewall to challenge unidentified users for credentials. By selecting 'unknown' in the Source User field, the policy targets users who have not yet been identified by the firewall, which would include users on new BYOD devices not joined to the domain.
Once the user provides valid credentials, the firewall can authenticate the user and map their identity to subsequent sessions, enabling the application of user-based policy rules and monitoring.
This approach ensures that new and unknown devices can be properly authenticated and identified without compromising security or requiring the device to be part of the corporate domain.
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : A
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)
Answer : B, D
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer : A, B
PBF can address which two scenarios? (Choose two.)
Answer : A, B
Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.
B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.
PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.
Which protocol is supported by GlobalProtect Clientless VPN?
Answer : D
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.
Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)
Answer : A, B, C
User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on their usernames, IP addresses, and other attributes. User-ID information can be collected from various sources, such as:
A: Windows User-ID agent: A software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the user information to the firewall or Panorama for user mapping.
B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the network. GlobalProtect also collects user information from the endpoints and sends it to the firewall or Panorama for user mapping.
C: XML API: An application programming interface that allows external systems or scripts to send user information to the firewall or Panorama in XML format. The XML API can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.
What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : B
Which CLI command displays the physical media that are connected to ethernet1/8?
Answer : B
The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8 (in the state key, s1 is the slot and p8 is the port). This command is designed to filter the output to show relevant physical layer information for the specified interface.
For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
When an engineer configures an active/active high availability pair, which two links can they use? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha
These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:
HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
Answer : B
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
Answer : B
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : A
Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?
Answer : C
The 'No direct access to local network' setting in the GlobalProtect Gateway's Client Settings under Split Tunnel (Option C) prevents local resource access when enabled. Disabling it allows split tunneling to permit local traffic, resolving the issue.
Option A (Network Services) is the wrong location. Option B (Satellite) applies to a different configuration. Option D (Portal App) does not control this behavior. Documentation confirms this Gateway setting.
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.
Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
Answer : A
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover. Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.
What does Advanced WildFire do when the link is clicked?
Answer : B
Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.
The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.
Step-by-Step Explanation
Link Clicked and File Download Triggered:
When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.
URL Inspection by WildFire:
The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:
Known malicious indicators.
Suspicious elements like embedded scripts, links, or calls to external resources.
Forwarding the PE File for Analysis:
The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.
Dynamic and Static Analysis:
Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:
Suspicious code patterns.
Known malicious signatures.
Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).
Dynamic Analysis: The file is executed in a controlled virtual environment to observe:
Behavioral anomalies, like privilege escalation attempts.
Network communication, such as connections to Command and Control (C2) servers.
File system modifications or registry changes indicative of malicious intent.
Threat Verdict:
Based on its findings, WildFire classifies the URL and PE file into one of the following categories:
Benign.
Grayware.
Malware.
Phishing.
Automated Response:
If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:
Blocking access to the webpage.
Quarantining or blocking the downloaded file.
Generating a detailed alert or log entry for administrators.
Signature Update:
WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.
Advanced WildFire Configuration and Behavior
Forwarding File Types:
The WildFire analysis profile must be configured to forward relevant file types. In this case:
PE files are commonly forwarded by default since they are a known vector for malware.
Administrators can define custom forwarding rules based on file type and traffic.
Integration with the Security Profile:
WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).
URL Filtering ensures that the link itself is categorized and blocked if malicious.
WildFire's output informs and updates the threat prevention database dynamically.
Why the answer is B
WildFire performs dual analysis:
The linked webpage is checked for malicious scripts or phishing attempts.
The PE file downloaded is analyzed for malware through both static and dynamic methods.
This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.
Document Reference:
PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.
Palo Alto Networks WildFire Admin Guide:
This guide details file forwarding configurations, supported file types, and the global signature distribution process.
PAN-OS Admin Guide:
Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.
An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?
Answer : A, C
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
What must be configured to apply tags automatically based on User-ID logs?
Answer : D
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting. Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
In the following image from Panorama, why are some values shown in red?
Answer : C
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
Answer : B, C
For Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Select the log forwarding profile you created, then select this server profile as the HTTP server profile.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.
Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.
What should an engineer consider when setting up the DNS proxy for web proxy?
Answer : A
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.
Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."
Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?
Answer : D
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
Answer : B
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)
Answer : B, C, D
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
Answer : C
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)
Answer : A, B, C
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.
Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.
An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.
What are the default values for ping interval and ping count before a failover is triggered?
Answer : C
Ping Interval---Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms).
Ping Count---Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
Answer : B, D
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?
Answer : B
An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."
How should the administrator remediate this issue?
Answer : C
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Answer : A
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
Answer : B
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
Answer : B, C, D
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
Answer : B
Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.
The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the 'Tentative' state [1]. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.
Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)
Answer : A, D
What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
Answer : B
The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.
Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.
Which two actions can the administrative role called "vsysadmin" perform? (Choose two)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
PBF can address which two scenarios? (Choose two.)
Answer : A, B
Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.
B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.
PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML [1]. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet [2].
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. [3]. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy [4]. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. [5]. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
References: [1] Configure an Authentication Portal; [2] Redirect Users Through an Authentication Portal; [3] SSL Decryption Profile; [4] Decryption Policy; [5] Comfort Pages
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
Answer : A, B
Which source is the most reliable for collecting User-ID user mapping?
Answer : D
An administrator is building Security rules within a device group to block traffic to and from malicious locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
Answer : A
In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.
For verification, please refer to the Palo Alto Networks 'PAN-OS Administrator's Guide' or the official configuration documentation for Panorama and device group rules.
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
Answer : B
In Palo Alto Networks firewalls, when multiple static routes exist for the same destination, the firewall uses the administrative distance (AD) to determine route priority. The AD is a metric that indicates the trustworthiness of a route, with lower values indicating higher priority. For static routes, the default AD is 10, but this can be manually adjusted. The route with the lowest AD is preferred and added to the routing table. If AD values are equal, the firewall then considers the metric (default 10), but AD is the primary differentiator.
Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto's implementation.
Why would a traffic log list an application as "not-applicable''?
Answer : A
A traffic log would list an application as 'not-applicable' if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. [1]. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a 'not-applicable' entry in the application field of the traffic log [1].
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
Answer : A
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
Answer : C
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current BGP state between the two devices?
Answer : D
A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
Answer : A, B
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
What is the best definition of the Heartbeat Interval?
Answer : C
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
"A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
What are three prerequisites for credential phishing prevention to function? (Choose three.)
Answer : A, D, E
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?
Answer : B
In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS
https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications [1][2]. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
What is the best description of the Cluster Synchronization Timeout (min)?
Answer : A
The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier [1][2]. Reference: Configure HA Clustering, PCNSE Study Guide (page 53)
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
Answer : B
If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
A company wants to add threat prevention to the network without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : A, D
A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing [1].
A: Virtual Wire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment [2]. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it out the other interface of the pair [2].
D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses [3]. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table [3].
Verified Reference:
1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan
2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html
3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
As a best practice, logging at session start should be used in which case?
Answer : A
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.
To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.
This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.
A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?
Answer : A
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : C
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)
Answer : C, D
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Refer to Exhibit:
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, would most likely stop only Traffic logs from being sent from the NGFW to Panorama?
Answer : A
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
Answer : B, C, D
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Answer : C
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
Answer : A
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover. Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can pass the broadcast DHCP traffic?
Answer : B
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
Based on the image, what caused the commit warning?
Answer : D
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
Answer : A
An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy?
Answer : B
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?
Answer : D
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.
Which option should the administrator use?
Answer : A
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix MetaFrame Presentation Server or XenApp, configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping.
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)
Answer : A, B
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
Answer : B
A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.
What must occur to have Antivirus signatures update?
Answer : D
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
Answer : C
When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the 'Preview Changes' feature.
A. Click Preview Changes under Push Scope:
The 'Preview Changes' option is available under the 'Push Scope' in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.
This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.
This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.
Which Panorama feature protects logs against data loss if a Panorama server fails?
Answer : B
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group
'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
What is the purpose of the firewall decryption broker?
Answer : A
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
Which log type is supported in the Log Forwarding profile?
Answer : C
The UDP-4501 protocol-port is used between which two GlobalProtect components?
Answer : B
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
Which feature can provide NGFWs with User-ID mapping information?
Answer : C
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Which new PAN-OS 11.0 feature supports IPv6 traffic?
Answer : A
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
An administrator has been tasked with configuring decryption policies,
Which decryption best practice should they consider?
Answer : A
The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
Answer : B, D, E
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
Answer : C
The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
If in doubt, log in to the firewall, go to Vulnerability > Exceptions, and select 'Show all signatures'. From there you will see all threat information, including the specific actions.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
Which tool can gather information about the application patterns when defining a signature for a custom application?
Answer : C
Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.
Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.
View the screenshots
A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?
Answer : B, D
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
Answer : C
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
Answer : D
A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic?
Answer : B
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
URL profile action alert.
File Profile action alert.
AV and Wildfire action Reset-both
Policy Action Allow.
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
What is the best definition of the Heartbeat Interval?
Answer : C
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
Answer : A
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
Answer : C
A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network. Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches to only the new App-IDs in the most recently installed content releases. When a new content release is installed, the New App-ID characteristic automatically begins to match only to the new App-IDs in that content release version. This way, the engineer can see how the newly-categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?
Answer : B
For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.
Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
Answer : D
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
Which rule type controls end user SSL traffic to external websites?
Answer : B
The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.
This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
Answer : B, D, E
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic [1].
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. [2]. The administrator can also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN [3].
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes [4].
An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy [5].
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets [6].
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application [7].
References: [1] QoS Overview, [2] Configure QoS, [3] QoS Use Cases, [4] QoS Best Practices, [5] Application Override, [6] QoS FAQ, [7] Create a QoS Policy Rule
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
Which type of zone will allow different virtual systems to communicate with each other?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
Answer : B, C, D
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.
What configuration change is necessary to implement this troubleshooting solution for the user?
Answer : C
Why would a traffic log list an application as "not-applicable''?
Answer : A
A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Answer : A
The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.
Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.
What type of service route can be used for this configuration?
Answer : A
As a best practice, which URL category should you target first for SSL decryption?
Answer : B
Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.
Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three.)
Answer : B, C, D
A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
Answer : B
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
Answer : B, D
The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:
B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.
D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.
SAML SLO is supported for which two firewall features? (Choose two.)
Answer : A, B
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : B
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.
An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.
Which installer package file should the administrator download from the support site?
Answer : A
Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?
Answer : D
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)
Answer : A, B
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
Answer : D
The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods.
Reference: DoS Protection; PCNSE Study Guide (page 58)
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
Answer : A, D
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
Answer : D
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
Answer : A, D
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.
For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
Answer : C
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.
Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?
Answer : C
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Reference: Policy-Based Forwarding; Packet Flow Sequence in PAN-OS
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Reference: Configure an Authentication Portal; Redirect Users Through an Authentication Portal; SSL Decryption Profile; Decryption Policy; Comfort Pages
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
Which protocol is supported by GlobalProtect Clientless VPN?
Answer : C
A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What must the company do in order to use PAN-OS MFA?
Answer : D
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
Answer : C
An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy?
Answer : B
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer : A, B
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
Answer : A
https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 'Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration.' 'You need to be careful what is actually defined in the template. For example, if you decide to enable HA in the template, but after that you decide to not push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox), this will still be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value.'
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
Answer : B, D, E
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.
An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.
Reference: QoS Overview; Configure QoS; QoS Use Cases; QoS Best Practices; Application Override; QoS FAQ; Create a QoS Policy Rule
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to users. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.22/128, and the Microsoft Exchange servers reside in 192.168.28.48/28. What the 0 the User
Answer : D
View the screenshots
A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct?
Answer : B, D
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What must the administrator do to correct this issue?
Answer : C
In order to see what is in a template, the device group needs the template referenced. Even if you add the firewall to both the template and the device group, the device group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications [1][2].
Reference: [1] New App Viewer (Policy Optimizer), [2] PCNSE Study Guide (page 47)
A security engineer needs to mitigate packet floods that occur on the RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Answer : A
An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
Answer : A
A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.
In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)
Answer : A, D, E
For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:
A. External zones with the virtual systems added:
External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.
D. Add a route with next hop next-vr by using the VR configured in the virtual system:
When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.
E. Ensure the virtual systems are visible to one another:
Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.
By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
Answer : B, C, D
Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?
Answer : D
A company has recently migrated their branch office PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
Answer : B
The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.
Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?
Answer : C
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
Answer : B
Set the Action to take when matching a packet:
Forward: Directs the packet to the specified Egress Interface.
Forward to VSYS (on a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.
Discard: Drops the packet.
No PBF: Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
Which type of zone will allow different virtual systems to communicate with each other?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
Answer : D
The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods [1][2].
Reference: [1] DoS Protection, [2] PCNSE Study Guide (page 58)
Which CLI command displays the physical media that are connected to ethernet1/8?
Answer : B
The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8 (slot 1, port 8). This command is designed to filter the output to show relevant physical layer information for the specified interface.
For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.
What configuration change is necessary to implement this troubleshooting solution for the user?
Answer : C
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)
Answer : A, B, C
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that, because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
Answer : C
For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.
C. The process involves:
Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.
Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.
This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS
https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)
Answer : B, C
Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.
Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
Which administrative authentication method supports authorization by an external service?
Answer : C
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix [2]. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality [3].
Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
The Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view [1]. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port [2]. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload [1][2].
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed [3][4].
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput [5][6].
Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
Answer : B, D
When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:
B. Template stacks:
Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.
D. Variables:
Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.
By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
Which log type is supported in the Log Forwarding profile?
Answer : C
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?
Answer : A
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
Answer : C
When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?
Answer : D
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
Answer : D
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers, including future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
Answer : A
An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
Answer : B, C, E
PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2, or Layer 3 mode.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
Answer : B, C
For Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Select the log forwarding profile you created, then select this server profile as the HTTP server profile.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.
Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
Answer : B
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
Answer : D
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
What should an engineer consider when setting up the DNS proxy for web proxy?
Answer : A
Which log type is supported in the Log Forwarding profile?
Answer : C
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)
Answer : A, D
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template an engineer can configure? (Choose three.)
Answer : A, C, D
A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:
A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.
C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.
D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
Answer : A
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose two.)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
Answer : B
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
Answer : C
For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.
C. The process involves:
Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.
Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.
This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.
What happens when the log forwarding built-in action with tagging is used?
Answer : A
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.
What type of NAT is required to configure transparent proxy?
Answer : D
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
Answer : A, D
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.
For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
Which two statements correctly describe Session 380280? (Choose two.)
Answer : A, C
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches to only the new App-IDs in the most recently installed content releases. When a new content release is installed, the New App-ID characteristic automatically begins to match only to the new App-IDs in that content release version. This way, the engineer can see how the newly-categorized applications might impact security policy enforcement and make any necessary adjustments.
Reference: Monitor New App-IDs
If a URL is in multiple custom URL categories with different actions, which action will take priority?
Answer : C
When a URL matches multiple categories, the category chosen is the one that has the most severe action as ranked below (block being the most severe and allow the least severe):
1. block
2. override
3. continue
4. alert
5. allow
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
Which three sessions are created by a NGFW for web proxy? (Choose three.)
Answer : A, B, C
Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
Answer : B, D
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
Answer : D
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.
An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?
Answer : C
To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.
C. This can be achieved by:
Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.
Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.
This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.
Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can pass the broadcast DHCP traffic?
Answer : B
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
Answer : C
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management
Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware
category: dns-c2
threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.
To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.
This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
Which administrative authentication method supports authorization by an external service?
Answer : C
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : C
Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.
Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read-only to control what administrators can configure.
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.
What must be configured to apply tags automatically based on User-ID logs?
Answer : D
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting.
Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?
Answer : D
An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.
Which installer package file should the administrator download from the support site?
Answer : A
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
Answer : B
Schedule content updates so that they download and install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : A
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D, D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates.The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed34.
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption.The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput56.
Encryption Algorithms,TLS Protocol Versions,Decryption Policy, PCNSE Study Guide (page 60)
Refer to the exhibit.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
Answer : B
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
Answer : A
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Answer : C, D
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.
Where can the firewall engineer define the data to be added into each forwarded log?
Answer : A
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format
Step-by-Step
Understanding Log Forwarding in PAN-OS:
Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.
Traffic logs can be customized to include additional information that meets the audit or operational requirements.
Syslog Server Profiles:
Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.
These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).
Custom Log Format:
Navigate to Device > Server Profiles > Syslog.
Within the Syslog Server Profile, define a Custom Log Format for traffic logs.
Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.
Field Specification:
In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.
Example:
$receive_time,$src,$dst,$app,$action,$rule
The engineer can include specific details as requested by the audit team.
Comparison of Other Options:
Option B: Built-in Actions within Objects > Log Forwarding Profile
Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.
Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.
Option C: Logging and Reporting Settings within Device > Setup > Management
These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.
Option D: Data Patterns within Objects > Custom Objects
Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.
Why A is Correct?
The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.
This flexibility allows the firewall engineer to meet specific compliance or audit requirements.
Documentation Reference:
PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.
PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
Answer : B
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
Which translated port number should be used when configuring a NAT rule for transparent proxy?
Answer : C
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
Which type of zone will allow different virtual systems to communicate with each other?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
Answer : C, D
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
Answer : D
Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) ensures future-proofing. Container apps (e.g., 'web-browsing') include child apps (e.g., specific web services) as signatures evolve, maintaining rule accuracy without over-matching unrelated traffic.
Option A (custom app with ports) reverts to port-based logic, losing App-ID benefits. Option B (application filter) risks overbroad matching (e.g., by category). Option C (specific apps) lacks flexibility for new child apps. Documentation supports container apps for this purpose.
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
Answer : A, B
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
A firewall administrator wants to have visibility into one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?
Answer : D
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?
Answer : C
To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.
C. This can be achieved by:
Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.
Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.
This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.
In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)
Answer : A, D, E
For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:
A. External zones with the virtual systems added:
External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.
D. Add a route with next hop next-vr by using the VR configured in the virtual system:
When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.
E. Ensure the virtual systems are visible to one another:
Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.
By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.
Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud (global (U.S.), regional, and private) analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
Answer : C
The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources. Option D is false; the standalone agent can run on any server.
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can broadcast DHCP traffic?
Answer : B
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID that has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?
Answer : B
In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Answer : A
A company wants to use GlobalProtect as its remote access VPN solution.
Which GlobalProtect features require a Gateway license?
Answer : C
Review the screenshots.
What is the most likely reason for this decryption error log?
Answer : D
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy?
Answer : B
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Answer : A
The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.
Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
Answer : A
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
Answer : B
What must be configured to apply tags automatically based on User-ID logs?
Answer : D
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting. Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
Why would a traffic log list an application as "not-applicable''?
Answer : A
A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.
When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
Answer : C, D
A firewall engineer is managing a Palo Alto Networks NGFW that has no DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic through the firewall?
Answer : B
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server as well as to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the Palo Alto Networks log collectors are currently processing at that time. Which method is the most time-efficient way to complete this task?
Answer : A
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall, not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the certificate for the website https://www.important-website.com. End users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End users must not get the warning for the https://www.very-important-website.com/ website.
2. End users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
Answer : B
When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.
Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
Answer : D
Which log type would provide information about traffic blocked by a Zone Protection profile?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC
D is the correct answer because the threat log provides information about traffic blocked by a Zone Protection profile. Zone Protection profiles protect the network from attacks, including common flood, reconnaissance and other packet-based attacks. These attacks are classified as threats by the firewall and are logged in the threat log, which displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats.
Verified Reference:
1:Zone protection profiles - Palo Alto Networks Knowledge Base
2:Threat Log Fields - Palo Alto Networks
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
Answer : C
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls
Which type of zone will allow different virtual systems to communicate with each other?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
Answer : D
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.
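The longest-prefix match that test routing fib-lookup performs can be reproduced in a few lines, which makes it easier to see why a /24 beats a /16 and why the default route only wins when nothing more specific covers the address. The following Python block is an added example written for this page, not firewall code; the forwarding table, next hops and interface names in it are made up for illustration.

```python
import ipaddress

# Constructed forwarding table for a hypothetical virtual router "default".
# Tuples are (destination prefix, next hop, egress interface); the addresses
# and interface names are assumptions for this example, not real firewall data.
FIB_DEFAULT = [
    ("0.0.0.0/0",      "203.0.113.1", "ethernet1/1"),   # default route
    ("10.0.0.0/8",     "10.0.0.1",    "ethernet1/2"),
    ("10.2.0.0/16",    "10.2.0.1",    "ethernet1/3"),
    ("10.2.5.0/24",    "0.0.0.0",     "ethernet1/4"),   # directly connected
    ("192.168.0.0/16", "10.0.0.1",    "ethernet1/2"),
    ("2001:db8::/32",  "2001:db8::1", "ethernet1/5"),
]


def fib_lookup(ip, fib=FIB_DEFAULT):
    """Return (prefix, next_hop, interface) for the longest matching prefix,
    or None when nothing matches (no default route covers the address).
    IPv4 and IPv6 entries share the table; a prefix of the other address
    family never matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop, iface in fib:
        net = ipaddress.ip_network(prefix, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        # Longest prefix wins. Metric and administrative distance decide which
        # route reaches the FIB when the RIB is built, not the lookup itself.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def egress_interface(ip, fib=FIB_DEFAULT):
    """Just the interface the firewall would send the packet out of."""
    hit = fib_lookup(ip, fib)
    return None if hit is None else hit[2]


def show_lookup(ip, fib=FIB_DEFAULT):
    """Human-readable line in the spirit of the CLI's fib-lookup output."""
    hit = fib_lookup(ip, fib)
    if hit is None:
        return f"{ip}: no route"
    prefix, next_hop, iface = hit
    return f"{ip}: via {next_hop} dev {iface} (matched {prefix})"


if __name__ == "__main__":
    for target in ("10.2.5.3", "10.2.9.9", "10.9.9.9", "8.8.8.8", "2001:db8::10"):
        print(show_lookup(target))
```

The lookup for 10.2.5.3 lands on the connected /24 even though the /16 and the /8 also contain it, which is the point of checking the FIB rather than eyeballing the static route list; an address with no covering prefix (here any IPv6 address outside 2001:db8::/32, since the table has no IPv6 default) returns None, the equivalent of the firewall having no route.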
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
Answer : C
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B creates a DUG whose match criteria select a 'malicious' tag, a Log Forwarding profile whose built-in action applies that tag to the source user whenever a threat log matches the filter, and a Security policy rule that blocks the DUG. This relies on User-ID (the firewall must already know which user is behind the source IP) and is the documented approach for user-based rather than IP-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value is 8000 ms on all platforms, and the range is 8000-60000 ms. Hello packets, together with the ICMP heartbeats sent over the control link, are how each peer confirms the other is alive; if they stop arriving, the firewall treats the peer as failed and, subject to the other HA timers, initiates a failover. Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
Answer : D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
A security engineer is informed that the Vulnerability Protection profile on their on-premises Palo Alto Networks firewall is triggering on a common Threat ID that has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the Vulnerability Protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
Answer : B, D
When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:
B. Template stacks:
Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.
D. Variables:
Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.
By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
In the following image from Panorama, why are some values shown in red?
Answer : C
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Answer : C, D
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
Answer : B
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This captures the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, because they generate a relatively high volume of captures that are of little value compared with the higher-severity threats. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
Review the information below. A firewall engineer creates a U-turn NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
Besides flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks, in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches that limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
Answer : A
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
The log snippet shows the following actions:
URL Filtering profile action: alert
File Blocking profile action: alert
Antivirus and WildFire action: reset-both
Policy action: allow
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
Answer : D
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active HA pair, a firewall that experiences a failure of a monitored path (or link) enters the Tentative state. A firewall in this state synchronizes sessions and configuration from its peer and does not process packets itself; packets it receives are sent to the peer over the HA3 link for processing. It stays in this state until the monitored object recovers and it can return to normal operation. Therefore, the correct answer is B, Tentative.
UDP port 4501 is used between which two GlobalProtect components?
Answer : B
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
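The tagging workflow this answer describes (and the dynamic user group answer earlier on the page) can be modelled end to end: filter the logs, build the register or register-user payload in the uid-message XML format that the User-ID API accepts, and evaluate a group's match expression against the tagged objects. The block below is an added example for this page, not PAN-OS code; the threat log records, tag names and match expressions are constructed for illustration, and the in-memory tag tables stand in for the firewall's registered-IP and registered-user tables.

```python
import re
import xml.etree.ElementTree as ET

# Constructed threat log records for this example (not real firewall output);
# the keys mirror PAN-OS threat log field names.
THREAT_LOGS = [
    {"src": "10.1.1.15", "srcuser": "corp\\jdoe",   "severity": "critical", "subtype": "spyware"},
    {"src": "10.1.1.16", "srcuser": "corp\\asmith", "severity": "low",      "subtype": "vulnerability"},
    {"src": "10.1.1.17", "srcuser": "",             "severity": "high",     "subtype": "virus"},
]
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def matches(log, min_severity="high"):
    """Stand-in for a log forwarding match list filter such as (severity geq high)."""
    return SEVERITY[log["severity"]] >= SEVERITY[min_severity]

def register_payload(kind, values, tag, timeout=3600):
    """Build the uid-message XML the User-ID API accepts. kind is 'register'
    (tag an IP; feeds dynamic address groups) or 'register-user' (tag a user;
    feeds dynamic user groups). timeout is seconds until the tag expires on
    the firewall; 0 keeps it until it is explicitly unregistered."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    section = ET.SubElement(ET.SubElement(root, "payload"), kind)
    attr = "ip" if kind == "register" else "user"
    for value in values:
        tags = ET.SubElement(ET.SubElement(section, "entry", {attr: value}), "tag")
        ET.SubElement(tags, "member", {"timeout": str(timeout)}).text = tag
    return ET.tostring(root, encoding="unicode")

def apply_payload(payload_xml, table):
    """Apply a payload to an in-memory tag table {object: set(tags)}, standing
    in for the firewall's registered-IP / registered-user tables."""
    for entry in ET.fromstring(payload_xml).iter("entry"):
        key = entry.get("ip") or entry.get("user")
        table.setdefault(key, set()).update(m.text for m in entry.iter("member"))
    return table

def tag_from_logs(logs, tag="malicious"):
    """The log forwarding built-in action: for every matching threat log, tag
    the source IP, and also the source user when User-ID resolved one."""
    hits = [log for log in logs if matches(log)]
    tables = {"ip": {}, "user": {}}
    apply_payload(register_payload("register", sorted({h["src"] for h in hits}), tag), tables["ip"])
    users = sorted({h["srcuser"] for h in hits if h["srcuser"]})
    if users:
        apply_payload(register_payload("register-user", users, tag), tables["user"])
    return tables

# Tokens of a dynamic group match expression: parentheses, and/or/not, 'tag'.
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|'[^']*'")

def _evaluate(tokens, tags):
    """Recursive-descent evaluation: 'not' binds tightest, then 'and', then 'or'."""
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok == "not":
            return not atom()
        return tok.strip("'") in tags

    def term():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = atom() and value
        return value

    def expr():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = term() or value
        return value

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result

def group_members(table, expression):
    """Members of a dynamic address/user group: objects whose tags satisfy
    the group's match expression, e.g. 'malicious' and not 'scanner'."""
    tokens = _TOKEN.findall(expression)
    if not tokens:
        raise ValueError("empty expression")
    return sorted(obj for obj, tags in table.items() if _evaluate(tokens, tags))
```

Two details matter operationally. The tag carries a timeout, so a host that stops tripping threat signatures drops out of the group on its own; set it to 0 only when an analyst is expected to unregister the tag by hand. And the low-severity event for 10.1.1.16 never produces a tag, which is why the match list filter, not the security policy, decides who gets blocked.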
An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.
Which option should the administrator use?
Answer : A
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix MetaFrame Presentation Server or XenApp, configure the Palo Alto Networks Terminal Server (TS) Agent for user mapping.
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer : A, B
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-user mapping in the network. During the rollout, Information Security identified a gap for users authenticating to the VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that the authentication events were not captured on the domain controllers being monitored. Information Security found that the authentication events existed on the Identity Management solution (IDM), but there did not appear to be a direct integration between PAN-OS and the IDM solution.
How can Information Security extract and learn IP-to-user mapping information from the authentication events for VPN and wireless users?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading a Panorama-managed environment in this order: Panorama first, then the log collectors, and finally the firewalls. Panorama must run a PAN-OS version equal to or later than that of any device it manages in order to push configuration and receive logs, so it goes first; dedicated log collectors must match Panorama's version, so they follow; the firewalls (physical and virtual alike) are upgraded last to preserve operational continuity.
Options A, B, and D risk version mismatches or loss of management. This sequence minimizes downtime and ensures compatibility, as per the official upgrade guidelines.
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
Answer : B
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
To generate email alerts when decryption rules are changed, configure log forwarding for the log type that actually records policy changes: the Configuration log, not the System log. Every set, edit, delete or commit of a policy rule is written to the Configuration log with the administrator, the command and the configuration path that was touched, so a filter on that log is what identifies decryption-rule changes.
The configuration is done under Device > Log Settings. Add a Configuration log forwarding entry whose filter matches the decryption rulebase (for example, a filter on the configuration path containing the decryption rulebase), and select an Email server profile (Device > Server Profiles > Email) as the forwarding destination. Each matching configuration event then produces an email. The same approach can be applied in Panorama for changes made there.
This setup ensures that the security team is promptly notified of any change to the decryption policies, so that unauthorized or unintended changes can be reviewed and reverted quickly. It is an essential part of maintaining the security posture of the network and of ensuring compliance with organizational policies on encrypted traffic inspection.
View the screenshots
A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?
Answer : B, D
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
URL profile action alert.
File Profile action alert.
AV and Wildfire action Reset-both
Policy Action Allow.
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
Which operation will impact the performance of the management plane?
Answer : B
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
A firewall administrator wants to have visibility into one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator plans to apply security rules on segment X after getting visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruption and without making any IP changes. What is the best option for the administrator to take?
Answer : D
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
Answer : B
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
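As an added example (not code from the page or from Palo Alto Networks), the following Python simulates the mechanism described above: log events whose built-in action tags an IP, the resulting registered-IP table, and a Dynamic Address Group whose match criteria are evaluated against each IP's tags. The event field names and tag names are constructed for the example; the match-criteria grammar (quoted tag names joined with and/or/not and parentheses) follows the DAG syntax the firewall uses.

```python
import re
from collections import defaultdict

# Constructed sample events: each represents a log entry that matched a
# Log Forwarding profile whose built-in action adds a tag to the destination IP.
# Field names are assumptions for the example, not PAN-OS log fields.
SAMPLE_EVENTS = [
    {"dst_ip": "203.0.113.10", "severity": "critical", "action_tag": "bad-destination"},
    {"dst_ip": "203.0.113.10", "severity": "high", "action_tag": "bad-destination"},
    {"dst_ip": "198.51.100.7", "severity": "low", "action_tag": "suspicious"},
    {"dst_ip": "192.0.2.44", "severity": "critical", "action_tag": "bad-destination"},
]


def register_tags(events):
    """Simulate the firewall's registered-IP table: ip -> set of tags."""
    registry = defaultdict(set)
    for event in events:
        registry[event["dst_ip"]].add(event["action_tag"])
    return registry


# DAG match criteria look like:  'tagA' and ('tagB' or not 'tagC')
# Tokens: quoted tag names, the words and/or/not, and parentheses.
_TOKEN = re.compile(r"\s*(?:('[^']*')|(\(|\))|(and|or|not))", re.I)


def _tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if not match:
            if expr[pos:].strip() == "":
                break
            raise ValueError(f"bad match criteria near {expr[pos:]!r}")
        pos = match.end()
        if match.group(1):
            tokens.append(("TAG", match.group(1)[1:-1]))
        elif match.group(2):
            tokens.append(("PAREN", match.group(2)))
        else:
            tokens.append(("OP", match.group(3).lower()))
    return tokens


def matches(criteria, tags):
    """Recursive-descent evaluation of the match criteria against one IP's tag set."""
    tokens = _tokenize(criteria)

    def parse_or(i):
        value, i = parse_and(i)
        while i < len(tokens) and tokens[i] == ("OP", "or"):
            rhs, i = parse_and(i + 1)
            value = value or rhs
        return value, i

    def parse_and(i):
        value, i = parse_not(i)
        while i < len(tokens) and tokens[i] == ("OP", "and"):
            rhs, i = parse_not(i + 1)
            value = value and rhs
        return value, i

    def parse_not(i):
        if i < len(tokens) and tokens[i] == ("OP", "not"):
            value, i = parse_not(i + 1)
            return (not value), i
        return parse_atom(i)

    def parse_atom(i):
        if i >= len(tokens):
            raise ValueError("unexpected end of match criteria")
        kind, text = tokens[i]
        if kind == "TAG":
            return (text in tags), i + 1
        if (kind, text) == ("PAREN", "("):
            value, i = parse_or(i + 1)
            if i >= len(tokens) or tokens[i] != ("PAREN", ")"):
                raise ValueError("missing ')' in match criteria")
            return value, i + 1
        raise ValueError(f"unexpected token {text!r}")

    value, i = parse_or(0)
    if i != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return value


def dynamic_address_group(criteria, registry):
    """IPs whose registered tags satisfy the DAG match criteria (sorted for stable output)."""
    return sorted(ip for ip, tags in registry.items() if matches(criteria, tags))


if __name__ == "__main__":
    registry = register_tags(SAMPLE_EVENTS)
    print(dynamic_address_group("'bad-destination'", registry))
    print(dynamic_address_group("'suspicious' or ('bad-destination' and not 'reviewed')", registry))
```

A block rule whose destination is the DAG takes effect as soon as an IP is tagged; no commit is needed, which is the point of the built-in action. The same evaluator also shows why an untag action (or a tag timeout) matters: an IP leaves the group the moment its tags no longer satisfy the criteria.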
Exhibit.
Review the screenshots and consider the following information
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
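The lookup performed in the analysis above, as an added example that is not part of the original page or of Panorama itself: walk from the firewall's device group up to Shared and take the nearest definition of the object. The parent links are an assumption reconstructed from the analysis (the exhibit is not on this page), the 1.1.1.1 and 4.4.4.4 values are the ones from the question, and 2.2.2.2 is a constructed value that shows an override at an intermediate level.

```python
# Device-group hierarchy as parent links. Assumed for the example; Panorama's
# real hierarchy is shown in the exhibit, which is not reproduced on this page.
PARENT = {
    "Shared": None,
    "DATACENTER_DG": "Shared",
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": "Shared",
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "OFFICE_FW_DG",   # assumed placement; any leaf device group resolves the same way
}

# Address objects defined per device group. 1.1.1.1 and 4.4.4.4 come from the
# question; 2.2.2.2 is constructed to show an override at a middle level.
OBJECTS = {
    "Shared": {"Server-1": "1.1.1.1"},
    "DATACENTER_DG": {"Server-1": "2.2.2.2"},
    "FW-1_DG": {"Server-1": "4.4.4.4"},
}


def resolve_object(name, device_group, objects=OBJECTS, parent=PARENT):
    """Return (value, defining_dg): walk from device_group up to Shared; nearest definition wins."""
    dg, seen = device_group, set()
    while dg is not None:
        if dg in seen:
            raise ValueError(f"cycle in device-group hierarchy at {dg}")
        seen.add(dg)
        if name in objects.get(dg, {}):
            return objects[dg][name], dg
        dg = parent[dg]
    raise KeyError(f"{name} is not defined in {device_group} or any ancestor")


def push_preview(name, assignments, objects=OBJECTS, parent=PARENT):
    """Map each firewall (firewall -> device group) to the value it will receive."""
    return {fw: resolve_object(name, dg, objects, parent)[0] for fw, dg in assignments.items()}


def overrides(name, objects=OBJECTS, parent=PARENT):
    """Device groups whose definition of the object hides a definition in an ancestor."""
    hidden = []
    for dg in objects:
        if name not in objects[dg] or parent.get(dg) is None:
            continue
        try:
            resolve_object(name, parent[dg], objects, parent)
            hidden.append(dg)
        except KeyError:
            pass
    return sorted(hidden)


if __name__ == "__main__":
    print(push_preview("Server-1", {"FW-1": "FW-1_DG", "FW-2": "OFFICE_FW_DG"}))
    print(overrides("Server-1"))
```

The overrides() helper is the check worth running before a push: an object redefined with a different value in a child device group is exactly the situation that produces a different IP on different firewalls under the same object name.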
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption is resource-intensive, and when the firewall is near its limits the choice of algorithms matters. The asymmetric operations in the TLS handshake (signing the certificates the forward proxy generates, and the key exchange on both sides of the proxied session) are what consume the most CPU per decrypted session.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
ECDSA (Elliptic Curve Digital Signature Algorithm) reaches a comparable security level with far smaller keys than RSA (a 256-bit curve is roughly equivalent to 3072-bit RSA), so signing and key-exchange operations cost considerably less CPU.
Using an ECDSA Forward Trust CA certificate and elliptic-curve cipher suites for traffic that isn't sensitive or high-priority therefore lowers the per-session handshake load on the firewall, which is where the savings are in a resource-constrained deployment; bulk decryption of the session data is symmetric and comparatively cheap.
This approach does not weaken the security of the decrypted traffic; it is a more resource-efficient way to run decryption so the firewall keeps inspecting encrypted sessions under heavy demand. One caveat: the firewall uses its ECDSA Forward Trust certificate only for clients that negotiate elliptic-curve cipher suites, so keep an RSA Forward Trust certificate configured as well for clients that do not, and expect the saving to depend on what the traffic mix actually negotiates.
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages
ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
Answer : B
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.
How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
Answer : A
An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
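An added example (not Palo Alto Networks code) that builds the bootstrap package layout the question refers to and validates it before it is copied onto the bootstrap media or cloud bucket. The four top-level directories must exist even when some are empty; optional directories such as /plugins are not checked. The init-cfg.txt keys used (type, hostname, ip-address, netmask, default-gateway, panorama-server, dgname, tplname, vm-auth-key) are a subset of the documented bootstrap parameters, and all values are constructed placeholders.

```python
import os
import shutil
import tempfile

MANDATORY_DIRS = ("config", "content", "license", "software")
STATIC_KEYS = ("ip-address", "netmask", "default-gateway")


def write_init_cfg(config_dir, params):
    """Write key=value lines to config/init-cfg.txt and return its path."""
    path = os.path.join(config_dir, "init-cfg.txt")
    with open(path, "w", encoding="ascii") as f:
        for key, value in params.items():
            f.write(f"{key}={value}\n")
    return path


def build_bootstrap(root, init_params):
    """Create the mandatory directories under root and the init-cfg.txt inside config/."""
    for d in MANDATORY_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    return write_init_cfg(os.path.join(root, "config"), init_params)


def parse_init_cfg(path):
    params = {}
    with open(path, encoding="ascii") as f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def validate_bootstrap(root):
    """Return a list of problems; an empty list means the layout is usable."""
    problems = [f"missing directory: {d}" for d in MANDATORY_DIRS
                if not os.path.isdir(os.path.join(root, d))]
    init_cfg = os.path.join(root, "config", "init-cfg.txt")
    if not os.path.isfile(init_cfg):
        problems.append("missing config/init-cfg.txt")
        return problems
    params = parse_init_cfg(init_cfg)
    mode = params.get("type")
    if mode not in ("dhcp-client", "static"):
        problems.append("type must be dhcp-client or static")
    elif mode == "static":
        # Static management addressing needs the full set of address parameters.
        problems += [f"static addressing requires {k}" for k in STATIC_KEYS if not params.get(k)]
    return problems


def self_check():
    """Build a package in a temp dir, validate it, then break it and validate again."""
    root = tempfile.mkdtemp(prefix="panbootstrap-")
    try:
        build_bootstrap(root, {
            "type": "static", "ip-address": "192.0.2.10", "netmask": "255.255.255.0",
            "default-gateway": "192.0.2.1", "hostname": "branch-fw-01",
            "panorama-server": "198.51.100.5", "dgname": "BRANCH_DG",
            "tplname": "BRANCH_TPL", "vm-auth-key": "REPLACE-ME",   # placeholder values
        })
        good = validate_bootstrap(root)
        shutil.rmtree(os.path.join(root, "license"))
        write_init_cfg(os.path.join(root, "config"), {"type": "static", "hostname": "x"})
        broken = validate_bootstrap(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return good, broken


if __name__ == "__main__":
    print(self_check())
```

Running the validator against the staged directory before imaging the media catches the two mistakes that most often leave a VM-Series stuck at first boot: a missing mandatory directory and a static init-cfg.txt with an incomplete address set.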
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : C
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine (available from PAN-OS 10.2) enhances the firewall's routing capabilities with a more complete implementation of BGP, OSPF and related protocols, route maps and filtering. It is enabled at the device level, not per virtual router: navigate to Device > Setup > Management, edit General Settings, select Advanced Routing, and commit. The setting takes effect only after the firewall is rebooted. After the reboot the firewall uses logical routers (Network > Routing > Logical Routers) in place of the legacy virtual routers, so review the routing configuration before and after the change and schedule it in a maintenance window.
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be used for approved web traffic?
Answer : B
A security engineer needs to mitigate packet floods that occur on servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Answer : A
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
Answer : A
A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two)
Answer : C, D
Detecting company-owned public domains whose records point at third-party infrastructure (dangling or misconfigured records that an attacker could take over) is an Advanced DNS Security capability, so the licenses in Option C are required. The detection is then enabled inside an Anti-Spyware profile (Option D), under DNS Policies, where the company's own domains are added so that the firewall monitors them for misconfigured records.
Option A (Threat Prevention alone) lacks the DNS-specific features for this use case. Option B (Vulnerability Protection profile) has no DNS misconfiguration settings. Documentation places this configuration in the Anti-Spyware profile's DNS Security settings.
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
A firewall administrator has confirmed reports that a website is not displaying as expected and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine whether decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
In the following image from Panorama, why are some values shown in red?
Answer : C
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
Answer : B
The 'Received fatal alert UnknownCA from client' log message means the client tore down the TLS handshake because it does not trust the CA that signed the certificate the firewall presented, that is, the Forward Trust CA. Typical causes are an application that pins its server certificate or a device on which the Forward Trust CA was never installed. For traffic with a valid use case, adding the site's hostname to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion), Option B, makes the firewall pass that traffic through without decrypting it, so the session completes. This is an immediate fix entirely within the firewall's control; note that excluded traffic is no longer inspected, so keep the list to hostnames that genuinely need it.
Option A (revocation checking) concerns the firewall's validation of the server's certificate, a different failure. Option C (checking for expired certificates) is diagnostic, not a remediation. Option D (contacting the site's administrator) is external and slow, and the site's certificate is not the problem. Documentation recommends decryption exclusions for pinned or otherwise incompatible applications.
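An added example, not code from the page or from Palo Alto Networks, of the triage a practitioner does before touching the exclusion list: parse exported decryption-log rows, separate UnknownCA alerts sent by the client (the client rejected the firewall's Forward Trust certificate) from alerts sent by the server side (a different failure that an exclusion for the client does not address), and list only hostnames that fail repeatedly as exclusion candidates. The sample rows are constructed in an assumed five-column layout; a real export has many more columns, which is why the code reads the sni and error columns by name.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumptions for the example; a real
# decryption-log export carries many more fields, so columns are read by name.
SAMPLE_DECRYPTION_LOG = """\
receive_time,src,dst,sni,error
2024-05-01 10:00:01,10.1.1.20,203.0.113.5,updates.vendor.example,Received fatal alert UnknownCA from client
2024-05-01 10:00:07,10.1.1.21,203.0.113.5,updates.vendor.example,Received fatal alert UnknownCA from client
2024-05-01 10:01:12,10.1.1.22,203.0.113.5,updates.vendor.example,Received fatal alert UnknownCA from client
2024-05-01 10:02:30,10.1.1.30,198.51.100.9,app.pinned.example,Received fatal alert UnknownCA from client
2024-05-01 10:03:02,10.1.1.40,192.0.2.80,selfsigned.internal.example,Received fatal alert UnknownCA from server
2024-05-01 10:03:05,10.1.1.41,192.0.2.80,selfsigned.internal.example,Received fatal alert UnknownCA from server
2024-05-01 10:04:00,10.1.1.50,93.184.216.34,www.example.com,
"""


def parse_decryption_log(text):
    """Rows of a CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def unknown_ca_by_side(rows):
    """Count UnknownCA alerts per hostname, split by which side of the proxied session sent them."""
    from_client, from_server = Counter(), Counter()
    for row in rows:
        err = row.get("error") or ""
        if "UnknownCA" not in err:
            continue
        host = row.get("sni") or row.get("dst")   # fall back to the IP when there is no SNI
        if "from client" in err:
            from_client[host] += 1
        elif "from server" in err:
            from_server[host] += 1
    return from_client, from_server


def exclusion_candidates(rows, min_hits=2):
    """Hostnames with repeated client-side UnknownCA alerts: candidates for the SSL Decryption Exclusion list."""
    from_client, _ = unknown_ca_by_side(rows)
    return sorted(host for host, hits in from_client.items() if hits >= min_hits)


def server_side_alerts(rows):
    """Hostnames whose UnknownCA alert came from the server side; investigate separately, do not exclude blindly."""
    _, from_server = unknown_ca_by_side(rows)
    return sorted(from_server)


if __name__ == "__main__":
    rows = parse_decryption_log(SAMPLE_DECRYPTION_LOG)
    print("exclusion candidates:", exclusion_candidates(rows))
    print("server-side alerts:", server_side_alerts(rows))
```

The min_hits threshold keeps a single failed handshake from turning into a permanent inspection gap; raise it for busy sites, and confirm the hostname against the Decryption log's SNI before adding it, since the exclusion list matches on hostname.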
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. the customer uses Windows
Answer : A
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
Answer : A
Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)
Answer : B, D
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. The firewall uses this CA certificate to dynamically generate certificates for SSL sites whose server certificates it trusts. When the firewall decrypts and inspects the traffic and then re-encrypts it, the certificate presented to the client is issued by the Forward Trust CA. This CA must be trusted by client devices, which usually means distributing and installing the Forward Trust CA certificate on them.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy applies to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
Answer : B, D, E
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.
An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.
Reference: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule
Which administrative authentication method supports authorization by an external service?
Answer : C
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
Answer : C
The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external Windows server, reducing the firewall's management-plane CPU usage compared to the PAN-OS integrated agent, which runs on the firewall itself. Option A is false; neither deployment requires the agent host to be a domain member, only a service account with the needed read permissions. Option B is incorrect; the integrated agent uses more firewall resources, not fewer. Option D is false; the standalone agent can run on any supported Windows server, not only a domain controller.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can provide a solution?
Answer : B
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
Answer : C
A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network.
Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?
Answer : A
A common cause of a failed Panorama upgrade is an outdated plugin. Plugins are software extensions that let Panorama interact with Palo Alto Networks cloud services and third-party services, and each plugin version depends on specific PAN-OS versions. Before upgrading, check the plugin compatibility matrix and upgrade the plugins in the order it dictates (some must be updated before the PAN-OS upgrade, others after); otherwise the install can fail or leave Panorama functionality broken after the upgrade. References: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption deployment, the two factors to consider are the encryption algorithms (the key exchange, bulk cipher and key sizes in the negotiated cipher suites) and the TLS protocol version in use. Both determine how much CPU and, on platforms that have it, hardware crypto offload each decrypted session consumes.
The key exchange is the expensive part of a decrypted session. With SSL Forward Proxy the firewall terminates the client-side TLS session and opens its own server-side session, so it performs the handshake cryptography twice per session. RSA key exchange, ECDHE over P-256 or P-384, and larger key sizes (2048-bit versus 4096-bit RSA) all cost different amounts of compute, and the new-sessions-per-second rate is usually what limits a decryption deployment. The bulk cipher (for example AES-GCM or ChaCha20-Poly1305) costs less per session but scales with the inspected throughput. Note that RSA and AES are not competing choices: RSA (or ECDSA) authenticates the handshake and, in older suites, carries the key exchange, while AES protects the session data with a symmetric key. The firewall must support the cipher suites the clients and servers negotiate, and must have enough capacity for the expected number of new decrypted sessions per second and the aggregate throughput.
The TLS protocol version determines which handshakes and cipher suites are possible. TLS 1.3 removes RSA key exchange and non-AEAD ciphers, allows only AEAD suites such as AES-GCM and ChaCha20-Poly1305, and always uses an ephemeral (EC)DHE exchange, so the firewall has to complete a full forward-proxy handshake for every session and cannot rely on an RSA private key for inbound inspection. TLS 1.3 does not require elliptic-curve certificates; RSA certificates remain valid. The firewall must support the TLS versions in use, and the per-version handshake cost feeds directly into the sizing estimate.
The number of security zones referenced in decryption policies and the number of blocked sessions are not sizing factors. Zones only affect how traffic is matched to decryption rules, and blocked sessions are denied by Security or Decryption policy before they enter the decryption path, so neither changes decryption throughput or resource consumption.
References: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
Answer : B
The way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: perform a template commit push from Panorama using the "Force Template Values" option. This option overwrites any locally overridden values on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
Answer : D
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
Answer : B, D
The two attributes a Forward Trust certificate needs for SSL Forward Proxy decryption are:
B: A private key. The firewall uses it to sign the certificates it generates on the fly for each decrypted session, so the key must be present on the firewall (generated there, or imported together with the certificate) and protected; anyone who obtains it can impersonate every site your users visit.
D: A certificate authority (CA) certificate, that is, one whose basicConstraints extension marks it as a CA. The firewall can only issue the per-session certificates from a CA certificate, and that CA (or the root that issued it) must be installed in the trust store of every client device, otherwise users see the untrusted-certificate warning.
What type of NAT is required to configure transparent proxy?
Answer : D
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
Answer : A
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
Answer : D
In the second exhibit, ethernet1/5 and ethernet1/7 are the two interfaces of a virtual wire. A virtual wire pair belongs to no virtual router, so no route lookup takes place: traffic that enters one interface of the pair is forwarded out the other. Traffic entering ethernet1/7 therefore egresses ethernet1/5.
In detail, the traffic from 192.168.111.3 to 10.46.41.113 that ingresses ethernet1/7 matches the virtual wire formed by ethernet1/5 and ethernet1/7, which is configured to pass VLAN-tagged traffic with tags 10 and 20, and the Security policy rule that allows traffic from zone Trust (ethernet1/7) to zone Untrust (ethernet1/5). The firewall forwards it out the paired interface, ethernet1/5, never back out the interface it arrived on.
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine replaces the legacy virtual router implementation with logical routers and per-protocol routing profiles, allowing more complex and robust routing configurations. It is enabled under Device > Setup > Management: edit General Settings and select Advanced Routing, then commit. The setting takes effect only after the firewall is rebooted; after the reboot, Network > Virtual Routers is replaced by Network > Routing > Logical Routers, where BGP, OSPF and the other protocols are configured. Because the reboot interrupts traffic, schedule it in a maintenance window, and on an HA pair enable the feature on both peers.
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What must the company do in order to use PAN-OS MFA?
Answer : D
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the certificate for the website https://www.important-website.com. End users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End users must not get the warning for the https://www.very-important-website.com/ website.
2. End users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : C
Which protocol is supported by Global Protect clientless VPN
Answer : C
During the process of developing a decryption strategy and evaluating which websites corporate users must be able to access, several sites have been identified that cannot be decrypted for technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?
Answer : C
If some sites cannot be decrypted for technical reasons, such as unsupported ciphers, and blocking them is not an option, the engineer should add the sites to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) to exempt them from decryption. The list ships with predefined entries for sites known to break under decryption because they use certificate pinning, mutual authentication or unsupported cipher suites, and the engineer can add custom entries for sites that have a valid business reason or technical limitation for not being decrypted. Traffic to excluded sites then passes through undecrypted instead of being blocked. The caveat is that excluded traffic is not inspected, so each exception should be documented and reviewed periodically; an exclusion is a deliberate visibility gap, not a fix. References: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)
Answer : B, C
Protection against quantum-related attacks means using key establishment that a cryptographically relevant quantum computer cannot break. The classical (EC)DH exchange in IKEv2 is vulnerable to Shor's algorithm, so an adversary who records a VPN handshake today could derive its keys later. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (option B) combines a classical exchange with a quantum-resistant key encapsulation so that the session keys stay secret unless both are broken, and IKEv2 with Post-Quantum Pre-shared Keys (option C) mixes a symmetric PPK, distributed out of band, into the IKEv2 key derivation; symmetric keys of sufficient length are not affected by Shor's algorithm, so the derived keys remain protected even if the Diffie-Hellman exchange is later broken. Both options require the VPN peer to support the same feature.
Option A (IKEv1 only) moves backwards: IKEv1 has no post-quantum extensions and lacks IKEv2's modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a PAN-OS feature. The PAN-OS 11.2 documentation describes the IKEv2 quantum-resistance enhancements.
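To show why a PPK helps, the following Python, added here and not taken from the page or from Palo Alto Networks, mixes a PPK into the IKEv2 keys the way RFC 8784 section 5.1 describes (SK_d, SK_pi and SK_pr each replaced with prf+(PPK, key); that reading of the RFC is an assumption of the example). The classical key derivation is a simplified stand-in for IKEv2's SKEYSEED and prf+ steps, PRF_HMAC_SHA2_256 is assumed, and PPK_STORE, the PPK_ID value and the key bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets


def prf(key, data):
    """IKEv2 PRF; PRF_HMAC_SHA2_256 is assumed for the example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def mix_ppk(ppk, sk_d, sk_pi, sk_pr):
    """RFC 8784 section 5.1 (as understood here): the PPK is folded into SK_d,
    SK_pi and SK_pr, so peer authentication and every Child SA key later derived
    from SK_d depend on the PPK as well as on the Diffie-Hellman secret."""
    return (prf_plus(ppk, sk_d, len(sk_d)),
            prf_plus(ppk, sk_pi, len(sk_pi)),
            prf_plus(ppk, sk_pr, len(sk_pr)))


# Hypothetical out-of-band PPK store, keyed by PPK_ID. On a PAN-OS gateway this
# is the PPK configured on the IKE gateway; the bytes here are constructed.
PPK_STORE = {
    b"branch-01": bytes.fromhex("7f3a9c6b0d2e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c"),
}


def derive_classical_keys(shared_secret, nonces):
    """Stand-in for the normal IKEv2 derivation: SKEYSEED from the nonces and the
    (EC)DH shared secret, then SK_d, SK_pi, SK_pr via prf+. Real IKEv2 derives
    more keys and also mixes in the SPIs; only the three keys RFC 8784 modifies
    are produced here."""
    skeyseed = prf(nonces, shared_secret)
    material = prf_plus(skeyseed, nonces, 3 * 32)
    return material[0:32], material[32:64], material[64:96]


def gateway_keys(ppk_id, shared_secret, nonces):
    """What each peer computes after IKE_SA_INIT when both sides sent USE_PPK.
    A PPK_ID the responder does not know must fail (or fall back, if policy
    allows) rather than silently continue with classical keys."""
    ppk = PPK_STORE.get(ppk_id)
    if ppk is None:
        raise KeyError(f"unknown PPK_ID {ppk_id!r}")
    return mix_ppk(ppk, *derive_classical_keys(shared_secret, nonces))


def quantum_adversary_keys(shared_secret, nonces):
    """An adversary who later breaks the DH exchange recovers shared_secret and
    can replay the classical derivation, but does not hold the PPK."""
    return derive_classical_keys(shared_secret, nonces)


if __name__ == "__main__":
    dh = secrets.token_bytes(32)       # stands in for g^ir
    nonces = secrets.token_bytes(64)   # stands in for Ni | Nr
    ours = gateway_keys(b"branch-01", dh, nonces)
    theirs = quantum_adversary_keys(dh, nonces)
    print("SK_d with PPK   :", ours[0].hex())
    print("SK_d classical  :", theirs[0].hex())
    print("adversary matches:", ours == theirs)
```

The PPK adds no protection if it is weak or reused widely: it must be long, random and distributed out of band, and PAN-OS must be configured to fail the negotiation rather than fall back to classical IKEv2 when the peer does not present a matching PPK_ID.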
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)
Answer : A, B, C
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that Panorama applies to one or more firewalls or virtual systems. A template carries settings from the Device and Network tabs of the firewall web interface, such as the login banner, the SSL Decryption Exclusion list (Device > Certificate Management) and dynamic update schedules; policy rules and objects belong to device groups instead. These settings can be configured in a template named "Global" and included in every template stack. A template stack is an ordered group of templates that Panorama pushes to managed firewalls; when two templates in a stack define the same setting, the template higher in the stack takes precedence. References: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Answer : D
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls, or of individual virtual systems, that share the same policy rules and objects. Because a device group can contain individual vsys rather than whole chassis, a multi-vsys firewall can have each vsys in a different device group, so the device group structure should follow the security policy each vsys needs rather than the physical firewall it runs on. References: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
Answer : B
When the peer device will act as the initiator and none of the peer addresses are known, the administrator enables Passive Mode on the IKE gateway, so the firewall only responds to IKE negotiations and never tries to initiate toward an address it does not have. The other options do not solve the problem on their own. Option A, certificate authentication, changes how the peer is authenticated, not how it is reached. Option C, the Dynamic peer IP address type, lets the gateway accept a peer whose address is not fixed, but it does not by itself make the firewall wait for the peer; it is normally combined with Passive Mode. Option D, configuring the peer address as an FQDN, still requires a resolvable name for the peer, which the administrator does not have.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks best-practice Anti-Spyware profile enables single packet capture for medium, high and critical severity threats, so that the first packet of the malicious traffic is retained for analysis and investigation. Packet capture is not enabled for low and informational severity threats, which generate a relatively high volume of matches and rarely warrant investigation. References: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
Answer : D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.
Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
Answer : A, D
SAML SLO is supported for which two firewall features? (Choose two.)
Answer : A, B
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.
Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
Answer : B
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
Answer : B, C, E
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: after adding firewalls (see Add a Firewall as a Managed Device), you can group them into device groups (up to 256). Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama pushes the same policy rules and objects to both firewalls; PAN-OS does not synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, create a Device Group Hierarchy.
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain and application?
Answer : A
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
Answer : A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
Answer : D
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
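The firewall's own version of this check is `test security-policy-match` on the CLI (Test Policy Match in the web UI). As an added example, not code from the page or from Palo Alto Networks, the Python below reproduces the first-match evaluation that tool applies, run over a constructed rulebase, including the implicit intrazone-default and interzone-default rules, and then uses a set of sample flows to list rules that never win, which is how a shadowed or stale rule shows up during a policy review. Rule names, zones, addresses and the sample flows are made up for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp" or "udp"
    dst_port: int
    application: str   # the App-ID the firewall settled on for the session


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    from_zones: frozenset = frozenset({ANY})
    to_zones: frozenset = frozenset({ANY})
    sources: frozenset = frozenset({ANY})         # CIDR strings
    destinations: frozenset = frozenset({ANY})    # CIDR strings
    applications: frozenset = frozenset({ANY})
    services: frozenset = frozenset({ANY})        # "tcp/443" style


def _zone_ok(zones, zone):
    return ANY in zones or zone in zones


def _addr_ok(cidrs, ip):
    if ANY in cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _svc_ok(services, protocol, port):
    return ANY in services or f"{protocol}/{port}" in services


def rule_matches(rule, flow):
    """All match criteria of a rule are ANDed, as in a Security policy rule."""
    return (_zone_ok(rule.from_zones, flow.src_zone)
            and _zone_ok(rule.to_zones, flow.dst_zone)
            and _addr_ok(rule.sources, flow.src_ip)
            and _addr_ok(rule.destinations, flow.dst_ip)
            and (ANY in rule.applications or flow.application in rule.applications)
            and _svc_ok(rule.services, flow.protocol, flow.dst_port))


def policy_match(rules, flow):
    """Top-down first match, then the two implicit default rules: traffic
    within a zone is allowed, traffic between zones is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def unmatched_rules(rules, sample_flows):
    """Rules that never win for any sample flow. Either the samples do not cover
    them or a broader rule above takes their traffic; both deserve a look."""
    winners = {policy_match(rules, f)[0] for f in sample_flows}
    return [r.name for r in rules if r.name not in winners]


# Constructed rulebase, not taken from any real firewall. The last rule is fully
# shadowed by allow-web-out and should be flagged.
RULEBASE = [
    Rule("block-db-from-users", "deny", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"dmz"}), destinations=frozenset({"10.99.0.0/24"}),
         services=frozenset({"tcp/3306"})),
    Rule("allow-web-out", "allow", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"untrust"}),
         applications=frozenset({"web-browsing", "ssl"}),
         services=frozenset({"tcp/80", "tcp/443"})),
    Rule("allow-trust-to-dmz", "allow", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"dmz"})),
    Rule("allow-web-out-old", "allow", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"untrust"}), applications=frozenset({"web-browsing"}),
         services=frozenset({"tcp/80"})),
]

SAMPLE_FLOWS = [
    Flow("trust", "untrust", "10.1.1.5", "8.8.8.8", "tcp", 443, "ssl"),
    Flow("trust", "dmz", "10.1.1.5", "10.99.0.10", "tcp", 3306, "mysql"),
    Flow("trust", "dmz", "10.1.1.5", "10.99.0.10", "tcp", 22, "ssh"),
    Flow("trust", "untrust", "10.1.1.5", "8.8.8.8", "tcp", 22, "ssh"),
    Flow("trust", "trust", "10.1.1.5", "10.1.1.9", "tcp", 445, "ms-ds-smb"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.src_zone, "->", flow.dst_zone, flow.application, policy_match(RULEBASE, flow))
    print("never matched:", unmatched_rules(RULEBASE, SAMPLE_FLOWS))
```

Two things the real tool does that this sketch does not: it matches on user, URL category and address groups as well, and App-ID can change the application mid-session (for example ssl becoming a decrypted web application), so a flow should be tested with the final application the Traffic log reports, not only the one seen at session start.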
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : B
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
Answer : C
For an application that is currently identified as unknown-tcp and whose sessions stay idle for long periods, creating a custom application and referencing it from an application override rule is the quickest solution to implement. The process involves:
Creating a custom application (Objects > Applications) and setting its TCP timeouts to accommodate the application's idle sessions, so the firewall does not close them for inactivity.
Creating an application override rule (Policies > Application Override) that references the custom application. Traffic matching the rule criteria (source and destination zones, addresses and port) is then identified as the custom application in Traffic logs.
The caveat a practitioner should keep in mind: an application override disables App-ID and content inspection for the matching traffic, which is acceptable here only because the application is trusted and does not need threat scanning. If the App-ID engine itself must classify the traffic, the custom application needs signatures (patterns taken from packet captures of the application) instead of an override rule, which takes longer to build.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?
Answer : A
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS
https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Answer : A
When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)
Answer : C, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha
These are the two links that can be used to configure an active/active high availability pair. An active/active HA pair consists of two firewalls that both pass traffic and share the load. The prerequisites page linked above lists the links an active/active pair uses:
HA1: the control link. It carries hello and heartbeat messages, HA state, and configuration synchronization between the peers. It uses a dedicated HA1 port or a data port set to interface type HA, and a backup HA1 link is supported for redundancy.
HA2: the data link. It synchronizes sessions, forwarding tables, IPsec security associations, and ARP tables between the peers, so that the surviving peer can carry on existing sessions after a failover. It uses a dedicated HA2 port or a data port set to interface type HA, and a backup HA2 link is supported.
HA3: the packet-forwarding link, used only in active/active (an active/passive pair has no HA3). When a packet arrives at the firewall that is not the session owner, that firewall forwards the packet over HA3 to the session owner for Layer 7 inspection; this is what makes asymmetrically routed flows work. HA3 is a Layer 2 link using MAC-in-MAC encapsulation, so it carries no IP address and supports no encryption. It must be a physical interface dedicated to HA3 (or an aggregate interface group, which is the only way to give it redundancy, as there is no backup HA3 link), and the switches between the peers must pass jumbo frames large enough for the encapsulated packets.
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS, because a firewall cannot skip a feature release: every feature release between the current version and the target must be installed in turn, and the base image of a feature release must be downloaded before any maintenance release of it can be installed.
B. The upgrade path from PAN-OS 10.1 to 11.0.x is:
First, upgrade to the latest preferred maintenance release of the current PAN-OS 10.1, so that the latest fixes are in place before crossing a feature-release boundary.
Next, download and install the base image of the next feature release (PAN-OS 10.2.0), then upgrade to the latest preferred maintenance release of PAN-OS 10.2. This keeps the firewall on a stable, supported release before the next boundary.
Finally, download and install the base image of PAN-OS 11.0 (11.0.0), then upgrade to the desired PAN-OS 11.0.x release, which provides the new features such as TLSv1.3 support for management access.
Before each step, confirm that Panorama (if the firewalls are managed) is already running a version equal to or later than the target firewall version, that the firewall has an Applications and Threats content release that meets the minimum for the target release, and, for an HA pair, upgrade the peers one at a time so that one firewall keeps passing traffic.
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
Palo Alto Networks firewalls evaluate NAT rules top-down and apply the first rule that matches, exactly as they do Security policy rules; a more specific rule placed below a broader one is never reached. To exclude one host from a broad source NAT rule, a more specific rule for that host must sit above it.
C. Place the more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) for the original-packet source 10.0.0.0/23 from the trust zone to the untrust zone with dynamic IP and port translation. This lets the rest of the subnet reach the internet behind the firewall's egress address.
Create a second NAT rule (NAT-Rule-2) with the same zones and the original-packet source set to 10.0.0.10/32, and leave source translation unset (a "no NAT" rule). Traffic from this host that matches the rule is exempt from translation.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy. Because evaluation stops at the first match, traffic from 10.0.0.10 hits NAT-Rule-2 and leaves untranslated; everything else in 10.0.0.0/23 falls through to NAT-Rule-1.
Note that a no-NAT rule does not by itself block the server: its private source address is simply not translated, so its packets would leave with an unroutable source and never receive a reply. To enforce the requirement rather than rely on that, add a Security policy rule above the general internet-access rule that denies 10.0.0.10 to the untrust zone, and verify the NAT order afterwards with test nat-policy-match (or Policies > NAT > Test Policy Match) for a source of 10.0.0.10 and for another host in the subnet.
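The first-match behaviour above, shown as an added Python example that is not part of the original page: it evaluates a two-rule source NAT rulebase in both orders and reports which rule is shadowed. The rule names, zone names and the egress address 203.0.113.1 are assumptions for illustration, not values from the question.

```python
"""Added example (not from the page): first-match evaluation of a
source-NAT rulebase, to show why the no-translation rule must sit
above the broader dynamic-IP-and-port rule.  Rule names, zones and the
egress address 203.0.113.1 are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                       # original-packet source, CIDR
    translated: Optional[str] = None  # None == "no translation" rule


def first_match(rules: List[NatRule], from_zone: str, to_zone: str,
                src_ip: str) -> Optional[NatRule]:
    """PAN-OS evaluates NAT rules top-down and stops at the first match;
    specificity does not matter, only position in the rulebase."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (rule.from_zone == from_zone and rule.to_zone == to_zone
                and ip in ipaddress.ip_network(rule.source)):
            return rule
    return None


def translated_source(rules: List[NatRule], from_zone: str, to_zone: str,
                      src_ip: str) -> Optional[str]:
    """Return the post-NAT source address, or None when the matched rule
    (or no rule at all) performs no translation."""
    rule = first_match(rules, from_zone, to_zone, src_ip)
    return rule.translated if rule else None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule with
    the same zones covers their whole source range: the defect the wrong
    order introduces."""
    out = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source)
        for earlier in rules[:i]:
            same_zones = (earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
            if same_zones and later_net.subnet_of(ipaddress.ip_network(earlier.source)):
                out.append(later.name)
                break
    return out


NO_NAT_SERVER = NatRule("NAT-Rule-2", "Trust", "Untrust", "10.0.0.10/32", None)
SNAT_ALL = NatRule("NAT-Rule-1", "Trust", "Untrust", "10.0.0.0/23", "203.0.113.1")

CORRECT_ORDER = [NO_NAT_SERVER, SNAT_ALL]
WRONG_ORDER = [SNAT_ALL, NO_NAT_SERVER]   # NAT-Rule-2 is shadowed here

if __name__ == "__main__":
    for label, rulebase in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label,
              "10.0.0.10 ->", translated_source(rulebase, "Trust", "Untrust", "10.0.0.10"),
              "| 10.0.0.25 ->", translated_source(rulebase, "Trust", "Untrust", "10.0.0.25"),
              "| shadowed:", shadowed_rules(rulebase))
```

With the correct order the server's packets leave untranslated and the rest of the subnet is translated; with the wrong order the server is translated like everyone else and NAT-Rule-2 is reported as shadowed, which is what the firewall's own rulebase warning for unreachable rules would also show.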
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
Answer : A
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
An administrator plans to install the Windows User-ID agent on a domain member system.
What is a best practice for choosing where to install the User-ID agent?
Answer : C
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
Answer : C
A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener lets the Windows User-ID agent or the PAN-OS integrated agent receive syslog messages from other systems and parse them, using syslog parse profiles, for IP address-to-username mappings. It can collect mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers and proxies, regardless of the client platform (Windows, Linux, macOS, iOS, Android). It is therefore a comprehensive and flexible solution for User-ID deployment in a large network. Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
Which active-passive HA firewall state describes the firewall that is currently processing traffic?
Answer : C
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption deployment, two factors to consider are the encryption (cipher) algorithms in use and the TLS protocol versions in use, because together they determine how much CPU the firewall spends per new session and per byte of decrypted traffic.
The cipher algorithms involve two kinds of work. The asymmetric algorithms used in the handshake (RSA key transport or signatures, ECDHE key agreement) are expensive per operation and dominate the cost when the rate of new sessions is high; an RSA-2048 handshake costs far more than ECDHE over P-256, and larger RSA keys cost more still. The symmetric bulk cipher (AES-CBC, AES-GCM, ChaCha20-Poly1305) dominates the cost of long, high-throughput sessions, with AES-GCM the cheapest where the platform accelerates it. Comparing the "security" of RSA and AES is not meaningful, since they do different jobs in the protocol; what matters for sizing is which cipher suites the servers and clients negotiate, how many handshakes per second the firewall must perform, and how many bits per second it must decrypt and re-encrypt.
The TLS protocol version changes which of those algorithms are possible. TLS 1.3 removes static RSA key exchange and all CBC suites, so every TLS 1.3 session uses (EC)DHE key agreement and an AEAD cipher such as AES-GCM or ChaCha20-Poly1305 (RSA certificates remain permitted; TLS 1.3 does not require elliptic-curve certificates). Because the session key is ephemeral, the firewall cannot decrypt such a session by holding the server's private key alone: for SSL Inbound Inspection of sessions using perfect forward secrecy it proxies the session and performs two handshakes, which costs more than passive decryption. Sizing therefore needs the expected mix of TLS versions and cipher suites, the new-session rate and the throughput, compared against the decryption figures on the datasheet for the platform.
The number of security zones in decryption policies and the number of blocked sessions are not sizing factors. Zones only decide which decryption rule a session matches and do not change the decryption work per session; blocked sessions are denied by Security or Decryption policy and consume no decryption capacity.
Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
Answer : B
When a firewall managed by Panorama has a local override of a template setting, the administrator can restore the Panorama-defined value by pushing the template stack with the Force Template Values option (Commit and Push > Edit Selections > Templates > Force Template Values). The push removes the local overrides on the selected firewalls and replaces them with the template values, so the interface configuration is again what Panorama defines. This only reverts existing overrides for settings the template actually defines; it does not by itself stop a local administrator from overriding the setting again, so where overrides are not permitted the local administrator accounts should also be restricted (for example, by giving local administrators a role without write access to the Network tab).
Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from the CLI) commits the local configuration, which keeps the override in place. Option D (reloading the running configuration) is disruptive and does not bring back the template value. Force Template Values is the documented method for this case.
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
Answer : D
In the second image the virtual wire is made up of ethernet1/5 and ethernet1/7. Interfaces in a virtual wire take no part in routing: whatever enters one interface of the pair leaves the other, so traffic that ingresses ethernet1/7 can only egress ethernet1/5.
The egress interface for traffic that ingresses ethernet1/7 from 192.168.111.3 to 10.46.41.113 is therefore ethernet1/5. The traffic matches the virtual wire containing ethernet1/5 and ethernet1/7, which is configured to pass the VLAN tags shown in the exhibit, and it matches the security policy rule that allows traffic from zone Trust (ethernet1/7) to zone Untrust (ethernet1/5). The source and destination addresses play no part in the forwarding decision; the virtual wire forwards the frame out of the peer interface of the one it arrived on.
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
Answer : C
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
Answer : B
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is the Local database. Certificate authentication only proves that the connecting entity holds a valid certificate chaining to the CA in the certificate profile; the username is taken from the certificate subject (the common name or subject alternative name, as configured in the certificate profile). Authorization then decides what that administrator may do, and this comes from the administrator account defined locally on the firewall: the account whose name matches the certificate username carries the admin role (dynamic or custom role profile) and any access domain that limit the administrator's access. The local database therefore enforces the permissions, even though authentication itself is certificate-based.
As a best practice, logging at session start should be used in which case?
Answer : A
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, two components must be set up before the firewall can decrypt, inspect and re-encrypt outbound SSL/TLS traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. The firewall uses it to sign the certificates it generates on the fly for sites whose server certificate is trusted, so that the client sees the firewall-generated certificate in place of the server's. It must therefore be a CA certificate (issued by the enterprise CA as a subordinate CA, or self-signed on the firewall with the Certificate Authority attribute set), and clients must trust it, which normally means distributing the CA certificate to client trust stores through group policy or an MDM. A Forward Untrust certificate, which clients do not trust, should be defined alongside it so that users still see a warning when the original server certificate is untrusted.
C. Configure SSL decryption rules:
Decryption policy rules determine which traffic is decrypted. They match on source and destination zone, address, user, service and URL category, among other criteria, and specify the action (decrypt or no-decrypt), the type (SSL Forward Proxy) and a decryption profile. The rules define what traffic the SSL Forward Proxy applies to, enabling selective decryption based on security and privacy requirements.
Together these components form the basis of the SSL Forward Proxy decryption setup, allowing encrypted sessions to be decrypted, inspected and re-encrypted so that threats hidden in them can be identified and prevented.
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
Answer : C
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
From the Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: after adding firewalls (see Add a Firewall as a Managed Device), you can group them into device groups (up to 256). Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls; PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, create a device group hierarchy.
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
Answer : A
https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 '- Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration' 'You need to be careful what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox), this will still be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value'
An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?
Answer : D
Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?
Answer : B
For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.
Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls (Device > High Availability > General > Setup, clear Enable Config Sync). Config sync is the feature that keeps the configurations of the two HA peers identical. When you import the configuration of an HA pair into Panorama, you want to avoid any change reaching the firewalls until you have verified and committed the imported configuration on Panorama and pushed it back, so disable config sync before importing the configuration and re-enable it after the Panorama push has completed on both peers. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
How does Panorama prompt VMWare NSX to quarantine an infected VM?
Answer : A
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)
Answer : A, B, C
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)
Answer : A, D
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.
Where can the firewall engineer define the data to be added into each forwarded log?
Answer : A
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format
Step-by-Step
Understanding Log Forwarding in PAN-OS:
Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.
Traffic logs can be customized to include additional information that meets the audit or operational requirements.
Syslog Server Profiles:
Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.
These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).
Custom Log Format:
Navigate to Device > Server Profiles > Syslog.
Within the Syslog Server Profile, define a Custom Log Format for traffic logs.
Using this feature, the engineer can include additional fields requested by the internal audit team, such as the source user, URL category, session end reason or rule name, as well as fixed Key: Value pairs that identify the sending firewall.
Field Specification:
In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.
Example:
$receive_time,$src,$dst,$app,$action,$rule
The engineer can include specific details as requested by the audit team.
Comparison of Other Options:
Option B: Built-in Actions within Objects > Log Forwarding Profile
Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.
Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.
Option C: Logging and Reporting Settings within Device > Setup > Management
These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.
Option D: Data Patterns within Objects > Custom Objects
Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.
Why A is Correct?
The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.
This flexibility allows the firewall engineer to meet specific compliance or audit requirements.
Documentation Reference:
PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.
PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
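What the custom format means for the receiving side, as an added Python example that is not part of the original page: a parser that derives its field list from the same template configured in the syslog server profile, so the collector and the firewall cannot drift apart silently. The template extends the page's example with $srcuser, the syslog header layout is assumed to be the usual priority/timestamp/host form, and the sample lines are constructed, not real firewall logs.

```python
"""Added example, not from the page: a parser for lines produced by a
PAN-OS syslog server profile whose traffic Custom Log Format is the
template below.  The field names are the PAN-OS log variables the
template contains; the sample lines are constructed, not real logs."""
import csv
import io
import re
from typing import Dict, List, Optional

# The template configured under Device > Server Profiles > Syslog >
# Custom Log Format > Traffic.  $srcuser is added for the audit request.
CUSTOM_FORMAT = "$receive_time,$src,$dst,$app,$action,$rule,$srcuser"

# Syslog header assumed to precede the custom body: <pri>Mon DD HH:MM:SS host
SYSLOG_HEADER = re.compile(r"^<\d+>\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+(?P<body>.*)$")


def fields_from_template(template: str) -> List[str]:
    """'$receive_time,$src,...' -> ['receive_time', 'src', ...].
    Deriving the schema from the template keeps the parser in step
    with the profile: change one and the other follows."""
    return re.findall(r"\$(\w+)", template)


def parse_line(line: str, template: str = CUSTOM_FORMAT) -> Optional[Dict[str, str]]:
    """Return a dict of field -> value, or None when the line's field count
    does not match the template (format drift or a truncated message)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    values = next(csv.reader(io.StringIO(m.group("body"))))
    names = fields_from_template(template)
    if len(values) != len(names):
        return None
    rec = dict(zip(names, values))
    rec["host"] = m.group("host")
    return rec


def audit_summary(lines: List[str], template: str = CUSTOM_FORMAT) -> Dict[str, object]:
    """Parse a batch and report what an auditor wants: records per user
    and action, plus the number of lines the parser had to reject."""
    per_user_action: Dict[str, int] = {}
    rejected = 0
    for line in lines:
        rec = parse_line(line, template)
        if rec is None:
            rejected += 1
            continue
        key = f"{rec['srcuser'] or 'unknown'}:{rec['action']}"
        per_user_action[key] = per_user_action.get(key, 0) + 1
    return {"counts": per_user_action, "rejected": rejected}


# Constructed sample lines in the custom format (not real firewall logs).
SAMPLE_LINES = [
    "<14>Jan 05 10:00:01 pa-edge-01 2024/01/05 10:00:01,10.0.0.25,198.51.100.7,web-browsing,allow,Allow-Web,corp\\alice",
    "<14>Jan 05 10:00:02 pa-edge-01 2024/01/05 10:00:02,10.0.0.10,198.51.100.7,ssl,deny,Block-Server,",
    "<14>Jan 05 10:00:03 pa-edge-01 2024/01/05 10:00:03,10.0.0.25,198.51.100.9,ssl,allow,Allow-Web,corp\\alice",
    # Sent by a firewall whose profile still uses the old six-field format:
    "<14>Jan 05 10:00:04 pa-edge-02 2024/01/05 10:00:04,10.0.0.31,198.51.100.7,ssh,allow,Allow-Admin",
]

if __name__ == "__main__":
    print(audit_summary(SAMPLE_LINES))
```

The rejected count is the check worth alerting on: when a template is changed on one firewall (or one Panorama template) and not on the collector, every line from that firewall fails the field-count test, which is far easier to notice than fields silently shifting into the wrong columns.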
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Answer : C
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. Device-ID is a feature that lets the firewall identify and classify devices on the network by attributes such as category, vendor, model, operating system and profile. QoS policies allocate bandwidth and prioritize traffic based on criteria such as application, user, source, destination and, with Device-ID, the device. Using Device-ID as a match condition in QoS policies lets the firewall apply different QoS classes to different kinds of devices, such as IoT devices, laptops or smartphones, which helps protect bandwidth for critical applications and devices.
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
Changes to the configuration, including enabling or disabling a decryption rule, are recorded in the firewall's Configuration logs (Monitor > Logs > Configuration), not in the System logs. Each configuration log entry records the administrator, the client (web interface or CLI), the command, the result, and the configuration path that was changed, and optionally the before and after values.
To alert on decryption rule changes, first configure an Email server profile (Device > Server Profiles > Email). Then go to Device > Log Settings > Configuration and add a match list entry whose filter selects entries with a configuration path under the decryption rulebase (for example, a filter on the path containing 'rulebase decryption', built with the filter builder in the configuration log view so that the field name is correct for the PAN-OS version), and assign the Email server profile to that entry. Commit the change on the firewall, or push it from a Panorama template.
With this in place the security team receives an email each time a decryption rule is edited, disabled, moved or deleted, so unauthorized or unintended changes can be reviewed and reverted quickly. A change only takes effect after a commit, so each disable produces one entry for the change and a separate entry for the commit; filtering on the configuration path rather than on commit events is what isolates the decryption rules.
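The match logic behind that alert, as an added Python example that is not part of the original page: it runs a path-based filter over constructed configuration-log records and builds the alert text for each hit. The column order of the sample records is an assumption made for the example, not the firewall's actual syslog layout, and the host, admin and rule names are invented.

```python
"""Added example (not from the page): the match logic behind an email
alert for decryption-rule changes, run over constructed configuration-log
records.  PAN-OS configuration logs carry the admin, the client, the
command, the result, the configuration path and before/after detail; the
column order below is an assumption for the sample data, not the
firewall's syslog layout."""
import csv
import io
from typing import Dict, List

COLUMNS = ["receive_time", "serial", "type", "host", "admin", "client",
           "command", "result", "path", "before_change", "after_change"]

# Constructed records (not real firewall logs).
SAMPLE_CONFIG_LOGS = """\
2024/01/05 09:58:10,0001,CONFIG,pa-edge-01,alice,Web,set,Succeeded,rulebase security rules Allow-Web,,disabled no
2024/01/05 09:59:42,0001,CONFIG,pa-edge-01,bob,Web,set,Succeeded,rulebase decryption rules Decrypt-Outbound,disabled no,disabled yes
2024/01/05 09:59:50,0001,CONFIG,pa-edge-01,bob,Web,set,Failed,rulebase decryption rules Decrypt-Inbound,disabled no,disabled yes
2024/01/05 10:01:03,0001,CONFIG,pa-edge-01,bob,Web,commit,Succeeded,,,
2024/01/05 10:02:11,0001,CONFIG,pa-edge-01,carol,CLI,delete,Succeeded,rulebase decryption rules No-Decrypt-Finance,,
"""


def parse_config_logs(text: str) -> List[Dict[str, str]]:
    """CSV text -> list of records keyed by COLUMNS."""
    return [dict(zip(COLUMNS, row)) for row in csv.reader(io.StringIO(text)) if row]


def is_decryption_rule_change(rec: Dict[str, str]) -> bool:
    """Equivalent of the log-forwarding filter on the configuration path:
    only successful operations on the decryption rulebase raise an alert;
    failed attempts, commits and other rulebases do not."""
    return (rec["type"] == "CONFIG"
            and rec["result"] == "Succeeded"
            and rec["command"] in {"set", "edit", "delete", "move", "rename"}
            and rec["path"].startswith("rulebase decryption rules"))


def alert_text(rec: Dict[str, str]) -> str:
    """Body of the email the server profile would send for one match."""
    what = "disabled" if rec["after_change"] == "disabled yes" else rec["command"]
    return (f"[{rec['host']}] decryption rule change: {rec['path']} "
            f"{what} by {rec['admin']} via {rec['client']} at {rec['receive_time']}")


def alerts_for(text: str) -> List[str]:
    """All alert bodies for the records in the given log text."""
    return [alert_text(r) for r in parse_config_logs(text) if is_decryption_rule_change(r)]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_CONFIG_LOGS):
        print(alert)
```

Only the successful disable of Decrypt-Outbound and the deletion of No-Decrypt-Finance produce alerts; the failed attempt, the commit and the security-rulebase change fall through the filter, which is the behaviour to verify in the firewall's filter builder before trusting the email alert.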
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
Answer : D
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.
How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
Answer : A
Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?
Answer : D
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
Answer : A
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
Answer : D
The engineer is configuring a DoS Protection profile. A DoS Protection profile defines the alarm, activate and maximum thresholds and the action for flood attacks (SYN, UDP, ICMP, ICMPv6 and other IP floods) together with resource-protection limits on concurrent sessions. It is applied through a DoS Protection policy rule (Policies > DoS Protection), not through a Security policy rule; the DoS Protection rule matches the traffic to the protected systems by zone, address and service. The profile type matters: an aggregate profile applies its thresholds to all traffic matching the rule as a whole, whereas a classified profile applies them per source IP, per destination IP, or per source-and-destination pair. Granular defense of specific critical systems accessed from the internet, such as web servers, DNS servers or VPN gateways, is a classified profile (classified by destination IP) applied to a rule that matches those hosts. A Zone Protection profile, by contrast, protects a whole ingress zone rather than specific destinations. Reference: DoS Protection, PCNSE Study Guide (page 58)
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
Answer : D
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : C
Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.
Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read-only to control what administrators can configure.
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?
Answer : A
View the screenshots
A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?
Answer : B, D
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware
category: dns-c2
threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.
Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
As a best practice, logging at session start should be used in which case?
Answer : A
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
Answer : D
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)
Answer : C, D
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
Answer : C
When troubleshooting Palo Alto Networks services, such as dynamic updates, verifying the status of service routes is critical. Service routes determine how the firewall communicates with external services (e.g., Palo Alto Networks update servers, WildFire, DNS, etc.) from the Management Plane or data plane interfaces.
Why 'debug dataplane internal vif route 250' is Correct
Purpose of the Command:
This command allows administrators to view the service routes configured on the firewall and verify if they are installed correctly and actively working.
The number 250 specifically refers to service routes in the Management Plane.
Output:
The command displays detailed information about service routes, including routing decisions, source interfaces, and next-hop IPs.
Helps identify issues such as:
Incorrect interface configuration.
Invalid next-hop IPs.
Missing routes for specific services.
Analysis of Other Options
debug dataplane internal vif route 255
Incorrect:
The number 255 does not correspond to service routes but is used for internal route debugging unrelated to management plane service routes.
show routing route type management
Incorrect:
This command does not exist in PAN-OS CLI. It might be a misrepresentation of another command.
debug dataplane internal vif route 250
Correct:
As explained above, this is the correct command for verifying service routes in the Management Plane.
show routing route type service-route
Incorrect:
This is not a valid PAN-OS CLI command.
PAN-OS Documentation Reference
Service Routes in PAN-OS 11.0:
The configuration and verification of service routes are covered under the Device > Setup > Services section of the GUI.
For CLI, the debug dataplane internal vif route 250 command is specifically used for troubleshooting service routes in the Management Plane.
For more details, refer to:
PAN-OS 11.0 CLI Guide: Covers debugging tools and service route verification.
PCNSA Study Guide: Domain 1 includes service route configurations and their importance in maintaining connectivity for management services.
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.
How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
Answer : B
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Answer : C
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
Refer to Exhibit:
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)
B)
C)
D)
Answer : A
Where can a service route be configured for a specific destination IP?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.
What is the result of traffic that matches the "Alert - Threats" Profile Match List?
Answer : C
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
Answer : A, B
An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.
Which installer package file should the administrator download from the support site?
Answer : A
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
Answer : B
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing High Availability as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
Answer : A, D
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
Answer : B
The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.
Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)
Answer : B, C
Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.
Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
Which source is the most reliable for collecting User-ID user mapping?
Answer : D
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic?
Answer : B
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
PBF can address which two scenarios? (Choose two.)
Answer : A, B
Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.
B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.
PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.
A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
Answer : A, B
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
Answer : C
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : A
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
Which operation will impact the performance of the management plane?
Answer : B
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.
What must occur to have Antivirus signatures update?
Answer : D
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
As a best practice, which URL category should you target first for SSL decryption?
Answer : B
Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.
Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?
Answer : A
An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
Answer : A
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?
Answer : B
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.
Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Answer : D
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic. Reference: App-ID Overview, Create a Security Policy Rule
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : C
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three.)
Answer : A, B, C
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
Which feature can provide NGFWs with User-ID mapping information?
Answer : C
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
Answer : C
The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
To verify this, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including the specific action for each signature.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects
Which type of role-based access is most appropriate for this project?
Answer : C
Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.
Which link is responsible for synchronizing sessions between high availability (HA) peers?
Answer : D
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : A
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.
However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
Answer : D
The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate. Reference: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)
Answer : B, C
Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.
Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
What are two requirements of IPSec in transport mode? (Choose two.)
Answer : C, D
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs
Which new PAN-OS 11.0 feature supports IPv6 traffic?
Answer : A
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
Answer : D
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
Answer : A
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
Answer : C
Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
Answer : B
The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.
Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infra-structure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud (global (U.S.), regional, and private) analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two)
Answer : C, D
To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.
Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn't include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.
Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
Answer : B, D
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template an engineer can configure? (Choose three.)
Answer : A, C, D
A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:
A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.
C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.
D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.
A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Answer : A
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
In addition to IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
Why would a traffic log list an application as "not-applicable''?
Answer : A
A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.
A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
Which type of zone will allow different virtual systems to communicate with each other?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?
Answer : A
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
If a URL is in multiple custom URL categories with different actions, which action will take priority?
Answer : C
When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).
1 block
2 override
3 continue
4 alert
5 allow
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?
Answer : B
In Panorama, zones defined in a template must be linked to a device group for visibility in policy creation. Adding the template as a reference template in the device group (Option B) ensures its zones are available in the policy editor's drop-down list.
Option A (master device) affects User-ID, not zones. Option C (add firewall) is a prerequisite, not a fix. Option D (share objects) is unrelated to zones. Documentation specifies reference templates for this issue.
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
Answer : B
If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb
Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
Answer : B
The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.
Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
Given the following configuration, which route is used for destination 10.10.0.4?
Answer : A
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
Answer : D
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Answer : A
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.
Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?
When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
Answer : A
Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.
What is the result of traffic that matches the "Alert - Threats" Profile Match List?
Answer : C
What is the best description of the Cluster Synchronization Timeout (min)?
Answer : A
The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier.
Reference: Configure HA Clustering, PCNSE Study Guide (page 53)
Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)
Answer : B, D
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Answer : C, D
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
Answer : B
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama.
Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?
Answer : C
To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.
C. This can be achieved by:
Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.
Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.
This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
Answer : B, C, E
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer : A, B
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.
Which sessions does Packet Buffer Protection apply to?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats.
Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
Answer : A
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
Answer : C
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management
Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP relay agent configured. Which interface mode can pass broadcast DHCP traffic?
Answer : B
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose two.)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
What are two requirements of IPSec in transport mode? (Choose two.)
Answer : C, D
An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
Answer : D
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.
Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
Answer : B
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy.
Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
Answer : C
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
Answer : C, D
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?
Answer : C
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
Answer : C
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)
Answer : B, C, D
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
Answer : D
A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID is not visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals every threat signature in the installed content, not only those already excepted or recently triggered, so the administrator can search for the ID and add the exception directly. This is the fastest way to resolve a false positive without external assistance.
Option A (system logs) may explain the absence but does not implement the fix. Option C (traffic logs) supports rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. The documentation confirms this method.
The UDP-4501 protocol-port is used between which two GlobalProtect components?
Answer : B
If a URL is in multiple custom URL categories with different actions, which action will take priority?
Answer : C
When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).
1 block
2 override
3 continue
4 alert
5 allow
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
Answer : A
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
Answer : D
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)
Answer : B, C
Protection against quantum-related attacks requires key establishment that does not rely solely on classical Diffie-Hellman or RSA. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines a classical key exchange with one or more post-quantum key exchanges in the same IKE negotiation, so the tunnel keys stay secret even if the classical exchange is later broken. IKEv2 with Post-Quantum Pre-shared Keys (PPK, Option C) mixes an out-of-band shared secret into the IKEv2 key derivation, per RFC 8784, which also defeats harvest-now-decrypt-later attacks on the exchange.
Option A (IKEv1) has no post-quantum extension; both PPK and hybrid key exchange are IKEv2 features. Option D (IPsec with Hybrid ID exchange) is not a PAN-OS feature. The documentation confirms the IKEv2 enhancements for quantum resistance.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
Answer : B, D
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. Both are ephemeral Diffie-Hellman variants that provide perfect forward secrecy (PFS): a fresh key pair is generated for every SSL/TLS session and no previous key is reused. This protects recorded sessions against later compromise of the long-term key, but it also means the firewall, which terminates the session on both the client side and the server side, must perform the ephemeral exchange itself for each session rather than reusing a static key. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) derives the session key with elliptic curve cryptography; DHE (Diffie-Hellman Ephemeral) uses modular exponentiation over a large prime group and is the more expensive of the two at comparable strength. Both require more CPU and memory than RSA key exchange, which is a non-PFS method in which the client encrypts the pre-master secret to the server's static public key. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
Answer : C
The Exceptions tab of a Vulnerability Protection profile lets you change the response to a specific signature. For example, you can block all packets that match the profile's rules except for a selected signature, which only generates an alert. The Exceptions tab supports filtering, including by CVE identifier.
To confirm this, log in to the firewall, open the Vulnerability Protection profile, go to Exceptions and select 'Show all signatures'. The listing then shows every threat signature with its CVE reference and the action the profile currently applies to it.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
Which CLI command displays the physical media that are connected to ethernet1/8?
Answer : B
The CLI command 'show system state filter-pretty sys.s1.p8.phy' displays the physical-layer state of slot 1, port 8, which is ethernet1/8. The output includes the media type of the connected transceiver or cable along with link details, so it answers the question of what is physically plugged into the interface. Note the key is 's1' (slot 1) followed by 'p8' (port 8); the interface name in the key is not written as 'ethernet1/8'.
For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Answer : A
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
Answer : D
When migrating to application-based rules with Policy Optimizer, adding the container application (Option D) future-proofs the rule. A container app (for example 'facebook') groups its child apps ('facebook-base', 'facebook-chat' and so on), and a rule that references the container also matches child App-IDs added in later content releases, without widening the match to unrelated applications.
Option A (custom app with ports) reverts to port-based logic and loses the App-ID benefit. Option B (application filter) risks over-broad matching because it selects by category, subcategory, technology or risk. Option C (listing the specific child apps) stops matching as soon as a new child App-ID is released. The documentation recommends container apps for this purpose.
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.
What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : B
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
Answer : B
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols
A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?
Answer : D
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.
How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
Answer : A
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
In addition to flood protection thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to appear on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be referenced in Security policy rules on the data center firewall so that it evaluates redistributed HIP reports against them. If no rule references a HIP profile, the firewall never evaluates traffic against the profiles and no HIP match log is generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone through which the users' traffic enters the data center firewall. User-ID supplies the IP-to-user mapping that HIP-based policy enforcement is keyed on; without it the redistributed HIP report cannot be associated with the sessions.
The other options (A and D) concern logging and log forwarding and would not affect whether HIP match logs are generated on the data center firewall itself.
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
Answer : C
For an application that is currently identified as unknown-tcp and whose sessions remain idle for long periods, creating a custom application and referencing it in an application override rule is the quickest solution.
C. The process involves:
Creating a custom application on the firewall and giving it its own session timeouts to accommodate the idle behavior, so the firewall does not tear down the application's sessions for inactivity.
Creating an application override rule that matches the traffic (source, destination, protocol and port) and assigns the custom application to it. Traffic matched by the rule is logged as the custom application.
The trade-off to be aware of is that an application override rule bypasses both App-ID signature matching and Content-ID inspection for the matched sessions: the traffic is classified by the override rule's port and address criteria, not by decoders or signatures. That is acceptable here because the requirement explicitly excludes threat scanning; if signature-based identification were required, the alternative is a custom application with signatures built from packet captures, which takes longer to implement. With the override approach the application is correctly named in Traffic logs for reporting, which satisfies the stated requirement.
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
Which three items must be configured to implement application override? (Choose three )
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)
Answer : B, D
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?
Answer : A
Perfect Forward Secrecy for Phase 2 ensures that each IPSec SA derives its keys from a fresh Diffie-Hellman exchange rather than from Phase 1 keying material alone. On PAN-OS it is enabled in the IPSec Crypto profile (Network > Network Profiles > IPSec Crypto) by selecting a DH Group other than no-pfs; the peer must be configured with the same group, otherwise Phase 2 fails to negotiate. The profile is then attached to the IPSec tunnel.
The IKE Gateway advanced options and the IKE Crypto profile govern Phase 1 (the IKE SA), where a DH group is always required, so a Phase 2 PFS mismatch is not corrected there. The ESP authentication algorithm is unrelated to PFS.
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.
What type of service route can be used for this configuration?
Answer : A
A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?
Answer : C
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) pair, a firewall that experiences a failure of a monitored object (a link or path), or that is leaving the suspended or non-functional state, enters the Tentative state. While Tentative, the firewall synchronizes sessions and configuration from its peer and is not fully processing traffic on its own; once synchronized it moves to the Active-Primary or Active-Secondary state. Therefore the correct answer is B, Tentative.
Which active-passive HA firewall state describes the firewall that is currently processing traffic?
Answer : C
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability widget on the firewall's dashboard shows the status as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that lets a Palo Alto Networks firewall send a copy of decrypted traffic out of a dedicated interface to an external security tool for further analysis. Because it exports cleartext copies of otherwise encrypted sessions, the firewall only enables it after a superuser allows forwarding of decrypted content, and the feature requires the (free) Decryption Port Mirror license. If an administrator account with that privilege is compromised, an attacker could redirect decrypted traffic, so access to the setting should be tightly controlled.
Laws and regulations regarding the decryption, storage, inspection and use of SSL/TLS-encrypted traffic vary by country and industry. Before using Decryption Mirror, confirm compliance with the applicable laws and with corporate policy; this usually requires consultation with corporate legal counsel so that the feature does not violate privacy laws or regulatory requirements.
The superuser consent requirement and the legal implications are described in the PAN-OS Administrator's Guide and best practice documentation. The mirror port is a dedicated interface of type Decrypt Mirror, not a tap interface, which eliminates option A. Option C is incorrect because management consent alone is not sufficient; legal compliance must also be established.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
Answer : B, D
When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:
B. Template stacks:
Template stacks in Panorama let administrators combine several templates into one ordered collection that is applied to many firewalls. Shared settings (network configuration, server profiles, GlobalProtect portal and gateway settings and so on) are pushed consistently to every member, which keeps the deployment uniform and removes the need to edit each firewall's configuration individually.
D. Variables:
Variables in Panorama let a single template carry device-specific values without being duplicated. A variable can stand for a unique IP address, hostname or similar setting inside a shared template; when the template is pushed, Panorama substitutes the value defined for each firewall, so customization happens inside a standardized framework.
By using template stacks and variables, an administrator can rapidly deploy and manage the configuration of many GlobalProtect gateways, keeping them consistent while still accommodating site-specific requirements.
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)
Answer : A, B, C
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
Answer : A
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles being ordered Kerberos, LDAP, and TACACS+?
Answer : B
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS lets an administrator evaluate a hypothetical flow against the committed Security policy. By entering source and destination zones and addresses, the application, protocol and port, and optionally the user, it shows which rule the flow would match and whether that rule allows or denies it, which makes it the right tool for proving that unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but does not test a specific traffic scenario. Test Policy Match is the documented tool for this purpose.
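To make the matching logic concrete, the following added example (not PAN-OS code) models the first-match evaluation that Test Policy Match performs, including the container-application behaviour discussed in the Policy Optimizer question above: a rule that names the 'facebook' container also matches its child App-IDs. The zones, addresses, rule names and the 'internal-erp' container are constructed; only the facebook container and its facebook-* children mirror a real PAN-OS container.

```python
"""First-match Security policy evaluation with App-ID container expansion.

Added illustration, not PAN-OS code: a miniature rulebase evaluator used the
way Test Policy Match is used, to assert that unwanted traffic never reaches
an allow rule.  Zones, addresses and rule names are constructed; the
'facebook' container and its facebook-* children mirror a real PAN-OS
container, the 'internal-erp' container is assumed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed App-ID container tree: container -> child applications.
CONTAINER_APPS = {
    "facebook": {"facebook-base", "facebook-chat", "facebook-video"},
    "internal-erp": {"internal-erp-base", "internal-erp-sync"},
}


def expand_apps(apps):
    """Applications a rule matches: each listed app plus the children of any container."""
    expanded = set()
    for app in apps:
        expanded.add(app)
        expanded |= CONTAINER_APPS.get(app, set())
    return expanded


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    src_nets: set   # CIDR strings, or "any"
    dst_nets: set
    apps: set       # application names, or "any"
    ports: set      # destination ports, or "any" (stands in for application-default here)
    action: str     # "allow" or "deny"

    @staticmethod
    def _net_ok(nets, ip):
        if "any" in nets:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in nets)

    def matches(self, f: Flow) -> bool:
        if "any" not in self.src_zones and f.src_zone not in self.src_zones:
            return False
        if "any" not in self.dst_zones and f.dst_zone not in self.dst_zones:
            return False
        if not self._net_ok(self.src_nets, f.src_ip) or not self._net_ok(self.dst_nets, f.dst_ip):
            return False
        if "any" not in self.apps and f.app not in expand_apps(self.apps):
            return False
        if "any" not in self.ports and f.dst_port not in self.ports:
            return False
        return True


def policy_match(rules, flow):
    """First matching rule wins; unmatched traffic falls to the PAN-OS default rules."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase: the marketing subnet may use the facebook container,
# everyone in trust may browse on 80/443, nothing else is permitted.
RULEBASE = [
    Rule("allow-facebook-marketing", {"trust"}, {"untrust"}, {"10.10.20.0/24"}, {"any"},
         {"facebook"}, {"any"}, "allow"),
    Rule("allow-web", {"trust"}, {"untrust"}, {"any"}, {"any"},
         {"web-browsing", "ssl"}, {80, 443}, "allow"),
]


def verify_unwanted_denied(rules, flows):
    """Return the flows that hit an allow rule; an empty list means all are blocked."""
    return [f for f in flows if policy_match(rules, f)[1] == "allow"]


if __name__ == "__main__":
    probe = Flow("trust", "untrust", "10.10.20.5", "157.240.1.1", "facebook-chat", 443)
    print(policy_match(RULEBASE, probe))   # matched via the facebook container
```

The useful habit this encodes is to keep a list of flows that must never be allowed (inbound SSH from the internet, a child of a container app from a subnet that is not entitled to it) and re-run the check after every rulebase change; the Test Policy Match tool on the firewall is the authoritative equivalent.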
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
Review the images. They depict a Security policy rule that permits web traffic and references the global-logs log forwarding profile.
What is the result of traffic that matches the "Alert - Threats" Profile Match List?
Answer : C
A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?
Answer : B
Which tool can gather information about the application patterns when defining a signature for a custom application?
Answer : C
Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.
Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing a PAN-OS upgrade on Panorama, what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama is having outdated plugins. Plugins are software extensions that let Panorama interact with Palo Alto Networks cloud services and third-party services. Each plugin version depends on specific PAN-OS versions, so the plugin compatibility matrix must be checked and the plugins updated before (or, for some plugins, immediately after) the Panorama upgrade. If the plugins are not updated accordingly, the upgrade may fail or Panorama functionality may break afterwards. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches to only the new App-IDs in the most recently installed content releases. When a new content release is installed, the New App-ID characteristic automatically begins to match only to the new App-IDs in that content release version. This way, the engineer can see how the newly-categorized applications might impact security policy enforcement and make any necessary adjustments.Reference:Monitor New App-IDs
What should an engineer consider when setting up the DNS proxy for web proxy?
Answer : A
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.
However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
What happens when the log forwarding built-in action with tagging is used?
Answer : A
The log forwarding built-in action with tagging is used to respond automatically to traffic the firewall has already identified as unwanted, for example threat log entries that match a log forwarding profile's match list. The action registers a tag on the source or destination IP address of the matching log entry (which address is tagged is selected in the built-in action), either locally on the firewall, on Panorama or on a remote User-ID agent. The tag itself blocks nothing; blocking happens when a dynamic address group whose match criteria includes that tag is referenced by a Security policy rule.
A. Destination IP addresses of selected unwanted traffic are blocked:
Once the address is tagged, any dynamic address group (DAG) that matches on the tag updates its membership immediately, without a commit, and the Security policy rules that reference the DAG take effect on the next session from or to that address. A deny rule referencing the DAG therefore blocks the tagged addresses, while an allow rule could instead restrict them to a remediation network.
This gives an automated, near real-time response to identified threats without manual intervention; the tag can be given a timeout so that the address drops out of the DAG again once the condition has cleared.
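The whole chain, from a match-list filter such as the "medium or higher severity" condition required in the syslog question earlier on this page, through the tag registration, to the dynamic address group that a deny rule references, is modelled below. This is an added illustration, not PAN-OS code: the threat-log records are constructed, the severity ranking follows the PAN-OS severity levels, the register XML follows the User-ID XML API format (the per-member timeout attribute is assumed to follow the documented registration format), and the 'quarantine' tag and group name are assumed.

```python
"""Log-forwarding built-in action 'add tag' modelled end to end.

Added illustration, not PAN-OS code.  It selects constructed threat-log
records with the condition a log forwarding profile match list would use
(severity medium or higher), builds the User-ID XML API 'register' payload
that tags the offending source addresses, then resolves a dynamic address
group from the registered tags so a deny rule referencing that group can act.
Log fields, the 'quarantine' tag and the timeout value are assumed.
"""
from xml.etree import ElementTree as ET

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed threat-log records (a subset of the fields a PAN-OS threat log carries).
THREAT_LOGS = [
    {"src": "10.1.1.23", "dst": "198.51.100.7", "severity": "critical", "threat": "constructed-exploit"},
    {"src": "10.1.1.40", "dst": "198.51.100.7", "severity": "low", "threat": "constructed-scan"},
    {"src": "10.1.1.23", "dst": "198.51.100.9", "severity": "medium", "threat": "constructed-bruteforce"},
    {"src": "10.1.1.77", "dst": "203.0.113.5", "severity": "high", "threat": "constructed-c2"},
    {"src": "10.1.1.90", "dst": "203.0.113.5", "severity": "informational", "threat": "constructed-info"},
]


def severity_geq(record, level):
    """Same test as the match-list filter (severity geq <level>)."""
    return SEVERITY_RANK[record["severity"]] >= SEVERITY_RANK[level]


def select_sources(logs, level="medium"):
    """Source IPs the filtered match list would hand to the built-in action."""
    return sorted({r["src"] for r in logs if severity_geq(r, level)})


def build_register_xml(ips, tag, timeout=None):
    """User-ID XML API body (sent as type=user-id&cmd=<xml>) registering <tag> on each IP.

    timeout (seconds) is an assumed per-member attribute; leave it None for a
    tag that should persist until explicitly unregistered.
    """
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
        member.text = tag
        if timeout is not None:
            member.set("timeout", str(timeout))
    return ET.tostring(msg, encoding="unicode")


class TagRegistry:
    """Stand-in for the firewall's IP-to-tag table that dynamic address groups read."""

    def __init__(self):
        self.tags = {}  # ip -> set of tags

    def apply(self, register_xml):
        """Consume a register message exactly as the firewall would."""
        root = ET.fromstring(register_xml)
        for entry in root.iter("entry"):
            for member in entry.iter("member"):
                self.tags.setdefault(entry.get("ip"), set()).add(member.text)

    def dag_members(self, match_tag):
        """Members of a DAG whose match criteria is the single tag 'match_tag'."""
        return sorted(ip for ip, tags in self.tags.items() if match_tag in tags)


def quarantine_pipeline(logs, tag="quarantine", level="medium"):
    """Filter -> register -> DAG membership, as the built-in action does on the firewall."""
    registry = TagRegistry()
    xml_body = build_register_xml(select_sources(logs, level), tag, timeout=3600)
    registry.apply(xml_body)
    return registry.dag_members(tag), xml_body


if __name__ == "__main__":
    members, body = quarantine_pipeline(THREAT_LOGS)
    print("DAG members:", members)
    print(body)
```

On a real firewall the DAG is defined with match criteria such as 'quarantine' (the tag name in single quotes), and a Security rule placed above the allow rules denies traffic from that group; because DAG membership updates without a commit, the block takes effect as soon as the tag is registered.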
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?
Answer : C
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?
Answer : D
What is the best description of the Cluster Synchronization Timeout (min)?
Answer : A
The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier.
Reference: Configure HA Clustering, PCNSE Study Guide (page 53)
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in place for approved web traffic?
Answer : B
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
Which link is responsible for synchronizing sessions between high availability (HA) peers?
Answer : D
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?
Answer : D
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.
Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."
How should the administrator remediate this issue?
Answer : C
What is the best definition of the Heartbeat Interval?
Answer : C
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
Exhibit.
Given the screenshot, how did the firewall handle the traffic?
Answer : B
What are two requirements of IPSec in transport mode? (Choose two.)
Answer : C, D
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?
Answer : B
In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
Answer : C
The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources. Option D is false; the standalone agent can run on any server. The original answer (B) was incorrect, contributing to the 83% Core Concepts score.
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
Answer : B
If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?
Answer : B
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.
Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?
Answer : A
An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
Answer : A
What is the purpose of the firewall decryption broker?
Answer : A
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?
Answer : A
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.
Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
Answer : B
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-import-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
Answer : C
Which two statements correctly describe Session 380280? (Choose two.)
Answer : A, C
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
Answer : A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
Answer : B
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
Answer : B
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain and application?
Answer : A
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
Answer : B, C, E
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www important-website com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-intermediate and Wako Hebe CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https:///www.very-import-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
Answer : B
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
Answer : A
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template can an engineer configure? (Choose three.)
Answer : A, C, D
A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:
A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.
C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.
D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.
Which translated port number should be used when configuring a NAT rule for transparent proxy?
Answer : C
A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?
Answer : A
An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
Answer : B, C, E
PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
Answer : B
The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?
Answer : B
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."
Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?
Answer : D
An administrator has been tasked with configuring decryption policies.
Which decryption best practice should they consider?
Answer : A
The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
Answer : A, B
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
Answer : A
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
SAML SLO is supported for which two firewall features? (Choose two.)
Answer : A, B
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
Answer : A
Which two actions can the administrative role called "vsysadmin" perform? (Choose two)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
Answer : A
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
Answer : D
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : B
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Answer : A
Which tool can gather information about the application patterns when defining a signature for a custom application?
Answer : C
Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.
Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.
Where can a service route be configured for a specific destination IP?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?
Answer : D
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."
How should the administrator remediate this issue?
Answer : C
For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Answer : A
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.
Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
Answer : B
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Answer : B
An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.
Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.
A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
Answer : B, D
The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:
B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.
D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
Answer : C, D, E
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?
Answer : A
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?
Answer : A
Perfect Forward Secrecy (PFS) ensures unique session keys per VPN session, enabled under the IKE Gateway advanced options (Option A) by selecting a Diffie-Hellman (DH) group. This resolves Phase 2 mismatches if the peer requires PFS.
Option B (IPsec Tunnel) doesn't directly control PFS. Option C (DH Group in IPsec Crypto) is related but not the enablement point. Option D (authentication algorithm) is unrelated. Documentation specifies IKE Gateway for PFS.
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.
How can this be achieved?
Answer : D
A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
Answer : C
To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.
To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.
This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Answer : C
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Answer : D
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Answer : C, D
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
What must be configured to apply tags automatically based on User-ID logs?
Answer : D
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting. Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
Answer : B
Which two actions can the administrative role called "vsysadmin" perform? (Choose two)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
What should an engineer consider when setting up the DNS proxy for web proxy?
Answer : A
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
Answer : D
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Which two statements correctly describe Session 380280? (Choose two.)
Answer : A, C
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
Answer : B
The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.
Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.
How can the administrator ensure that User-IDs are populated in the traffic logs?
Answer : D
A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
Answer : D, D
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:
In the following image from Panorama, why are some values shown in red?
Answer : C
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
Answer : C
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?
Answer : B
When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)
Answer : C, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha
These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:
HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What must the administrator do to correct this issue?
Answer : C
In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?
Answer : C
If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. Reference: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites
What type of NAT is required to configure transparent proxy?
Answer : D
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
Answer : D
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
Answer : B
When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.
Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP relay agent configuration. Which interface mode can broadcast DHCP traffic?
Answer : B
Which CLI command displays the physical media that are connected to ethernet1/8?
Answer : B
The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8. This command is designed to filter the output to show relevant physical layer information for the specified interface.
For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.
Which protocol is supported by GlobalProtect Clientless VPN?
Answer : D
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
Answer : A
Where can a service route be configured for a specific destination IP?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?
Answer : D
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Answer : D
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
Answer : B, C
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:
This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.
C. Security policy rule:
After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.
How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
Answer : B, D
When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:
B. Template stacks:
Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.
D. Variables:
Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.
By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
Answer : A
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.
What protections does this policy provide to the enterprise?
Answer : D
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
An engineer is configuring a firewall with three interfaces:
* MGT connects to a switch with internet access.
* Ethernet1/1 connects to an edge router.
* Ethernet1/2 connects to a visualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
Answer : A
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.
Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
Answer : B
Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.
The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
Answer : D
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID that has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?
Answer : A
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?
Answer : A, C
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
Answer : A, D
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
Answer : B
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
Answer : A, D
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.
For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.
Which rule type controls end user SSL traffic to external websites?
Answer : B
The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.
This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.
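The re-signing described above, together with the reason the earlier paragraph on Forward Trust certificates recommends a separate subordinate CA per firewall, can be played out end to end in the following added example. It is not code from the original page or from Palo Alto Networks; it is written in Go using only the standard library, and it builds a constructed PKI: a public root that signs the origin server's certificate, an enterprise root with one subordinate Forward Trust CA per firewall (the firewall and CA names are assumptions), a proxy step that copies the origin certificate's identity onto a certificate signed by the firewall's Forward Trust CA, and a client-side check that mimics a browser's chain validation against three different trust stores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// entity is a certificate plus its private key, a CA or a TLS server (hypothetical helper, not PAN-OS code).
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed, sequential serials; a real CA uses random, unique ones

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a fresh P-256 key pair and certifies it, signed by parent (self-signed when nil).
func issue(cn string, dnsNames []string, isCA bool, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { // CA certificates carry the basic-constraints and cert-signing bits instead
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &entity{cert: cert, key: key}
}

// forwardProxyResign is the decrypting firewall's step: copy the origin certificate's identity
// onto a new certificate signed by the firewall's own Forward Trust CA, with a key only it holds.
func forwardProxyResign(fw *entity, origin *x509.Certificate) *x509.Certificate {
	return issue(origin.Subject.CommonName, origin.DNSNames, false, fw).cert
}

// clientVerify mimics a browser: leaf plus presented intermediates, checked for host against the trust store.
func clientVerify(leaf *x509.Certificate, presented, trusted []*x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

type Result struct {
	DirectTrusted                bool   // no decryption, client trusts the public root
	ProxiedTrusted               bool   // decrypted by FW1, client trusts the enterprise root
	ProxiedWithoutEnterpriseRoot bool   // decrypted by FW1, client lacks that root: the browser warning
	FW1Issuer, FW2Issuer         string // issuer CN tells which firewall re-signed the certificate
}

func Run() Result {
	const host = "www.important-website.com" // host name taken from the scenario in the text
	publicRoot := issue("Well-Known-Root-CA", nil, true, nil)
	origin := issue(host, []string{host}, false, publicRoot).cert
	enterpriseRoot := issue("Enterprise Root CA", nil, true, nil)
	fw1 := issue("FW1 Forward Trust CA", nil, true, enterpriseRoot) // one subordinate CA per firewall
	fw2 := issue("FW2 Forward Trust CA", nil, true, enterpriseRoot)
	viaFW1, viaFW2 := forwardProxyResign(fw1, origin), forwardProxyResign(fw2, origin)
	pub, ent := []*x509.Certificate{publicRoot.cert}, []*x509.Certificate{enterpriseRoot.cert}
	return Result{
		DirectTrusted:                clientVerify(origin, nil, pub, host) == nil,
		ProxiedTrusted:               clientVerify(viaFW1, []*x509.Certificate{fw1.cert}, ent, host) == nil,
		ProxiedWithoutEnterpriseRoot: clientVerify(viaFW1, []*x509.Certificate{fw1.cert}, pub, host) == nil,
		FW1Issuer:                    viaFW1.Issuer.CommonName,
		FW2Issuer:                    viaFW2.Issuer.CommonName,
	}
}
```

A client whose trust store holds the public root but not the enterprise root fails chain validation with an unknown-authority error, which is the "certificate is not trusted" warning users see when the Forward Trust CA has not been distributed to them. The issuer name on the re-signed certificate identifies which firewall produced it, which is the troubleshooting benefit of per-firewall subordinate CAs, and because each subordinate CA has its own key, removing one from the enterprise PKI does not affect certificates re-signed by the others.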
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware; category: dns-c2; threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infra-structure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. Reference: https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Answer : D
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic. Reference: App-ID Overview, Create a Security Policy Rule
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?
Answer : B
In Panorama, zones defined in a template must be linked to a device group for visibility in policy creation. Adding the template as a reference template in the device group (Option B) ensures its zones are available in the policy editor's drop-down list.
Option A (master device) affects User-ID, not zones. Option C (add firewall) is a prerequisite, not a fix. Option D (share objects) is unrelated to zones. Documentation specifies reference templates for this issue.
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
Answer : B, D, E
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.
An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.
Reference: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
Answer : A
Which is not a valid reason for receiving a decrypt-cert-validation error?
Answer : A
Refer to Exhibit:
An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)
B)
C)
D)
Answer : A
Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)
Answer : B, C
The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.
Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
Based on the image, what caused the commit warning?
Answer : D
A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What must the company do in order to use PAN-OS MFA?
Answer : D
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
Answer : D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configured. Which interface mode can broadcast the DHCP traffic?
Answer : B
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose two.)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
Answer : D
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
Answer : A
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
Which statement regarding HA timer settings is true?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.
Which sessions does Packet Buffer Protection apply to?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
Answer : D
Which protocol is supported by GlobalProtect Clientless VPN?
Answer : D
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
Answer : C
The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
If you do not believe it, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including the specific action for each signature.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third-party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
Answer : C
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
Answer : A
https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 '- Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration' 'You need to be careful what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox). This still will be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value'
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
Answer : A, C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.
How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
Answer : C
An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
Answer : B, D, E
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic [1].
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. [2]. The administrator can also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN [3].
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes [4].
An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy [5].
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets [6].
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application [7].
References: [1] QoS Overview, [2] Configure QoS, [3] QoS Use Cases, [4] QoS Best Practices, [5] Application Override, [6] QoS FAQ, [7] Create a QoS Policy Rule
Where can a service route be configured for a specific destination IP?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What must the administrator do to correct this issue?
Answer : C
In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Answer : A
The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.
Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
In a template, which two objects can be configured? (Choose two.)
Answer : B, C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
Answer : A
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
An administrator has been tasked with configuring decryption policies.
Which decryption best practice should they consider?
Answer : A
The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)
Answer : B, C
Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.
Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?
Answer : C
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
Answer : D
In the second image, the VW ports mentioned are 1/5 and 1/7. Hence they cannot be part of any other routing. So any traffic that ingresses on 1/7 has to egress via 1/5.
The egress interface for the traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination 10.46.41.113 will be ethernet1/5. This is because the traffic will match the virtual wire with interfaces ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 201. The traffic will also match the security policy rule that allows traffic from zone Trust to zone Untrust, which are assigned to ethernet1/7 and ethernet1/5 respectively. Therefore, the traffic will be forwarded out the other interface of the virtual wire pair, which is ethernet1/5.
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates [4]. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy [4]. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
Answer : B, D
The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:
B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.
D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
Answer : A, C
When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload [1][2].
The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed [3][4].
The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput [5][6].
References: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)
Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?
Answer : B
For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.
Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
Answer : D
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)
Answer : B, C, D
An engineer is configuring a firewall with three interfaces:
* MGT connects to a switch with internet access.
* Ethernet1/1 connects to an edge router.
* Ethernet1/2 connects to a visualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
Answer : A
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
Which CLI command displays the physical media that are connected to ethernet1/8?
Answer : B
The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8 (slot 1, port 8). This command filters the system state output to show only the physical layer information for the specified interface.
For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
Which feature can provide NGFWs with User-ID mapping information?
Answer : C
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats [2]. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)
As a best practice, logging at session start should be used in which case?
Answer : A
A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?
Answer : B
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
WildFire logs showing a 'malicious' verdict with an 'allow' action mean the sample was forwarded and analyzed, but nothing blocked it at the time: the firewall did not yet have a signature for it and only received one later. Being protected the following day is the pattern of a firewall that picks up WildFire signatures only through the daily Antivirus content update, into which the previous day's WildFire signatures are folded. WildFire itself returns a verdict within minutes and publishes a signature shortly afterwards, and the firewall can pull those through the separate WildFire dynamic update schedule (Device > Dynamic Updates > WildFire), which can run as often as every minute or in real time. Option B, configuring the Antivirus security profile so that its WildFire Action is 'block' for malicious verdicts (with WildFire signature updates scheduled frequently rather than relying on the daily Antivirus package), closes the gap so that new threats are blocked within minutes.
Option A (WildFire analysis profile) defines which files are sent to WildFire but does not control the blocking action. Option C (File Blocking profile) blocks by file type, not by threat verdict. Option D (file size limits) affects only submission eligibility. The Antivirus profile is where WildFire verdicts are enforced, as described in the Palo Alto Networks documentation.
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.
What configuration change is necessary to implement this troubleshooting solution for the user?
Answer : C
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
Answer : D
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
A company wants to add threat prevention to the network without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : A, D
A and D are the best-practice deployment modes when a company wants to add threat prevention without redesigning network routing, because both insert the firewall transparently: it holds no IP address in the forwarding path and leaves the existing topology and routing untouched [1].
A: Virtual Wire mode binds two interfaces into a pair. The firewall inspects traffic that enters one interface of the pair, applies Security policy, and forwards it out the other interface of the pair, with no change to the IP addressing or routing of that segment [2].
D: Layer 2 mode makes the firewall behave like a switch. Interfaces configured as Layer 2 and assigned to the same VLAN forward frames based on MAC addresses; the firewall applies Security policy to the traffic between them and forwards to the appropriate interface based on its MAC address table [3].
Verified Reference:
[1] https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html
[3] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html
What is the best definition of the Heartbeat Interval?
Answer : C
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Answer : B
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the Security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact Security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
Answer : C
Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
Answer : B, D
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
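The mechanics behind that answer, as an added example that is not part of the original page or Palo Alto Networks code: the threat logs that match a Log Forwarding filter yield destination IPs, the built-in tagging action registers a tag on those IPs through the User-ID API, and a Dynamic Address Group whose match criteria name that tag picks them up. The `<uid-message>` layout follows the documented User-ID API format; the log records, the tag name `blocked-dest` and the DAG match criteria are constructed for this example, and the HTTP post to `https://<firewall>/api/?type=user-id` is left out so the code runs offline.

```python
"""Auto-tagging as the Log Forwarding built-in action does it: pick the IPs out
of the threat logs that match a filter, emit the User-ID API register message
that attaches a tag to them, and compute the Dynamic Address Group membership
that results.

Added example, not Palo Alto Networks code. The <uid-message> layout follows
the documented User-ID API format; the log records, the tag name
'blocked-dest' and the DAG match criteria are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

# Constructed threat log records, reduced to the fields the filter needs.
SAMPLE_THREAT_LOGS = [
    {"severity": "critical", "action": "alert", "dst": "203.0.113.10"},
    {"severity": "high",     "action": "alert", "dst": "198.51.100.7"},
    {"severity": "low",      "action": "alert", "dst": "192.0.2.55"},
    {"severity": "critical", "action": "alert", "dst": "203.0.113.10"},  # repeat hit
]


def match_filter(log: Dict[str, str]) -> bool:
    """Equivalent of the log filter (severity eq critical) or (severity eq high)."""
    return log["severity"] in ("critical", "high")


def select_ips(logs: Iterable[Dict[str, str]], field: str = "dst") -> List[str]:
    """IPs to tag: the chosen field of every matching record, de-duplicated."""
    return sorted({log[field] for log in logs if match_filter(log)})


def build_message(ips: Iterable[str], tag: str, action: str = "register",
                  timeout: int = 3600) -> str:
    """Build a User-ID API <uid-message> that registers or unregisters one tag
    on each IP. The timeout (seconds) lets a registration expire on its own."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be register or unregister")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip in ips:
        attrs = {"ip": ip, "persistent": "1"} if action == "register" else {"ip": ip}
        entry = ET.SubElement(block, "entry", attrs)
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
        if action == "register":
            member.set("timeout", str(timeout))
        member.text = tag
    return ET.tostring(root, encoding="unicode")


def apply_message(xml_text: str, registrations: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Apply a register/unregister message to an in-memory ip -> tags table,
    the way the firewall's IP-tag registration table would change."""
    root = ET.fromstring(xml_text)
    for entry in root.iterfind("./payload/register/entry"):
        tags = {m.text for m in entry.iterfind("./tag/member")}
        registrations.setdefault(entry.get("ip"), set()).update(tags)
    for entry in root.iterfind("./payload/unregister/entry"):
        ip = entry.get("ip")
        tags = {m.text for m in entry.iterfind("./tag/member")}
        remaining = registrations.get(ip, set()) - tags
        if remaining:
            registrations[ip] = remaining
        else:
            registrations.pop(ip, None)
    return registrations


def dag_members(registrations: Dict[str, Set[str]], required: Iterable[str],
                excluded: Iterable[str] = ()) -> List[str]:
    """Membership of a DAG whose match criteria are
    'required1' and 'required2' ... and not 'excluded' (AND/NOT only)."""
    req, exc = set(required), set(excluded)
    return sorted(ip for ip, tags in registrations.items()
                  if req <= tags and not (exc & tags))


if __name__ == "__main__":
    table: Dict[str, Set[str]] = {}
    msg = build_message(select_ips(SAMPLE_THREAT_LOGS), "blocked-dest")
    print(msg)
    apply_message(msg, table)
    print("DAG members:", dag_members(table, ["blocked-dest"]))
```

The timeout on the registration is the part worth noticing: a tag that expires on its own keeps an automated block from becoming permanent by accident, and the unregister path is what a second Log Forwarding action (or an operator) uses to lift it early.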
An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C: PBF > static route > Security policy enforcement. This is the order in which the firewall resolves the forwarding path and then the policy decision. Policy-Based Forwarding lets the firewall override the routing table and steer traffic by source and destination address, application, user, or service, so it is evaluated first. If no PBF rule matches, the firewall falls back to the routing table, where static routes are matched on destination address by longest prefix. Security policy enforcement comes last, once the egress interface (and therefore the destination zone) is known, and allows or blocks the session on zone, address, port, user, application, and other criteria. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
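The three stages in that order, as an added example that is not part of the original page or Palo Alto Networks code: a PBF rule is tried first, the routing table is consulted by longest prefix match only when no PBF rule applies, and Security policy is evaluated once the egress zone is known. Interface names, zones, the PBF rule, the routes and the Security rules are constructed for this example, and only the three stages named in the question are modelled.

```python
"""Forwarding decision in the order the question describes: Policy-Based
Forwarding first, then the routing table (longest prefix match, lowest metric
as tie-breaker), then Security policy between the ingress zone and the zone
of the chosen egress interface.

Added example, not Palo Alto Networks code. Interfaces, zones, rules and
routes are constructed; only the three stages named in the question appear.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PBFRule:            # evaluated top-down, first match wins
    name: str
    from_zone: str
    dst_prefix: str
    dport: Optional[int]  # None means any port
    egress_if: str


@dataclass(frozen=True)
class Route:
    prefix: str
    egress_if: str
    metric: int = 10


@dataclass(frozen=True)
class SecurityRule:       # evaluated top-down, first match wins
    name: str
    from_zone: str        # "any" allowed
    to_zone: str          # "any" allowed
    dport: Optional[int]
    action: str           # "allow" or "deny"


def pbf_lookup(pkt: Packet, ingress_zone: str, rules: List[PBFRule]) -> Optional[PBFRule]:
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.from_zone == ingress_zone
                and dst in ipaddress.ip_network(r.dst_prefix)
                and r.dport in (None, pkt.dport)):
            return r
    return None


def route_lookup(pkt: Packet, routes: List[Route]) -> Optional[Route]:
    """Longest prefix match; among equal prefix lengths the lowest metric wins."""
    dst = ipaddress.ip_address(pkt.dst)
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net:
            rank = (net.prefixlen, -r.metric)
            if best is None or rank > best[0]:
                best = (rank, r)
    return best[1] if best else None


def security_lookup(pkt: Packet, from_zone: str, to_zone: str,
                    rules: List[SecurityRule]) -> Optional[SecurityRule]:
    for r in rules:
        if (r.from_zone in ("any", from_zone)
                and r.to_zone in ("any", to_zone)
                and r.dport in (None, pkt.dport)):
            return r
    return None


def process(pkt: Packet, ingress_zone: str, pbf_rules: List[PBFRule],
            routes: List[Route], if_zone: Dict[str, str],
            sec_rules: List[SecurityRule]) -> Tuple[Optional[str], str, str]:
    """Return (egress interface, stage that chose it, Security action)."""
    pbf = pbf_lookup(pkt, ingress_zone, pbf_rules)
    if pbf is not None:
        egress, stage = pbf.egress_if, "pbf:" + pbf.name
    else:
        route = route_lookup(pkt, routes)
        if route is None:
            return None, "no-route", "drop"
        egress, stage = route.egress_if, "route:" + route.prefix
    egress_zone = if_zone[egress]
    rule = security_lookup(pkt, ingress_zone, egress_zone, sec_rules)
    if rule is not None:
        action = rule.action
    else:  # predefined defaults: intrazone allow, interzone deny
        action = "allow" if ingress_zone == egress_zone else "deny"
    return egress, stage, action


# Constructed topology for the example.
PBF_RULES = [PBFRule("web-via-isp2", "trust", "0.0.0.0/0", 443, "ethernet1/4")]
ROUTES = [Route("0.0.0.0/0", "ethernet1/3"),
          Route("10.20.0.0/16", "ethernet1/5"),
          Route("10.20.0.0/24", "ethernet1/6")]
IF_ZONE = {"ethernet1/3": "untrust-isp1", "ethernet1/4": "untrust-isp2",
           "ethernet1/5": "dmz", "ethernet1/6": "dmz"}
SEC_RULES = [SecurityRule("allow-web-out", "trust", "any", 443, "allow"),
             SecurityRule("allow-ssh-dmz", "trust", "dmz", 22, "allow")]


def decide(dst: str, dport: int) -> Tuple[Optional[str], str, str]:
    return process(Packet("10.1.1.25", dst, "tcp", dport), "trust",
                   PBF_RULES, ROUTES, IF_ZONE, SEC_RULES)


if __name__ == "__main__":
    for dst, port in [("203.0.113.10", 443), ("10.20.0.5", 22),
                      ("10.20.5.5", 22), ("198.51.100.3", 25)]:
        print(dst, port, "->", decide(dst, port))
```

The HTTPS case shows why the order matters when troubleshooting: the PBF rule sends port 443 out ethernet1/4 even for a destination the routing table would have sent to the DMZ, so the Security rule that matches is the one to the untrust-isp2 zone, not the DMZ one.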
The UDP 4501 protocol/port is used between which two GlobalProtect components?
Answer : B
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.
Which sessions does Packet Buffer Protection apply to?
Answer : A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?
Answer : B
For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.
Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy?
Answer : B
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
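Both methods in working form, as an added example that is not part of the original page or Palo Alto Networks code: a syslog parser driven by the same three regexes a PAN-OS syslog parse profile uses (event, username, address), and an X-Forwarded-For reader that only trusts the header when the TCP peer is a known proxy. The proxy log format, host names, users, addresses and the trusted-proxy list are constructed for this example; against a real proxy the regexes are adjusted to its format.

```python
"""Two ways to derive User-ID mappings from an existing third-party proxy:
parse its syslog with the three regexes a PAN-OS syslog parse profile uses
(event, username, address), and read the original client IP from the
X-Forwarded-For header the proxy inserts.

Added example, not Palo Alto Networks code. Log format, host names, users,
addresses and the trusted-proxy list are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional, Pattern, Sequence

# Constructed RFC 5424 style lines from a proxy assumed to log key=value pairs.
SAMPLE_SYSLOG = [
    "<134>1 2024-06-12T10:01:02Z proxy01 webproxy - - - user=CORP\\jdoe src=10.1.1.25 action=allow url=https://example.com/",
    "<134>1 2024-06-12T10:01:05Z proxy01 webproxy - - - user=CORP\\asmith src=10.1.1.30 action=allow url=https://example.org/",
    "<134>1 2024-06-12T10:01:07Z proxy01 webproxy - - - user=CORP\\mallory src=10.1.1.40 action=deny url=https://bad.example/",
    "<134>1 2024-06-12T10:01:09Z proxy01 webproxy - - - src=10.1.1.50 action=allow url=https://example.net/",
    "<134>1 2024-06-12T10:01:11Z proxy01 webproxy - - - user=CORP\\eve src=999.1.1.1 action=allow url=https://example.com/",
]

EVENT_RE: Pattern[str] = re.compile(r"\baction=allow\b")   # only successful requests map a user
USERNAME_RE: Pattern[str] = re.compile(r"\buser=(\S+)")
ADDRESS_RE: Pattern[str] = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_syslog_mappings(lines: Iterable[str],
                          event_re: Pattern[str] = EVENT_RE,
                          user_re: Pattern[str] = USERNAME_RE,
                          addr_re: Pattern[str] = ADDRESS_RE) -> Dict[str, str]:
    """Return ip -> user for every line that matches the event regex and yields
    both a username and a valid IP address. Denied requests, lines without a
    user, and addresses that only look like IPs are skipped."""
    mappings: Dict[str, str] = {}
    for line in lines:
        if not event_re.search(line):
            continue
        user = user_re.search(line)
        addr = addr_re.search(line)
        if not (user and addr):
            continue
        try:
            ip = str(ipaddress.ip_address(addr.group(1)))
        except ValueError:
            continue                           # e.g. 999.1.1.1 passes the regex, not the parser
        mappings[ip] = user.group(1).lower()   # normalise DOMAIN\user so group lookups match
    return mappings


def client_ip_from_xff(header: Optional[str], peer_ip: str,
                       trusted_proxies: Sequence[str]) -> Optional[str]:
    """Original client IP from X-Forwarded-For. Trust the header only when the
    TCP peer is one of our proxies; from anyone else it is attacker-controlled."""
    if not header or peer_ip not in trusted_proxies:
        return None
    hops = [h.strip() for h in header.split(",") if h.strip()]
    if not hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[0]))   # left-most entry is the original client
    except ValueError:
        return None                                 # "unknown" or garbage


if __name__ == "__main__":
    print(parse_syslog_mappings(SAMPLE_SYSLOG))
    print(client_ip_from_xff("10.1.1.25, 192.0.2.7", "192.0.2.7", ["192.0.2.7"]))
```

The trusted-proxy check is the caveat a practitioner wants: on the firewall the equivalent is to enable XFF-based User-ID only on the rules whose traffic arrives from the proxy, since any client can send its own X-Forwarded-For header.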
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three.)
Answer : B, C, D
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Answer : B
An application override policy (Option B) forces the firewall to classify matching traffic as the specified custom application based only on zone, address, protocol and port, so App-ID and content inspection are skipped and the session is handled as plain Layer 4 traffic. Any security profiles attached to the matching Security rule have nothing to inspect, because the firewall never looks at the payload.
Option A (no scanning options) still processes App-ID. Option C (no profiles) skips threat inspection but not App-ID. Option D (disabling server response inspection) only stops inspection of the server-to-client direction. The PAN-OS documentation describes application override as the mechanism for bypassing App-ID and content inspection.
Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?
Answer : C
The 'No direct access to local network' option under the GlobalProtect Gateway's Agent > Client Settings > Split Tunnel configuration (Option C), when enabled, forces all traffic through the tunnel and blocks the endpoint's access to its local subnet, which is what cuts users off from local resources. Clearing that option restores split tunneling so local traffic stays local.
Option A (Network Services) is not where this setting lives. Option B (Satellite) applies to LSVPN satellite configuration. Option D (Portal App) does not control this behavior. The GlobalProtect documentation places this setting on the Gateway.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
Answer : B, D
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. Both are Diffie-Hellman based algorithms that provide perfect forward secrecy (PFS): they generate a new, unique session key for each SSL/TLS session and never reuse previous keys. This strengthens the confidentiality of past sessions, but it also raises the computational cost of every handshake, and a firewall acting as a forward proxy pays it twice, once on the client-facing and once on the server-facing connection. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) derives the session key with elliptic curve cryptography; DHE (Diffie-Hellman Ephemeral) does so with modular exponentiation over a large prime group, which is the more expensive of the two. Both cost more CPU and memory than RSA key exchange, which has no forward secrecy: the client encrypts the pre-master secret with the server's long-term public key and the server decrypts it with its private key, so one long-term key protects every session. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)
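What the extra cost buys, as an added toy example that is not part of the original page or Palo Alto Networks code and is not real TLS: it uses the 127-bit Mersenne prime as a toy modulus (far too small for real use) and plain modular exponentiation in place of elliptic curves, so the arithmetic is Diffie-Hellman in miniature. It compares a server that reuses one Diffie-Hellman key for every session with one that generates a fresh key per session, then lets a later key compromise replay captured handshakes.

```python
"""Why the firewall pays the ECDHE/DHE price: ephemeral key exchange gives
forward secrecy, which a long-term key used for every session does not.

Added toy example, not Palo Alto Networks code and not real TLS: a 127-bit
Mersenne prime stands in for a real 2048-bit+ group or an elliptic curve.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

P = 2**127 - 1   # toy prime modulus (constructed); real DHE uses 2048-bit+ groups
G = 3            # toy generator


def keygen() -> Tuple[int, int]:
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1          # 1 .. P-2
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> str:
    """Derive the session key from the shared secret peer_pub^priv mod P."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


@dataclass(frozen=True)
class Transcript:
    """What a passive eavesdropper sees on the wire, plus the key the endpoints
    actually derived, kept only so the recovery check can be verified."""
    client_pub: int
    server_pub: int
    key: str


def run_session(server_priv: Optional[int]) -> Tuple[Transcript, int]:
    """One handshake. server_priv=None means ephemeral: a fresh server key."""
    c_priv, c_pub = keygen()
    if server_priv is None:
        s_priv, s_pub = keygen()
    else:
        s_priv, s_pub = server_priv, pow(G, server_priv, P)
    k_client = session_key(c_priv, s_pub)
    k_server = session_key(s_priv, c_pub)
    assert k_client == k_server                  # both sides agree on the key
    return Transcript(c_pub, s_pub, k_client), s_priv


def recover(leaked_priv: int, transcripts: List[Transcript]) -> int:
    """Count captured sessions an attacker can decrypt once a server private key leaks."""
    leaked_pub = pow(G, leaked_priv, P)
    hits = 0
    for t in transcripts:
        if t.server_pub == leaked_pub and session_key(leaked_priv, t.client_pub) == t.key:
            hits += 1
    return hits


def compare(sessions: int = 5) -> Tuple[int, int]:
    """(sessions recovered after the static key leaks,
        sessions recovered after one ephemeral key leaks)."""
    static_priv, _ = keygen()
    static_runs = [run_session(static_priv) for _ in range(sessions)]
    static_hits = recover(static_priv, [t for t, _ in static_runs])

    eph_runs = [run_session(None) for _ in range(sessions)]
    leaked_eph_priv = eph_runs[0][1]            # one session's ephemeral server key leaks
    eph_hits = recover(leaked_eph_priv, [t for t, _ in eph_runs])
    return static_hits, eph_hits


if __name__ == "__main__":
    s, e = compare()
    print(f"static key leaked: {s}/5 past sessions recovered; ephemeral key leaked: {e}/5")
```

The per-session `keygen` plus `session_key` on the server side is the cost the question is about: two modular exponentiations for every handshake instead of one reusable key, and a decrypting firewall performs them for both halves of every proxied session.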
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.
What does Advanced WildFire do when the link is clicked?
Answer : B
Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.
The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.
Step-by-Step Explanation
Link Clicked and File Download Triggered:
When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.
URL Inspection by WildFire:
The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:
Known malicious indicators.
Suspicious elements like embedded scripts, links, or calls to external resources.
Forwarding the PE File for Analysis:
The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.
Dynamic and Static Analysis:
Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:
Suspicious code patterns.
Known malicious signatures.
Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).
Dynamic Analysis: The file is executed in a controlled virtual environment to observe:
Behavioral anomalies, like privilege escalation attempts.
Network communication, such as connections to Command and Control (C2) servers.
File system modifications or registry changes indicative of malicious intent.
Threat Verdict:
Based on its findings, WildFire classifies the URL and PE file into one of the following categories:
Benign.
Grayware.
Malware.
Phishing.
Automated Response:
If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:
Blocking access to the webpage.
Quarantining or blocking the downloaded file.
Generating a detailed alert or log entry for administrators.
Signature Update:
WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.
Advanced WildFire Configuration and Behavior
Forwarding File Types:
The WildFire analysis profile must be configured to forward relevant file types. In this case:
PE files are commonly forwarded by default since they are a known vector for malware.
Administrators can define custom forwarding rules based on file type and traffic.
Integration with the Security Profile:
WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).
URL Filtering ensures that the link itself is categorized and blocked if malicious.
WildFire's output informs and updates the threat prevention database dynamically.
Why the answer is B
WildFire performs dual analysis:
The linked webpage is checked for malicious scripts or phishing attempts.
The PE file downloaded is analyzed for malware through both static and dynamic methods.
This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.
Document Reference:
PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.
Palo Alto Networks WildFire Admin Guide:
This guide details file forwarding configurations, supported file types, and the global signature distribution process.
PAN-OS Admin Guide:
Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.
A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?
Answer : C
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
Which operation will impact the performance of the management plane?
Answer : B
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
Which tool can gather information about the application patterns when defining a signature for a custom application?
Answer : C
Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.
Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same Security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired Security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
Which three statements accurately describe Decryption Mirror? (Choose three.)
Answer : B, D, E
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.
Which new PAN-OS 11.0 feature supports IPv6 traffic?
Answer : A
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?
Answer : D
Panorama's device group hierarchy supports policy inheritance, but it does not support inheritance across groups with firewalls on different hypervisors (e.g., AWS and NSX-V) when managed by multiple plugins (Option D). AWS and NSX-V firewalls use distinct plugins (e.g., AWS Plugin, NSX Plugin), and Panorama restricts cross-hypervisor inheritance due to differing configurations and contexts, causing errors when pushing policies.
Option A (plugin versions) is unrelated to inheritance. Option B (object overrides) isn't a requirement for this issue. Option C (command) is fictional. Documentation confirms this limitation.
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.
What does Advanced WildFire do when the link is clicked?
Answer : B
Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.
The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.
Step-by-Step Explanation
1. Link clicked and file download triggered: when the user clicks the link, their action initiates the download of a file, in this case a Portable Executable (PE) file.
2. URL inspection by WildFire: the URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:
   - known malicious indicators;
   - suspicious elements such as embedded scripts, links, or calls to external resources.
3. Forwarding the PE file for analysis: the PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.
4. Dynamic and static analysis:
   - Static analysis: WildFire examines the PE file's attributes without executing it, looking for suspicious code patterns, known malicious signatures, and anomalous PE header details (e.g., timestamp irregularities, unexpected sections).
   - Dynamic analysis: the file is executed in a controlled virtual environment to observe behavioral anomalies such as privilege escalation attempts, network communication such as connections to command-and-control (C2) servers, and file system or registry changes indicative of malicious intent.
5. Threat verdict: based on its findings, WildFire classifies the URL and the PE file as benign, grayware, malware, or phishing.
6. Automated response: if either the webpage or the PE file is deemed malicious, the firewall takes predefined actions: blocking access to the webpage, quarantining or blocking the downloaded file, and generating a detailed alert or log entry for administrators.
7. Signature update: WildFire automatically creates a signature for the detected threat and distributes it globally, so that other systems in the WildFire network are protected against the same threat.
Advanced WildFire Configuration and Behavior
Forwarding file types: the WildFire analysis profile must be configured to forward the relevant file types. PE files are commonly forwarded by default since they are a known vector for malware, and administrators can define custom forwarding rules based on file type and traffic direction.
Integration with the Security Profile: WildFire works alongside the other security profiles (Antivirus, Anti-Spyware, URL Filtering). URL Filtering ensures that the link itself is categorized and blocked if malicious, and WildFire's output dynamically updates the threat prevention database.
Why the answer is B: WildFire performs dual analysis. The linked webpage is checked for malicious scripts or phishing attempts, and the downloaded PE file is analyzed for malware through both static and dynamic methods. This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.
Document Reference:
PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.
Palo Alto Networks WildFire Admin Guide:
This guide details file forwarding configurations, supported file types, and the global signature distribution process.
PAN-OS Admin Guide:
Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220S after the migration
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control how quickly the pair detects a peer failure and fails over. The Recommended profile (Option D) is the default and provides balanced timers suitable for typical deployments, ensuring reliable failover without excessive sensitivity to transient link or heartbeat loss.
Option A (Critical profile) describes timers tuned for latency-critical environments, not typical ones. Option B (Moderate) isn't a predefined profile; the selectable settings are Recommended, Aggressive, and Advanced (custom values). Option C (Aggressive) uses faster timers than Recommended, not slower ones. Documentation specifies 'Recommended' for standard use.
Which three items must be configured to implement application override? (Choose three.)
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
Answer : B
Which operation will impact the performance of the management plane?
Answer : B
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG whose match condition is a 'malicious' tag, a Log Forwarding profile whose match list filters the threat log (for example on severity) and applies that tag to the source user, and a Security policy rule that blocks the tagged group. This leverages User-ID and is ideal for user-based rather than IP-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
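The pipeline above (threat log match, user tagging, Dynamic User Group membership, policy) can be walked through offline. The following is an added example, not code from the page or from Palo Alto Networks: the threat-log entries are constructed, the severity filter stands in for the Log Forwarding profile's match list, and the XML it builds follows the uid-message register-user shape that the PAN-OS User-ID XML API accepts for user tagging (the endpoint, API key and HTTP post are assumed and are not shown).

```python
import xml.etree.ElementTree as ET

# Constructed sample threat-log entries (not from a real firewall); only the
# fields the tagging decision needs are included.
THREAT_LOG = [
    {"src_user": "corp\\alice", "src_ip": "10.1.1.15", "severity": "critical", "action": "alert"},
    {"src_user": "corp\\bob",   "src_ip": "10.1.1.22", "severity": "low",      "action": "alert"},
    {"src_user": "",            "src_ip": "10.1.1.30", "severity": "high",     "action": "alert"},
]

# Hypothetical Log Forwarding profile match criteria. On the firewall this is written
# in the log filter syntax, e.g. (severity geq high); here it is a plain set.
TAG_SEVERITIES = {"high", "critical"}
TAG_NAME = "malicious"


def users_to_tag(entries):
    """Return the distinct users whose threat-log entries match the filter.
    Entries with no src_user cannot be tagged as users (only their IP could be)."""
    users = []
    for e in entries:
        if e["severity"] in TAG_SEVERITIES and e["src_user"] and e["src_user"] not in users:
            users.append(e["src_user"])
    return users


def build_register_user_payload(users, tag):
    """Build the uid-message XML used for user tagging
    (uid-message/payload/register-user/entry[@user]/tag/member)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    reg = ET.SubElement(payload, "register-user")
    for u in users:
        entry = ET.SubElement(reg, "entry", user=u)
        tags = ET.SubElement(entry, "tag")
        ET.SubElement(tags, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def dynamic_user_group_members(user_tags, match_tag):
    """Evaluate a Dynamic User Group whose match condition is a single tag.
    user_tags maps user -> set of tags currently registered on the firewall."""
    return sorted(u for u, tags in user_tags.items() if match_tag in tags)


def quarantine_flow(entries, existing_tags=None):
    """End to end: filter the log, register the tag, recompute DUG membership.
    Returns (xml_payload, dug_members)."""
    tags = {u: set(t) for u, t in (existing_tags or {}).items()}
    tagged = users_to_tag(entries)
    for u in tagged:
        tags.setdefault(u, set()).add(TAG_NAME)
    return build_register_user_payload(tagged, TAG_NAME), dynamic_user_group_members(tags, TAG_NAME)


if __name__ == "__main__":
    xml_payload, members = quarantine_flow(THREAT_LOG)
    print(xml_payload)
    print("DUG members:", members)
```

The third log entry shows why the DUG approach depends on User-ID: a threat with no mapped user yields nothing to tag, and only a dynamic address group keyed on the IP could act on it.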
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
Answer : B, C, E
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats.
Reference: Create the Data Center Best Practice Anti-Spyware Profile; Security Profile: Anti-Spyware; PCNSE Study Guide (page 57).
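An audit like the one the question describes can be scripted against the profile's configuration XML instead of clicking through the GUI. The following is an added example, not code from the page or from Palo Alto Networks: the profile XML is constructed to mirror the shape of a PAN-OS anti-spyware profile in the running configuration (profiles/spyware/entry/rules/entry with severity, action and packet-capture children), and the expected values encode the best-practice rule stated above.

```python
import xml.etree.ElementTree as ET

# Constructed anti-spyware profile XML shaped like the PAN-OS running config
# (profiles/spyware/...). Not exported from a real firewall.
PROFILE_XML = """
<spyware>
  <entry name="coworker-profile">
    <rules>
      <entry name="critical-rule"><severity><member>critical</member></severity><action><reset-both/></action><packet-capture>single-packet</packet-capture></entry>
      <entry name="high-rule"><severity><member>high</member></severity><action><reset-both/></action><packet-capture>disable</packet-capture></entry>
      <entry name="medium-rule"><severity><member>medium</member></severity><action><reset-both/></action><packet-capture>single-packet</packet-capture></entry>
      <entry name="low-rule"><severity><member>low</member></severity><action><default/></action><packet-capture>single-packet</packet-capture></entry>
      <entry name="info-rule"><severity><member>informational</member></severity><action><default/></action><packet-capture>disable</packet-capture></entry>
    </rules>
  </entry>
</spyware>
"""

# Best-practice expectation from the referenced data-center guide: single-packet
# capture on medium/high/critical, no capture on low/informational.
EXPECTED_PCAP = {
    "critical": "single-packet",
    "high": "single-packet",
    "medium": "single-packet",
    "low": "disable",
    "informational": "disable",
}


def audit_pcap(profile_xml):
    """Return (profile, rule, severity, found, expected) for every rule whose
    packet-capture setting deviates from the best practice."""
    root = ET.fromstring(profile_xml.strip())
    findings = []
    for prof in root.findall("entry"):
        for rule in prof.findall("rules/entry"):
            # A missing element means capture was never enabled for that rule.
            pcap = rule.findtext("packet-capture", default="disable")
            for sev in rule.findall("severity/member"):
                expected = EXPECTED_PCAP.get(sev.text)
                if expected is None:  # "any" or an unknown value: cannot audit per severity
                    continue
                if pcap != expected:
                    findings.append((prof.get("name"), rule.get("name"), sev.text, pcap, expected))
    return findings


if __name__ == "__main__":
    for prof, rule, sev, found, expected in audit_pcap(PROFILE_XML):
        print(f"{prof}/{rule}: severity {sev} has packet-capture={found}, expected {expected}")
```

Two deviations are reported for the constructed profile: the high-severity rule has capture disabled, and the low-severity rule captures when it should not. A rule whose severity is "any" is skipped because its single packet-capture setting cannot satisfy both halves of the guidance.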
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?
Answer : C
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
Answer : C
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infra-structure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud (global (U.S.), regional, and private) analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)
Answer : B, D
Palo Alto firewalls can gather User-ID mappings from proxies via Syslog (Option B), parsing log messages with user-IP data, and XFF Headers (Option D), extracting user info from HTTP headers (X-Forwarded-For) if the proxy supports it.
Option A (Client Probing) queries clients, not proxies. Option C (Server Monitoring) targets servers like AD, not proxies. Documentation lists these methods for proxy integration.
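Both proxy methods come down to extracting a client IP and a username from data the proxy emits. The following is an added example, not code from the page or from Palo Alto Networks: the syslog lines and HTTP headers are constructed, and the regular expression stands in for a Syslog Parse Profile written for that one log format (a real proxy's format, and therefore the regex, will differ). The XFF half shows why the firewall must map the leftmost X-Forwarded-For address rather than the proxy's own address.

```python
import re
import ipaddress

# Constructed sample proxy syslog lines (not real traffic).
SYSLOG_LINES = [
    "<134>Mar 10 10:15:01 proxy1 squid: 10.20.30.40 TCP_MISS/200 1234 GET http://example.com/ user=jsmith",
    "<134>Mar 10 10:15:03 proxy1 squid: 10.20.30.41 TCP_MISS/200 2048 GET http://example.net/ user=-",
    "<134>Mar 10 10:15:05 proxy1 squid: 10.20.30.42 TCP_DENIED/403 0 GET http://bad.example/ user=corp\\akim",
]

# Hypothetical regex parse profile for the format above: capture client IP and user.
# "-" means the proxy had no authenticated user, so no mapping may be created.
PARSE_PROFILE = re.compile(
    r"^<\d+>\S+ \d+ [\d:]+ \S+ squid: (?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \d+ \S+ \S+ user=(?P<user>\S+)"
)


def mappings_from_syslog(lines, profile=PARSE_PROFILE):
    """Return {ip: user} for lines that match the parse profile and carry a real user."""
    out = {}
    for line in lines:
        m = profile.match(line)
        if not m or m.group("user") == "-":
            continue
        out[m.group("ip")] = m.group("user")
    return out


# Constructed HTTP request headers as the firewall would see them behind the proxy.
HTTP_HEADERS = [
    {"X-Forwarded-For": "10.20.30.40", "Host": "example.com"},
    {"X-Forwarded-For": "10.20.30.99, 192.0.2.10", "Host": "example.org"},
    {"Host": "example.edu"},
]


def client_ip_from_xff(headers):
    """The leftmost XFF address is the original client as recorded by the first proxy.
    Returns None when the header is absent or not a valid IP address."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def resolve_user(headers, ip_user_map):
    """Look up the User-ID mapping by the XFF client IP, not the proxy's IP."""
    ip = client_ip_from_xff(headers)
    return ip_user_map.get(ip) if ip else None


if __name__ == "__main__":
    table = mappings_from_syslog(SYSLOG_LINES)
    print("mappings:", table)
    for h in HTTP_HEADERS:
        print(h.get("Host"), "->", resolve_user(h, table))
```

The second syslog line produces no mapping because the proxy recorded no user, and the third header set resolves to nothing because there is no XFF header at all; both are the cases a practitioner checks first when "unknown" users appear in the traffic log.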
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Answer : A
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
Answer : A, D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?
Answer : D
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html
GlobalProtect provides secure remote access to corporate networks. When a user connects, the portal and gateway authenticate the user through the configured authentication profile (LDAP, RADIUS, SAML, and so on) and the gateway assigns the client an IP address, so every IP address-to-user mapping is explicitly known and tied to a successful authentication rather than inferred from monitoring or probing.
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
Answer : C
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
Answer : B, D
The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:
B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.
D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C: PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.
Reference: Policy-Based Forwarding; Packet Flow Sequence in PAN-OS.
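The practical consequence of this order is that a PBF rule can change the egress interface, and with it the destination zone, before the Security policy is consulted, so the same packet can match a different rule depending on whether PBF fired. The following is an added example, not code from the page or from Palo Alto Networks; the PBF rules, static routes, zone assignments and Security rules are constructed, and the model deliberately ignores NAT, App-ID and session state to show only the three stages named above.

```python
import ipaddress

# Constructed tables (not from a real firewall).
PBF_RULES = [  # evaluated top-down, first match wins; forwards out the named interface
    {"name": "guest-via-isp2", "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "egress": "ethernet1/3"},
]
STATIC_ROUTES = [  # longest prefix match, regardless of order
    {"prefix": "0.0.0.0/0",      "egress": "ethernet1/1"},
    {"prefix": "203.0.113.0/24", "egress": "ethernet1/2"},
]
IFACE_ZONE = {"ethernet1/1": "untrust-isp1", "ethernet1/2": "untrust-isp2", "ethernet1/3": "untrust-isp2"}
SECURITY_RULES = [  # top-down; destination zone comes from the chosen egress interface
    {"name": "allow-web", "from": "trust", "to": "untrust-isp1", "action": "allow"},
    {"name": "deny-all",  "from": "any",   "to": "any",          "action": "deny"},
]


def pbf_lookup(src, dst):
    """Stage 1: first PBF rule whose source and destination prefixes match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in PBF_RULES:
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            return r["egress"]
    return None


def static_route_lookup(dst):
    """Stage 2: longest-prefix match over the static routes."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in STATIC_ROUTES:
        net = ipaddress.ip_network(r["prefix"])
        if d in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r["egress"])
    return best[1] if best else None


def security_lookup(src_zone, dst_zone):
    """Stage 3: first Security rule matching the zone pair; implicit deny otherwise."""
    for r in SECURITY_RULES:
        if r["from"] in ("any", src_zone) and r["to"] in ("any", dst_zone):
            return r["name"], r["action"]
    return None, "deny"


def forward(src, dst, src_zone="trust"):
    """Apply the stages in order: PBF, then static route, then Security policy."""
    egress, stage = pbf_lookup(src, dst), "pbf"
    if egress is None:
        egress, stage = static_route_lookup(dst), "static-route"
    if egress is None:
        return {"stage": stage, "egress": None, "zone": None, "rule": None, "action": "drop"}
    dst_zone = IFACE_ZONE[egress]
    rule, action = security_lookup(src_zone, dst_zone)
    return {"stage": stage, "egress": egress, "zone": dst_zone, "rule": rule, "action": action}


if __name__ == "__main__":
    for src, dst in [("10.10.5.5", "198.51.100.7"), ("10.20.5.5", "198.51.100.7"), ("10.20.5.5", "203.0.113.9")]:
        print(src, "->", dst, forward(src, dst))
```

The first flow is steered by PBF to ethernet1/3 (zone untrust-isp2) and hits deny-all, while the same destination from a non-PBF source follows the default route to untrust-isp1 and is allowed; that is exactly the kind of "the rule looks right but traffic is dropped" case the packet-flow order explains.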
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A company wants to add threat prevention to the network without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : A, D
A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing [1].
A: Virtual Wire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment [2]. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it out the other interface of the pair [2].
D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses [3]. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table [3].
Verified Reference:
[1] https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html
[3] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
Answer : A, D
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
Answer : D
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
Answer : B
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
Which active-passive HA firewall state describes the firewall that is currently processing traffic?
Answer : C
Which Panorama feature protects logs against data loss if a Panorama server fails?
Answer : B
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group
'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
Answer : B
The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.
Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.
Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)
Answer : B, C
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be used for approved web traffic?
Answer : B
What is the best description of the Cluster Synchronization Timeout (min)?
Answer : A
The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability.
The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive and have synchronized their sessions with each other. If another cluster member is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, it may prevent the cluster from fully synchronizing and cause a delay in traffic processing.
The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier.
Reference: Configure HA Clustering; PCNSE Study Guide (page 53).
Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
Answer : D
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
Why would a traffic log list an application as "not-applicable''?
Answer : A
A traffic log lists an application as ''not-applicable'' when the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, or service. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a ''not-applicable'' entry in the application field of the traffic log.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configured. Which interface mode can forward the broadcast DHCP traffic?
Answer : B
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
Answer : A
Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)
Answer : A, D
Which feature can provide NGFWs with User-ID mapping information?
Answer : C
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.
Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
Answer : A, B, C
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
Answer : B
When a setting pushed from a Panorama template has been overridden locally on a firewall, the administrator can push the template stack again with the 'Force Template Values' option. This replaces every locally overridden value with the value defined in the Panorama template, so the Panorama-defined configuration (e.g., the interface settings) takes effect again. Note that the option restores the values but does not lock them: a local administrator with configuration rights could override the setting again, so it is normally paired with admin roles that do not grant local configuration access.
Option A (device-group commit push) applies to policies and objects, not to network and device settings, which live in templates. Option C (commit force from the firewall CLI) commits the local configuration and does not restore the template value. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
Answer : A, D
A customer would like to support Apple Bonjour in their environment for ease of configuration.
Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?
Answer : C
Based on the image, what caused the commit warning?
Answer : D
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
Answer : A, B
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can provide a solution?
Answer : B
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Answer : B
To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.
Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
Answer : B, D
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
As a best practice, logging at session start should be used in which case?
Answer : A
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.
When firewall-01 is rebooted, is there any action taken by the firewalls?
Answer : C
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
Answer : D
The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods. Reference: DoS Protection, PCNSE Study Guide (page 58)
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Answer : B
An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.
Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
Which source is the most reliable for collecting User-ID user mapping?
Answer : D
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
Answer : C
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
Answer : A
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
How does Panorama prompt VMWare NSX to quarantine an infected VM?
Answer : A
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
Answer : D
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.
How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?
Answer : A
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
Answer : C
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.
Which set of actions should the engineer take to achieve this goal?
Answer : C
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.
What must occur to have Antivirus signatures update?
Answer : D
In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)
Answer : A, B
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.
However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
Which rule type controls end user SSL traffic to external websites?
Answer : B
The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.
This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Which three sessions are created by a NGFW for web proxy? (Choose three.)
Answer : A, B, C
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
Answer : A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.
What does Advanced WildFire do when the link is clicked?
Answer : B
Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.
The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.
Step-by-Step Explanation
Link Clicked and File Download Triggered:
When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.
URL Inspection by WildFire:
The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:
Known malicious indicators.
Suspicious elements like embedded scripts, links, or calls to external resources.
Forwarding the PE File for Analysis:
The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.
Dynamic and Static Analysis:
Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:
Suspicious code patterns.
Known malicious signatures.
Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).
Dynamic Analysis: The file is executed in a controlled virtual environment to observe:
Behavioral anomalies, like privilege escalation attempts.
Network communication, such as connections to Command and Control (C2) servers.
File system modifications or registry changes indicative of malicious intent.
Threat Verdict:
Based on its findings, WildFire classifies the URL and PE file into one of the following categories:
Benign.
Grayware.
Malware.
Phishing.
Automated Response:
If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:
Blocking access to the webpage.
Quarantining or blocking the downloaded file.
Generating a detailed alert or log entry for administrators.
Signature Update:
WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.
Advanced WildFire Configuration and Behavior
Forwarding File Types:
The WildFire analysis profile must be configured to forward relevant file types. In this case:
PE files are commonly forwarded by default since they are a known vector for malware.
Administrators can define custom forwarding rules based on file type and traffic.
Integration with the Security Profile:
WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).
URL Filtering ensures that the link itself is categorized and blocked if malicious.
WildFire's output informs and updates the threat prevention database dynamically.
Why the Answer Is B
WildFire performs dual analysis:
The linked webpage is checked for malicious scripts or phishing attempts.
The PE file downloaded is analyzed for malware through both static and dynamic methods.
This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.
Document Reference:
PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.
Palo Alto Networks WildFire Admin Guide:
This guide details file forwarding configurations, supported file types, and the global signature distribution process.
PAN-OS Admin Guide:
Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
Answer : C
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals
A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?
Answer : D
Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) ensures future-proofing. Container apps (e.g., 'web-browsing') include child apps (e.g., specific web services) as signatures evolve, maintaining rule accuracy without over-matching unrelated traffic.
Option A (custom app with ports) reverts to port-based logic, losing App-ID benefits. Option B (application filter) risks overbroad matching (e.g., by category). Option C (specific apps) lacks flexibility for new child apps. Documentation supports container apps for this purpose.
A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)
Answer : C, D, E
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows
Answer : A
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
Answer : C
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
When an engineer configures an active/active high availability pair, which two links can they use? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha
These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:
HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.
HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.
Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
Answer : B
Every static route on a PAN-OS virtual router carries its own Admin Distance (10 to 240, default 10) and Metric (default 10) setting. When two static routes exist for the same destination, the route with the lowest administrative distance wins and is the one installed in the forwarding table; the metric is consulted only if the administrative distances are equal. Administrative distance expresses how trusted a route source is, with lower values preferred, so the unexpected route in this scenario has either a lower AD than the intended path or, with equal AD, a lower metric.
The order in which the routes were configured has no effect on selection. Bidirectional Forwarding Detection (BFD) is a failure-detection protocol that lets the virtual router withdraw a route quickly when the next hop stops answering; it does not rank routes. The route with the highest administrative distance is the least preferred one, the opposite of the correct behavior. This matches standard routing behavior and Palo Alto Networks' implementation.
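The selection described above, worked through in code. This is an added example written for this page, not firewall code or output: it models a virtual router's choice between overlapping static routes (longest prefix first, then lowest administrative distance, then lowest metric) and reports ties, which the page does not cover. The route table, next hops and prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One static route as a virtual router would hold it."""
    prefix: str
    next_hop: str
    admin_distance: int = 10  # PAN-OS default administrative distance for a static route
    metric: int = 10          # PAN-OS default metric for a static route


def _rank(route):
    """Lower tuple wins: longest prefix, then lowest AD, then lowest metric."""
    return (-ipaddress.ip_network(route.prefix).prefixlen,
            route.admin_distance,
            route.metric)


def matching_routes(routes, destination):
    """All routes whose prefix covers `destination`."""
    dst = ipaddress.ip_address(destination)
    return [r for r in routes if dst in ipaddress.ip_network(r.prefix)]


def select_route(routes, destination):
    """The route that would be installed for `destination`, or None if no prefix matches."""
    candidates = matching_routes(routes, destination)
    if not candidates:
        return None
    return min(candidates, key=_rank)


def tied_routes(routes, destination):
    """Routes that tie with the winner on prefix length, AD and metric.
    More than one entry means the outcome depends on ECMP settings, which this
    model does not cover; an administrator should not leave such a tie in place."""
    candidates = matching_routes(routes, destination)
    if not candidates:
        return []
    best = _rank(min(candidates, key=_rank))
    return [r for r in candidates if _rank(r) == best]


# Constructed route table (not from the page): two static routes for the same /16,
# where the backup path was accidentally given a better (lower) metric.
ROUTES = [
    StaticRoute("10.50.0.0/16", "192.0.2.1", metric=10),     # intended primary path
    StaticRoute("10.50.0.0/16", "192.0.2.2", metric=5),      # backup path; lower metric wins
    StaticRoute("10.50.7.0/24", "198.51.100.1", metric=10),  # more specific route for one subnet
]

if __name__ == "__main__":
    for dst in ("10.50.1.1", "10.50.7.9"):
        chosen = select_route(ROUTES, dst)
        print(f"{dst} -> {chosen.next_hop} (AD {chosen.admin_distance}, metric {chosen.metric})")
```

Running it shows 10.50.1.1 leaving via 192.0.2.2 because of the metric, while 10.50.7.9 takes the /24 regardless of metric; giving the intended /16 route a lower AD than its twin would override the metric, which is the check to make when a route "isn't taking the expected path".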
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?
Answer : A
A. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
To select Active Directory users and groups while building a Security rule in Panorama, Panorama needs a list of the users and groups that exist in the directory. Panorama does not query Active Directory itself. Instead, one firewall in the device group is designated the master device, and Panorama reads the group-mapping information (the user and group names that firewall learned through its LDAP-based Group Mapping configuration) from that firewall, which is why the master device must have Group Mapping configured. The finished rule is pushed to every firewall in the device group, and each of those firewalls still needs its own Group Mapping and user-to-IP mapping (User-ID) in order to enforce it.
User-ID redistribution shares IP-to-user mappings (and tags) between firewalls or through Panorama; it does not supply the list of groups needed to author a rule. A User-ID certificate profile secures the connections to User-ID agents and redistribution peers and is unrelated to selecting groups. Palo Alto Networks documentation states that a master device with Group Mapping configured is what enables user and group selection in device-group rules.
Refer to the exhibit.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
Answer : B
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.
Where can the firewall engineer define the data to be added into each forwarded log?
Answer : A
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats are configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format
Step-by-Step
Understanding Log Forwarding in PAN-OS:
Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.
Traffic logs can be customized to include additional information that meets the audit or operational requirements.
Syslog Server Profiles:
Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.
These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).
Custom Log Format:
Navigate to Device > Server Profiles > Syslog.
Within the Syslog Server Profile, define a Custom Log Format for traffic logs.
Using this feature, the engineer can include additional fields requested by the internal audit team, such as the source user, the URL category, or the bytes and packets transferred.
Field Specification:
In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.
Example:
$receive_time,$src,$dst,$app,$action,$rule
The engineer can include specific details as requested by the audit team.
Comparison of Other Options:
Option B: Built-in Actions within Objects > Log Forwarding Profile
Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.
Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.
Option C: Logging and Reporting Settings within Device > Setup > Management
These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.
Option D: Data Patterns within Objects > Custom Objects
Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.
Why A is Correct?
The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.
This flexibility allows the firewall engineer to meet specific compliance or audit requirements.
Documentation Reference:
PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.
PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
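What the audit team does with the forwarded logs depends on the template emitting every field they need, and on the collector parsing the body in the same field order. The following is an added example for this page, not Palo Alto Networks code: it turns a Custom Log Format string into its ordered field list, reports fields a (hypothetical) audit requirement needs that the template omits, and parses forwarded lines into records for a per-rule summary. The syslog header layout it strips, the required-field set and the sample lines are all constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Custom Log Format string exactly as it would be typed into the Syslog Server Profile.
TEMPLATE = "$receive_time,$src,$dst,$app,$action,$rule"

# Fields the (hypothetical) audit team asked for; "srcuser" is deliberately not in TEMPLATE.
AUDIT_REQUIRED = {"receive_time", "src", "dst", "app", "action", "rule", "srcuser"}

FIELD_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def template_fields(template):
    """Field names in the order the firewall will emit them."""
    return FIELD_RE.findall(template)


def missing_fields(template, required):
    """Required fields the template does not emit. A non-empty result means the
    Syslog Server Profile must be edited before the audit feed is complete."""
    return sorted(set(required) - set(template_fields(template)))


def strip_syslog_header(line):
    """Assumption: the collector stores RFC 3164 style lines, i.e.
    '<PRI>Mon dd hh:mm:ss host ' followed by the custom-format body."""
    m = re.match(r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(.*)$", line)
    return m.group(1) if m else line


def parse_line(template, line):
    """Map one forwarded line onto the template's fields. Raises ValueError when
    the field count does not match, which usually means the profile and the
    parser disagree about the template."""
    fields = template_fields(template)
    body = strip_syslog_header(line)
    values = next(csv.reader(io.StringIO(body)))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {body!r}")
    return dict(zip(fields, values))


def actions_per_rule(template, lines):
    """Counter of (rule, action) pairs, the kind of summary an audit request asks for."""
    counts = Counter()
    for line in lines:
        rec = parse_line(template, line)
        counts[(rec["rule"], rec["action"])] += 1
    return counts


# Constructed syslog lines (not captured from a real firewall).
SAMPLE_LINES = [
    "<14>Mar 10 12:00:01 fw-edge 2024/03/10 12:00:01,10.1.1.5,203.0.113.10,web-browsing,allow,Allow-Web",
    "<14>Mar 10 12:00:02 fw-edge 2024/03/10 12:00:02,10.1.1.6,203.0.113.44,ssl,allow,Allow-Web",
    "<14>Mar 10 12:00:03 fw-edge 2024/03/10 12:00:03,10.1.1.7,198.51.100.9,ssh,deny,Deny-Outbound-SSH",
]

if __name__ == "__main__":
    print("fields emitted:", template_fields(TEMPLATE))
    print("missing for audit:", missing_fields(TEMPLATE, AUDIT_REQUIRED))
    for (rule, action), n in sorted(actions_per_rule(TEMPLATE, SAMPLE_LINES).items()):
        print(f"{rule:20} {action:6} {n}")
```

Keeping the template string in version control next to the parser is the practical point: if someone later edits the Custom Log Format on the firewall without updating the collector, `parse_line` fails loudly on the field count instead of silently shifting every column.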
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
Answer : C
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
Which protocol is supported by GlobalProtect Clientless VPN?
Answer : D
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
Answer : A
The Traffic log view in the Monitor tab of the firewall GUI shows which NAT policy a flow matched, provided the NAT-related columns are added to the view (or the detailed log view of a single entry is opened). The Source NAT columns show the translated source IP address and port, and the Destination NAT columns show the translated destination IP address and port, alongside the original pre-NAT addresses. Comparing the pre-NAT and post-NAT addresses and ports against the NAT rulebase tells the administrator which NAT rule was applied to the traffic flow; the detailed log view also lists the NAT rule name directly.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
Answer : B
The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option overwrites any locally overridden configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
Answer : B, C
For the Threat log type, create a Log Forwarding profile (Objects > Log Forwarding) to define how the firewall or Panorama should handle the matching logs. Configure an HTTP Server profile (Device > Server Profiles > HTTP) that forwards the log to the remote User-ID agent. In the Log Forwarding profile's built-in action, select that HTTP Server profile as the target for the tag registration. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)
Answer : A, B, C
User-ID is a feature that allows the firewall to identify and classify users and groups on the network by mapping IP addresses to usernames and usernames to groups. User-ID information can be collected from various sources, such as:
A: Windows User-ID agent: A software agent that runs on a Windows server and collects user logon information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the resulting user-to-IP mappings to the firewall or Panorama.
B: GlobalProtect: The GlobalProtect app runs on the endpoints and provides secure VPN access to the network. Because every GlobalProtect user authenticates to the gateway, the gateway firewall learns the username and the assigned IP address directly and uses that as a user mapping.
C: XML API: An application programming interface that allows external systems or scripts to send user-to-IP mappings to the firewall or Panorama in XML format. The XML API can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
Answer : C
The PAN-OS integrated User-ID agent runs on the firewall's management plane, so the work of polling domain controllers for security logs (and probing hosts, if enabled) consumes firewall management CPU and memory. The standalone Windows-based User-ID agent performs that collection on a separate Windows server that is a member of the domain and sends only the resulting user-to-IP mappings to the firewall (Option C), which keeps the firewall's management-plane load low and allows one agent to serve many firewalls. The claim that the integrated agent uses fewer resources on the firewall is therefore false.
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
Answer : D
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
What should an engineer consider when setting up the DNS proxy for web proxy?
Answer : A
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
Answer : A
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
Answer : C
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is to choose algorithms that require less computational work for a comparable level of security.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) keys are much shorter than RSA keys of equivalent strength (a 256-bit ECDSA key is comparable to a 3072-bit RSA key). When the firewall acts as an SSL Forward Proxy it signs a new impersonation certificate and completes a TLS handshake with the client for every decrypted session, and those signature operations are considerably cheaper with ECDSA than with RSA.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator reduces the per-session processing load associated with decryption on the firewall, which is particularly beneficial when resources are tight.
This approach does not weaken the security of the encrypted traffic: ECDSA at a comparable strength is as secure as RSA, and Palo Alto Networks' decryption best practices recommend ECDSA certificates for Forward Trust for exactly this performance reason. The trade-off is compatibility, since a small number of legacy clients cannot validate ECDSA certificates, which is why the option restricts it to traffic that is not high-priority.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,
public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
A WildFire log entry with a 'malicious' verdict and the action 'allow' means the file was forwarded to WildFire for analysis and allowed through at the same time, because no signature existed yet; the verdict that came back minutes later does not retroactively block anything. Blocking "the following day" is the signature of a firewall that only receives WildFire-generated signatures bundled into the daily Antivirus content update. For new threats to be blocked within minutes, two things must hold: the firewall must download WildFire signatures on the WildFire dynamic update schedule (Device > Dynamic Updates > WildFire, set to real-time or every minute rather than relying on the Antivirus package), and the Antivirus security profile (Option B) must set the WildFire Signature action to drop or reset-both so that the newly downloaded signature is actually enforced on traffic. With both in place, a file first seen on the network is blocked as soon as WildFire returns its verdict, typically within 5 to 15 minutes.
Option A (WildFire Analysis profile) defines which files are sent to WildFire but has no blocking action. Option C (File Blocking profile) acts on file types, not on threat verdicts. Option D (file size limits) only affects which files are eligible for submission. The Antivirus profile is where WildFire verdicts become enforcement, as per Palo Alto Networks documentation.
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs of the firewall web interface, such as the login banner, the SSL Decryption Exclusion list, and the dynamic update schedule. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy, with settings in a higher-priority template overriding the same settings in templates below it. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
An engineer reviews high availability (HA) settings to understand a recent HA failover event Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Panorama Administrator's Guide, Manage Device Groups > Add a Device Group: after adding firewalls (see Add a Firewall as a Managed Device), you can group them into device groups (up to 256). Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama pushes the same policy rules and objects to both firewalls. PAN-OS does not synchronize pushed rules across HA peers, so Panorama must push the configuration to each peer individually. To manage rules and objects at different administrative levels in your organization, create a device group hierarchy.
What are three prerequisites for credential phishing prevention to function? (Choose three.)
Answer : A, D, E
Which rule type controls end user SSL traffic to external websites?
Answer : B
The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.
This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.
An administrator plans to install the Windows User-ID agent on a domain member system.
What is a best practice for choosing where to install the User-ID agent?
Answer : C
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)
Answer : A, B, C
Which new PAN-OS 11.0 feature supports IPv6 traffic?
Answer : A
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
As a best practice, which URL category should you target first for SSL decryption?
Answer : B
Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.
Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
Answer : A
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
Answer : B
Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.
The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
Answer : B, D
The two key exchange algorithms that consume the most resources when decrypting SSL/TLS traffic are ECDHE and DHE. Both are ephemeral Diffie-Hellman exchanges that provide perfect forward secrecy (PFS): a fresh, unique session key is negotiated for every session and never reused, so compromising a long-term private key does not expose previously recorded sessions. That property is also the source of the cost. The firewall acts as a man-in-the-middle and terminates two TLS sessions for every decrypted flow, so it must perform the ephemeral exchange twice per session instead of once. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) derives the session key on an elliptic curve and is noticeably cheaper than DHE (finite-field Diffie-Hellman Ephemeral), which relies on modular exponentiation with large primes, but both require more CPU and memory than the RSA key exchange, in which the client simply encrypts the pre-master secret with the server's RSA public key and no forward secrecy is provided. Note that TLS 1.3 removed the RSA key exchange entirely, so TLS 1.3 traffic always uses an ephemeral exchange. Reference: Key Exchange Algorithms; Best Practices for Enabling SSL Decryption; PCNSE Study Guide (page 60)
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?
Answer : B
When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.
Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.
Exhibit.
Review the screenshots and consider the following information
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Answer : A
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
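The inheritance walk described above, and the rule-evaluation order asked about in the DATACENTER_DG question earlier on this page, both come down to traversing the device-group tree. The following is an added example written for this page, not Panorama code: it resolves which value of an address object a firewall in a given device group receives (nearest definition walking up toward Shared) and lists the order in which Panorama-pushed rules are evaluated on that firewall (pre-rules from Shared down to the device group, local rules, post-rules from the device group back up to Shared, then the default rules). The parent relationships are inferred from the exhibit and are an assumption, as are the Server-1 values for DATACENTER_DG and DC_FW_DG; only 1.1.1.1 in Shared and 4.4.4.4 in FW-1_DG come from the question.

```python
# Parent of each device group; "Shared" is the root of every Panorama hierarchy.
# Assumed nesting (the exhibit's indentation is not preserved on this page).
PARENT = {
    "DATACENTER_DG": "Shared",
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": "Shared",
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "OFFICE_FW_DG",
}

# Address objects defined at each location. Shared and FW-1_DG values are from the
# question; the DATACENTER_DG and DC_FW_DG values are constructed for the example.
# REGIONAL_DG and OFFICE_FW_DG define no objects, as the question states.
ADDRESS_OBJECTS = {
    "Shared": {"Server-1": "1.1.1.1"},
    "DATACENTER_DG": {"Server-1": "2.2.2.2"},
    "DC_FW_DG": {"Server-1": "3.3.3.3"},
    "REGIONAL_DG": {},
    "OFFICE_FW_DG": {},
    "FW-1_DG": {"Server-1": "4.4.4.4"},
}


def ancestry(device_group, parent=PARENT):
    """Path from Shared down to device_group, e.g. ['Shared', 'REGIONAL_DG', 'OFFICE_FW_DG']."""
    path = [device_group]
    while path[-1] != "Shared":
        path.append(parent[path[-1]])
    return list(reversed(path))


def resolve_object(device_group, name, objects=ADDRESS_OBJECTS, parent=PARENT):
    """Value a firewall in device_group receives for object `name`: the nearest
    definition found walking from its own device group up toward Shared
    (a child definition overrides the ancestor's). Returns (location, value)."""
    for location in reversed(ancestry(device_group, parent)):
        if name in objects.get(location, {}):
            return location, objects[location][name]
    raise KeyError(f"{name} is not defined in {device_group} or any of its ancestors")


def rule_order(device_group, parent=PARENT):
    """Evaluation order of the rulebase on a firewall in device_group: pre-rules
    from Shared down to the device group, the firewall's locally defined rules,
    post-rules from the device group back up to Shared, then the default rules."""
    path = ancestry(device_group, parent)
    order = [f"{dg} pre-rules" for dg in path]
    order.append("local firewall rules")
    order += [f"{dg} post-rules" for dg in reversed(path)]
    order += ["intrazone-default", "interzone-default"]
    return order


if __name__ == "__main__":
    for fw, dg in (("FW-1", "FW-1_DG"), ("FW-2", "OFFICE_FW_DG")):
        location, value = resolve_object(dg, "Server-1")
        print(f"{fw} ({dg}): Server-1 = {value}, taken from {location}")
    print("\n".join(rule_order("DC_FW_DG")))
```

The first loop reproduces the answer above (FW-1 gets 4.4.4.4 from its own device group, FW-2 falls through two empty device groups to the Shared value); the rule order printed for DC_FW_DG is why a permissive Shared pre-rule cannot be undone by a deny placed in a child device group's pre-rules, only by one that precedes it.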
Which log type is supported in the Log Forwarding profile?
Answer : C
An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.
Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
Answer : A
An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.
Which installer package file should the administrator download from the support site?
Answer : A
An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.
What type of service route can be used for this configuration?
Answer : A
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
Answer : C, D
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?
Answer : B
The 'Received fatal alert UnknownCA from client' log means the client side of the session rejected the certificate the firewall generated for the decrypted session: the application does not trust the Forward Trust CA, typically because it pins its server certificate or uses its own trust store rather than the operating-system store that holds the firewall's CA. For a valid use case, adding the destination hostname to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion; Option B) makes the firewall pass that traffic through undecrypted, which restores the application immediately and is entirely within the firewall's control. Because excluded traffic is not inspected, the exclusion should be scoped to the specific hostnames involved and reviewed periodically.
Option A (certificate revocation checking) addresses a different failure, revoked or unverifiable server certificates. Option C (checking for expired certificates) is diagnostic, not a fix, and the alert is about trust, not expiry. Option D (contacting the site administrator) is external and slow, and the site is not the party rejecting the certificate. Palo Alto Networks documentation recommends decryption exclusions for applications that break when decrypted.
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path steps through each intervening feature (major) release rather than jumping directly to the target.
B. The upgrade path from PAN-OS 10.1 to 11.0.x is:
First, upgrade to the latest preferred maintenance release of the current feature release (10.1) so that all current fixes are applied before the feature-release jump.
Next, install the base image of the next feature release (PAN-OS 10.2.0), followed by the latest preferred maintenance release of PAN-OS 10.2. This ensures the firewall is on a stable, supported version before proceeding to the next feature release.
Finally, install the base image of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x maintenance release. This completes the upgrade and provides access to the new features, such as TLSv1.3 support for management access.
This sequential path is designed to ensure a smooth transition between feature releases, maintaining system stability and security. Before each step, confirm that the Panorama version is equal to or later than the target PAN-OS version, since Panorama cannot manage firewalls running a newer release than its own.
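The rules in the three steps above generalize to any pair of feature releases, and planning the sequence by hand is where mistakes creep in across many firewalls. The following is an added example written for this page, not a Palo Alto Networks tool: it encodes those rules as a planner that returns the ordered list of versions to install. The feature-release list and the "latest preferred maintenance release" table are placeholders invented for the example; the real values must be read from the support portal at upgrade time.

```python
import re

# Feature releases in order. Constructed for the example; not a complete PAN-OS history.
FEATURE_RELEASES = ["10.1", "10.2", "11.0", "11.1"]

# Placeholder latest preferred maintenance release per feature release. These
# version numbers are invented; look up the current ones before planning a real upgrade.
LATEST_PREFERRED = {"10.1": "10.1.14", "10.2": "10.2.11", "11.0": "11.0.5", "11.1": "11.1.3"}

VERSION_RE = re.compile(r"(\d+\.\d+)\.\d+(?:-h\d+)?")  # e.g. 10.2.3 or 10.2.3-h4


def feature_of(version):
    """Feature release a version belongs to: '10.2.3-h4' -> '10.2'."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version}")
    return m.group(1)


def upgrade_path(current, target, releases=FEATURE_RELEASES, preferred=LATEST_PREFERRED):
    """Ordered versions to install to move from `current` to `target`.
    Encoded rules: (1) first move to the latest preferred maintenance release of
    the current feature release; (2) for every intermediate feature release,
    install its base image and then its latest preferred maintenance release;
    (3) install the target feature release's base image, then the requested version."""
    cur_feat, tgt_feat = feature_of(current), feature_of(target)
    start, end = releases.index(cur_feat), releases.index(tgt_feat)
    if end < start:
        raise ValueError("downgrades are not covered by this planner")
    if start == end:
        # Same feature release: a maintenance upgrade needs no intermediate base images.
        return [target] if current != target else []
    path = []
    if current != preferred[cur_feat]:
        path.append(preferred[cur_feat])
    for feat in releases[start + 1:end]:
        path += [f"{feat}.0", preferred[feat]]
    path.append(f"{tgt_feat}.0")
    if target != f"{tgt_feat}.0":
        path.append(target)
    return path


if __name__ == "__main__":
    for step, version in enumerate(upgrade_path("10.1.6", "11.0.4"), 1):
        print(f"step {step}: install {version}")
```

For an HA pair the same list is applied to the passive peer first, then failed over and repeated on the other peer, so the planner output doubles as the change-ticket checklist.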
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS
https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
Answer : C
As a best practice, logging at session start should be used in which case?
Answer : A
A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.
In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)
Answer : A, D, E
For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:
A. External zones with the virtual systems added:
External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.
D. Add a route with next hop next-vr by using the VR configured in the virtual system:
When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.
E. Ensure the virtual systems are visible to one another:
Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.
By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
Answer : D
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic?
Answer : B
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
Answer : B
Set the Action to take when matching a packet:
Forward: Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.
Discard: Drops the packet.
No PBF: Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer : A, B
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
Answer : D
The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods. Reference: DoS Protection, PCNSE Study Guide (page 58)
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Answer : D
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic. Reference: App-ID Overview, Create a Security Policy Rule
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
Answer : C
When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the 'Preview Changes' feature.
A. Click Preview Changes under Push Scope:
The 'Preview Changes' option is available under the 'Push Scope' in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.
This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.
This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?
Answer : D
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What … the User
Answer : D
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)
Answer : B, C
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
Answer : B
All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
Answer : A
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Answer : B
The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.
Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?
Answer : B
In the following image from Panorama, why are some values shown in red?
Answer : C
Which translated port number should be used when configuring a NAT rule for a transparent proxy?
Answer : C
A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.
Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.
Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?
Answer : A
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?
Answer : C
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
Answer : C
An administrator has been tasked with configuring decryption policies.
Which decryption best practice should they consider?
Answer : A
The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template can an engineer configure? (Choose three.)
Answer : A, C, D
A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:
A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.
C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.
D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
What are three prerequisites for credential phishing prevention to function? (Choose three.)
Answer : A, D, E
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
Answer : A
Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)
Answer : B, D
Which log type is supported in the Log Forwarding profile?
Answer : C
An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?
Answer : A
An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in place for approved web traffic?
Answer : B
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
Answer : B
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.22/128, and the Microsoft Exchange servers reside in 192.168.28.48/28. What the 0 the User
Answer : D
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Answer : B
An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.
Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?
Answer : D
Which log type would provide information about traffic blocked by a Zone Protection profile?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC
D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the threat log [2]. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].
Verified Reference:
[1] Zone protection profiles - Palo Alto Networks Knowledge Base
[2] Threat Log Fields - Palo Alto Networks
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
Answer : A
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML [1]. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet [2].
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. [3]. An SSL decryption profile does not provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy [4]. An SSL decryption policy does not provide any user identification or notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. [5]. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.
References:
[1] Configure an Authentication Portal
[2] Redirect Users Through an Authentication Portal
[3] SSL Decryption Profile
[4] Decryption Policy
[5] Comfort Pages
In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
Answer : B
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
Answer : A, C
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
Answer : D
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:
The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
Answer : A, D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?
Answer : C
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
Answer : A
An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."
How should the administrator remediate this issue?
Answer : C
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Answer : A, D
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What must the administrator do to correct this issue?
Answer : C
In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?
Answer : B
When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
Answer : C, D
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
Answer : B
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
Answer : B
In Palo Alto Networks firewalls, when multiple static routes exist for the same destination, the firewall uses the administrative distance (AD) to determine route priority. The AD is a metric that indicates the trustworthiness of a route, with lower values indicating higher priority. For static routes, the default AD is 10, but this can be manually adjusted. The route with the lowest AD is preferred and added to the routing table. If AD values are equal, the firewall then considers the metric (default 10), but AD is the primary differentiator.
Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto's implementation.
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
Answer : D
Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
Answer : D
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?
Answer : A
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
Answer : C
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
If you do not believe it, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including specific actions.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?
Answer : B
In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
Answer : D
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?
Answer : C
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
Answer : B
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.
What are the default values for ping interval and ping count before a failover is triggered?
Answer : C
Ping Interval---Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms).
Ping Count---Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).
The UDP-4501 protocol-port is used between which two GlobalProtect components?
Answer : B
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
Answer : C
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
Answer : B
When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.
Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
Answer : C, D, E
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
Which statement applies to HA timer settings?
Answer : D
High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.
Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware
category: dns-c2
threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
Answer : A
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
Answer : B
Set the Action to take when matching a packet:
Forward---Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems)---Select the virtual system to which to forward the packet.
Discard---Drops the packet.
No PBF---Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
Answer : C
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two)
Answer : B, C
Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.
Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
Answer : C
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
Answer : B, C
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.
For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.
Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)
Answer : A, D
Where can a service route be configured for a specific destination IP?
Answer : C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
Answer : A, B, D
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
Answer : D
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
Answer : D
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
Answer : A
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?
Answer : C
Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.
Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.
An administrator plans to install the Windows User-ID agent on a domain member system.
What is a best practice for choosing where to install the User-ID agent?
Answer : C
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
Answer : D
URL profile action alert.
File Profile action alert.
AV and Wildfire action Reset-both
Policy Action Allow.
The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.
Refer to the exhibit.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
Answer : B
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?
Answer : C
When troubleshooting Palo Alto Networks services, such as dynamic updates, verifying the status of service routes is critical. Service routes determine how the firewall communicates with external services (e.g., Palo Alto Networks update servers, WildFire, DNS, etc.) from the Management Plane or data plane interfaces.
Why 'debug dataplane internal vif route 250' is correct:
- Purpose of the command: it allows administrators to view the service routes configured on the firewall and verify whether they are installed correctly and actively working. The number 250 specifically refers to service routes in the Management Plane.
- Output: the command displays detailed information about service routes, including routing decisions, source interfaces, and next-hop IPs. It helps identify issues such as incorrect interface configuration, invalid next-hop IPs, and missing routes for specific services.
Analysis of the other options:
- debug dataplane internal vif route 255: incorrect. The number 255 does not correspond to service routes but is used for internal route debugging unrelated to Management Plane service routes.
- show routing route type management: incorrect. This command does not exist in the PAN-OS CLI; it might be a misrepresentation of another command.
- debug dataplane internal vif route 250: correct. As explained above, this is the command for verifying service routes in the Management Plane.
- show routing route type service-route: incorrect. This is not a valid PAN-OS CLI command.
PAN-OS documentation reference:
- Service routes in PAN-OS 11.0: the configuration and verification of service routes are covered under Device > Setup > Services in the GUI. For the CLI, the debug dataplane internal vif route 250 command is specifically used for troubleshooting service routes in the Management Plane.
For more details, refer to:
- PAN-OS 11.0 CLI Guide: covers debugging tools and service route verification.
- PCNSA Study Guide: Domain 1 includes service route configurations and their importance in maintaining connectivity for management services.
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
Answer : C
When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the 'Preview Changes' feature.
A. Click Preview Changes under Push Scope:
The 'Preview Changes' option is available under the 'Push Scope' in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.
This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.
This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
Answer : B, D, E
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named 'Global' and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)
Answer : B, C, E
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
Answer : D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?
Answer : C
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html
A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.
They notice that commit times have drastically increased for the PA-220s after the migration.
What can they do to reduce commit times?
Answer : A
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
When using certificate authentication for firewall administration, which method is used for authorization?
Answer : A
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.
A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
Answer : A, B
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?
Answer : D
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms The network team has reported excessive traffic on the corporate WAN How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
Answer : D
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
Answer : C, D
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
Answer : C
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
Answer : B, D
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
What can the Log Forwarding built-in action with tagging be used to accomplish?
Answer : B
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
Answer : D
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Answer : B
An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.
Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.
A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
Answer : B
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP peering between the two devices?
Answer : D
Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
Answer : D
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
As a best practice, which URL category should you target first for SSL decryption?
Answer : B
Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.
Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
Answer : A
To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a 'master device' must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.
Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?
Answer : A
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
Answer : D
During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?
Answer : B
WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.
Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.
In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)
Answer : A, B
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
Answer : A
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.
In the following image from Panorama, why are some values shown in red?
Answer : C
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
Answer : A
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.
What should the NAT rule destination zone be set to?
Answer : B
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?
Answer : D
An administrator is building Security rules within a device group to block traffic to and from malicious locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
Answer : A
In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.
For verification, please refer to the Palo Alto Networks 'PAN-OS Administrator's Guide' or the official configuration documentation for Panorama and device group rules.
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
Answer : B, C
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
Answer : A
Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
Answer : C
SAML SLO is supported for which two firewall features? (Choose two.)
Answer : A, B
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
Answer : B, C
To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
Answer : B, D
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
Answer : A
One of the potential causes of a failed install when upgrading Panorama is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Check the compatibility matrix for every installed plugin before starting the upgrade. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Answer : B
The Advanced Routing Engine in Palo Alto Networks firewalls (PAN-OS 10.2 and later) replaces the legacy virtual router with a logical router and supports more complex and robust routing configurations. It is a firewall-wide setting, not a per-virtual-router option: the administrator navigates to Device > Setup > Management, edits General Settings, and selects Advanced Routing. After committing the change, the firewall must be rebooted for the new routing engine to take effect; the existing virtual routers are then converted to logical routers. Plan the reboot in a maintenance window, because routing is disrupted until the firewall comes back up.
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
Answer : A, B
In a template, which two objects can be configured? (Choose two.)
Answer : B, C
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html
An administrator plans to install the Windows-Based User-ID Agent.
What type of Active Directory (AD) service account should the administrator use?
Answer : A
An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.
What could an administrator do to troubleshoot the issue?
Answer : B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
Answer : B
The compare option for a specific rule in the New App Viewer under Policy Optimizer shows, side by side, the applications configured in the rule and the applications seen in traffic that matched the same rule. This helps the administrator identify applications that are hitting the rule without being explicitly named in it, for example traffic matched through the dependencies of the configured applications, or new App-IDs introduced by a content release that now match the rule. The administrator can then decide whether to add those applications to the rule or to tighten it so the rule allows only what is intended. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)
A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configured. Which interface mode can forward the broadcast DHCP traffic?
Answer : B
A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.
What is the engineer's next step?
Answer : B
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
Answer : C
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. The app first attempts to establish the tunnel over IPSec for the best security and performance. In cases where IPSec cannot be used, for example because an intermediate device blocks UDP 4501 or ESP, GlobalProtect has a fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:
If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, although generally with somewhat less throughput than IPSec.
This fallback is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions. A user whose tunnel consistently shows SSL rather than IPSec in the app's connection details is a signal to look for a network path that blocks IPSec.
An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
Answer : A, B, D
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
Answer : A, B, E
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
Answer : D
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?
Answer : B
In Palo Alto Networks firewalls, when multiple routes exist for the same destination prefix, the firewall uses the administrative distance (AD) to determine route priority. The AD indicates the trustworthiness of a route source, with lower values indicating higher priority. Static routes default to an AD of 10, but each static route can be given its own AD when it is created, which is how two static routes to the same destination can be ranked. The route with the lowest AD is installed in the forwarding table. If the AD values are equal, the firewall then compares the metric (default 10 for static routes), but AD is the primary differentiator. Note that a more specific (longer) prefix always wins before AD or metric is considered.
Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto Networks' implementation.
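The selection order described above (longest prefix match, then lowest administrative distance, then lowest metric, with installation order ignored), as an added example that is not part of the original page and not PAN-OS code. The route table and addresses are constructed for illustration; the defaults of 10 for AD and metric follow PAN-OS static-route defaults:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str          # prefix, e.g. "10.20.0.0/16"
    next_hop: str             # next-hop address (informational here)
    admin_distance: int = 10  # PAN-OS default AD for static routes
    metric: int = 10          # PAN-OS default metric for static routes


def select_route(routes: Iterable[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Return the route the forwarding table would use for dst_ip, or None.

    Order of preference:
      1. longest matching prefix
      2. lowest administrative distance
      3. lowest metric
    The order in which routes were added is deliberately not a tiebreaker.
    """
    target = ip_address(dst_ip)
    candidates = [r for r in routes if target in ip_network(r.destination)]
    if not candidates:
        return None
    longest = max(ip_network(r.destination).prefixlen for r in candidates)
    most_specific = [r for r in candidates
                     if ip_network(r.destination).prefixlen == longest]
    # min() on the (AD, metric) tuple implements "lowest AD, then lowest metric"
    return min(most_specific, key=lambda r: (r.admin_distance, r.metric))


# Constructed sample: two static routes to the same server subnet, where the
# route added first has the worse (higher) AD and so must lose.
SAMPLE_ROUTES = [
    StaticRoute("10.20.30.0/24", "192.0.2.1", admin_distance=20),   # added first
    StaticRoute("10.20.30.0/24", "192.0.2.2", admin_distance=10),   # preferred
    StaticRoute("10.20.0.0/16", "192.0.2.3", admin_distance=5),     # less specific
    StaticRoute("0.0.0.0/0", "192.0.2.254"),                        # default route
]


def explain(routes: Iterable[StaticRoute], dst_ip: str) -> str:
    """Human-readable one-liner for a troubleshooting session."""
    r = select_route(routes, dst_ip)
    if r is None:
        return f"{dst_ip}: no route"
    return (f"{dst_ip}: via {r.next_hop} ({r.destination}, "
            f"AD {r.admin_distance}, metric {r.metric})")


if __name__ == "__main__":
    for ip in ("10.20.30.7", "10.20.99.1", "198.51.100.9"):
        print(explain(SAMPLE_ROUTES, ip))
```

Running the block prints which next hop each sample destination would take; the /24 with AD 10 beats the /24 added earlier with AD 20, and the /16 with the lowest AD of all is never chosen for 10.20.30.7 because prefix length is compared before AD.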
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.
Which three parts of a template an engineer can configure? (Choose three.)
Answer : A, C, D
A, C, and D are the correct answers because they are parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that Panorama can push to multiple firewalls. A template can contain settings such as:
A: NTP Server Address: the address of the Network Time Protocol server that synchronizes the time on the firewall.
C: Authentication Profile: the profile that defines how the firewall authenticates users and administrators.
D: Service Route Configuration: the configuration that specifies which interface and source IP address the firewall uses to reach external services such as DNS, email, syslog, and update servers.
Objects and policy rules are not template content; they belong to device groups.
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
Answer : A
How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?
Answer : C
Perfect Forward Secrecy (PFS) forces a fresh Diffie-Hellman exchange for every Phase 2 (IPSec SA) negotiation, so the IPSec session keys are not derived from the IKE SA keying material and compromise of one key does not expose earlier sessions. On PAN-OS it is enabled in the IPSec Crypto profile (Network > Network Profiles > IPSec Crypto) by selecting a DH group (Option C); selecting no-pfs disables it. When troubleshooting a Phase 2 mismatch, confirm that both peers either have PFS disabled or use the same DH group, because a DH group mismatch causes the Phase 2 proposal to be rejected.
Option A (IKE Gateway advanced options) covers Phase 1 settings such as passive mode, NAT traversal, and liveness checks, not PFS. Option B (IPSec Tunnel) references the crypto profile but does not set PFS itself. Option D (authentication algorithm) is unrelated.
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
Answer : A, C, D
https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?
Answer : B
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is the feature that keeps the configurations of the two firewalls in an HA pair consistent. During the migration you want to avoid any change to the running firewall configuration until you have verified and committed the imported configuration on Panorama, so disable config sync before importing, and re-enable it after committing and pushing the changes from Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)
How does Panorama prompt VMWare NSX to quarantine an infected VM?
Answer : A
Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
Answer : B, D
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
Answer : D
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Answer : B
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
Answer : B
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through each intermediate feature release; you cannot skip from 10.1 directly to 11.0.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:
First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) so that all the latest fixes are applied before the feature-release jump.
Next, downloading the base image of the next feature release (PAN-OS 10.2.0) and then installing the latest preferred maintenance release of PAN-OS 10.2. The base image must be present on the firewall even though the maintenance release is what gets installed; this step ensures the firewall is on a stable and supported version before proceeding to the next feature release.
Finally, downloading the base image of PAN-OS 11.0 (11.0.0) and installing the desired PAN-OS 11.0.x release. This completes the upgrade to the new feature release, providing access to new features such as TLSv1.3 support for management access.
Before each step, confirm the content release version and, for Panorama-managed firewalls, that Panorama is already running a version equal to or later than the target PAN-OS. This sequential upgrade path is designed to ensure a smooth transition between feature releases, maintaining system stability and security.
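The step sequence above, generalized to any pair of feature releases, as an added example that is not part of the original page and not a Palo Alto Networks tool. The ordered list of feature releases and the "preferred maintenance release" map are inputs supplied by the caller; the values in the sample at the bottom are placeholders constructed for illustration, not a statement of which maintenance releases are currently preferred:

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
FeatureRelease = Tuple[int, int]


def parse_version(text: str) -> Version:
    """'10.2.7' -> (10, 2, 7); raises ValueError on anything else."""
    parts = text.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.maintenance, got {text!r}")
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def upgrade_path(current: str, target: str,
                 feature_releases: List[FeatureRelease],
                 preferred: Dict[FeatureRelease, str]) -> List[Tuple[str, str]]:
    """Return the ordered (action, version) steps from current to target.

    action is 'install' or 'download'. Rules implemented:
      * first move to the preferred maintenance release of the current feature
        release (skipped if already there or beyond);
      * for every intermediate feature release: download its base image, then
        install its preferred maintenance release;
      * for the target feature release: download the base image, then install
        the requested version.
    """
    cur, tgt = parse_version(current), parse_version(target)
    cur_fr, tgt_fr = cur[:2], tgt[:2]
    if cur_fr not in feature_releases or tgt_fr not in feature_releases:
        raise ValueError("unknown feature release")
    if tgt <= cur:
        raise ValueError("target must be newer than current version")

    i, j = feature_releases.index(cur_fr), feature_releases.index(tgt_fr)
    steps: List[Tuple[str, str]] = []

    if i < j:
        # stage 1: latest preferred maintenance of the release we are on
        pref = parse_version(preferred[cur_fr])
        if cur < pref:
            steps.append(("install", fmt(pref)))
        # stage 2: every feature release between current and target
        for fr in feature_releases[i + 1:j]:
            steps.append(("download", fmt(fr + (0,))))
            steps.append(("install", preferred[fr]))
        # stage 3: base image of the target feature release
        steps.append(("download", fmt(tgt_fr + (0,))))

    steps.append(("install", fmt(tgt)))
    return steps


# Constructed sample inputs (placeholders, not real preferred-release data).
FEATURE_RELEASES: List[FeatureRelease] = [(10, 1), (10, 2), (11, 0)]
PREFERRED: Dict[FeatureRelease, str] = {
    (10, 1): "10.1.9",
    (10, 2): "10.2.7",
    (11, 0): "11.0.3",
}

if __name__ == "__main__":
    for action, version in upgrade_path("10.1.3", "11.0.4",
                                        FEATURE_RELEASES, PREFERRED):
        print(f"{action:8s} {version}")
```

Feed the function the feature-release list and preferred-release map from the current Palo Alto Networks release notes; the output is the checklist to walk on each firewall, and an upgrade within a single feature release collapses to a single install step.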
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.
What can the administrator configure to establish the VPN connection?
Answer : B
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode on the IKE Gateway to establish the VPN connection. Passive Mode tells the firewall not to initiate IKE negotiation and instead wait for the peer to connect. The other options are incorrect. Option A, certificate authentication, changes how the peers authenticate but does not address the unknown peer address. Option C, the Dynamic peer IP address type, lets the firewall accept a peer whose address is not fixed, but by itself it does not make the firewall act purely as responder. Option D, configuring the peer address as an FQDN, would require the administrator to know a resolvable name for the peer device.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Answer : D
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means the firewall automatically permits those applications for the sessions that go on to be identified as Evernote when the Evernote application is allowed. Therefore, there is no need to add the HTTP, SSL, or web-browsing applications to the same Security policy rule. Adding them would broaden the scope of the rule and allow general SSL and web traffic that never becomes Evernote. Whether an App-ID's dependencies are implicit or must be added explicitly is shown in the application's details in Objects > Applications. Reference: App-ID Overview, Create a Security Policy Rule
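The two ideas above, that a rule naming a parent App-ID implicitly covers that App-ID's dependencies, and that Policy Optimizer's compare option sets the applications configured in a rule against the applications actually seen on it (the New App Viewer question earlier on this page), as one added example that is not part of the original page and not Palo Alto Networks code. The dependency table and the "seen on rule" list are constructed for illustration and are not the live App-ID database; the closure it computes models which seen applications a rule can account for, not the firewall's session-by-session shift logic:

```python
from typing import Dict, Iterable, Set

# Constructed dependency table: app -> the App-IDs it implicitly uses.
# Shape only; consult Objects > Applications on the firewall for real data.
APP_DEPENDENCIES: Dict[str, Set[str]] = {
    "evernote": {"ssl", "web-browsing"},
    "facebook-base": {"ssl", "web-browsing"},
    "facebook-chat": {"facebook-base"},
    "ssl": set(),
    "web-browsing": set(),
}


def implicitly_allowed(rule_apps: Iterable[str],
                       deps: Dict[str, Set[str]] = APP_DEPENDENCIES) -> Set[str]:
    """Transitive closure of a rule's applications over the dependency table.

    An app listed in the rule plus everything it (recursively) depends on.
    Unknown apps are kept as-is: a rule can reference a custom App-ID that has
    no entry in the table.
    """
    allowed: Set[str] = set()
    stack = list(rule_apps)
    while stack:
        app = stack.pop()
        if app in allowed:
            continue
        allowed.add(app)
        stack.extend(deps.get(app, set()))
    return allowed


def compare_rule(rule_apps: Iterable[str], seen_apps: Iterable[str],
                 deps: Dict[str, Set[str]] = APP_DEPENDENCIES) -> Dict[str, Set[str]]:
    """Model of the Policy Optimizer compare view for one rule.

    Buckets every app seen on the rule as:
      explicit   - named in the rule
      dependency - not named, but a dependency of a named app
      uncovered  - seen on the rule yet not accounted for by it; these are the
                   apps an administrator must decide to add or to block
    """
    explicit = set(rule_apps)
    covered = implicitly_allowed(explicit, deps)
    seen = set(seen_apps)
    return {
        "explicit": seen & explicit,
        "dependency": seen & (covered - explicit),
        "uncovered": seen - covered,
    }


if __name__ == "__main__":
    # Constructed "seen on rule" data for a rule that allows only evernote.
    rule = ["evernote"]
    seen = ["evernote", "ssl", "web-browsing", "facebook-chat"]
    for bucket, apps in compare_rule(rule, seen).items():
        print(f"{bucket:10s} {sorted(apps)}")
```

A rule that lists only evernote reports ssl and web-browsing as dependency traffic and facebook-chat as uncovered; that uncovered bucket is what the compare option is for, and adding facebook-chat to the rule would also pull in facebook-base through the closure.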
An administrator is building Security rules within a device group to block traffic to and from malicious locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
Answer : A
In Palo Alto Networks firewalls, rules are evaluated top down and the first match wins, so rule position determines priority. For rules managed from Panorama, pre-rules are evaluated before the firewall's locally defined rules and before post-rules, and within pre-rules the Shared pre-rules are evaluated before device-group pre-rules. Placing the block rules at the top of the Security Pre-Rules therefore guarantees that they are evaluated first, before any device-specific or post-rules can allow the traffic.
For verification, refer to the Palo Alto Networks PAN-OS Administrator's Guide or the Panorama Administrator's Guide sections on device groups and policy rule hierarchy.
An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?
Answer : C
A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
Answer : C
For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and referencing it from an application override rule is the quickest solution to implement.
C. The process involves:
Creating a custom application (Objects > Applications) and configuring it with session timeouts long enough to accommodate the application's idle behavior. This ensures that the firewall does not prematurely close the application's sessions due to inactivity.
Next, creating an application override rule (Policies > Application Override) that references the custom application. The rule matches traffic on source, destination, and port, and labels it with the custom application name so that it appears under that name in the Traffic logs.
This approach is quick to implement and gives the application a proper name in the logs without threat scanning. The caveat a practitioner should keep in mind is that an application override rule bypasses App-ID signature matching and Content-ID inspection for the matched traffic entirely; if the requirement that the App-ID engine itself identify the traffic is strict, the custom application must instead be defined with signatures (patterns taken from packet captures of the application) and no override rule.
Which protocol is natively supported by GlobalProtect Clientless VPN?
Answer : C
In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)
Answer : A, C
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Answer : D
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
Answer : B
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path or link, it enters the Tentative state. A firewall in the Tentative state does not own any of the HA virtual addresses; it forwards packets it receives to its peer over the HA3 link for processing, and it synchronizes sessions and configuration from the peer. It remains in this state until the monitored object recovers and the tentative hold timer expires, after which it returns to the Active state. Therefore, the correct answer is B. Tentative.
Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?
Answer : D
When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)
Answer : C, D
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
Answer : C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD