PCNSE-Exam4sure

Paloalto Networks
PCNSE
Palo Alto Networks

Certified Security
Engineer (PCNSE)
PAN-OS 11.0
Version: 42.1
Web: www.exams4sure.com
[ Total Questions: 250]
Email: support@exams4sure.com
IMPORTANT NOTICE
Feedback
We have developed quality product and state-of-art service to ensure our customers interest. If you have any
suggestions, please feel free to contact us at feedback@exams4sure.com
Support
If you have any questions about our product, please provide the following items:
exam code
screenshot of the question
login id/email
please contact us at support@exams4sure.com and our technical experts will provide support within 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will inflict legal punishment. We reserve the right of final explanation for this statement.
Practice Exam Paloalto Networks - PCNSE
Question #:1
An engineer troubleshoots a high availability (HA) link that is unreliable.
Where can the engineer view what time the interface went down?
A. Monitor > Logs > System
B. Device > High Availability > Active/Passive Settings
C. Monitor > Logs > Traffic
D. Dashboard > Widgets > High Availability
Answer: A
Question #:2
A company has configured GlobalProtect to allow their users to work from home. A decrease in performance
for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
A. Exclude video traffic
B. Enable decryption
C. Block traffic that is not work-related
D. Create a Tunnel Inspection policy
Answer: A C
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW
Question #:3
An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)
A. DNS Proxy
B. SSL/TLS profiles
C. address groups
D. URL Filtering profiles
Leaders in it certification 1 of 151

Answer: C D
Question #:4
When backing up and saving configuration files, what is achieved using only the firewall and is not available
in Panorama?
A. Export device state
B. Load configuration version
C. Load named configuration snapshot
D. Save candidate config
Answer: A
Question #:5
Match the terms to their corresponding definitions
Answer:

Explanation

A close-up of a computer screen Description automatically generated
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-
guide.pdf page 83
Question #:6
An administrator receives the following error message:
"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4
address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."
How should the administrator identify the root cause of this error message?
A. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate
B. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure
C. Check whether the VPN peer on one end is set up correctly using policy-based VPN
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or
disabled on both VPN peers.
Answer: C

Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-
messages
The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto
Networks firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn
/interpret-vpn-error-messages.html
Question #:7
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
A. No, because the URL generated an alert.
B. Yes, because both the web-browsing application and the flash file have the 'alert" action.
C. Yes, because the final action is set to "allow.''
D. No, because the action for the wildfire-virus is "reset-both."
Answer: B
Question #:8
A firewall administrator to have visibility on one segment of the company network. The traffic on the segment
is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after
getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there
are enough system resources to get extra traffic on the firewall. The administrator needs to complete this
operation with minimum service interruptions and without making any IP changes. What is the best option for
the administrator to take?
A. Configure a Layer 3 interface for segment X on the firewall
B. Configure the TAP interface for segment X on the firewall.
C. Configure a new vsys for segment X on the firewall
D. Configure vwire interfaces for segment X on the firewall.
Answer: D
Question #:9
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks
appliances.

Which profile should be configured in order to achieve this?
A. SSH Service profile
B. SSL/TLS Service profile
C. Certificate profile
D. Decryption profile
Answer: A
Explanation
SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward
Proxy applications, not mgmt of the PANW Firewall. There's also KB articles to strengthen SSH, but I
couldn't find any for HTTPS, on the mgmt interface: https://knowledgebase.paloaltonetworks.com
/KCSArticleDetail?id=kA14u0000004OOQCA2&lang=en_US%E2%80%A9
Question #:10
Which three items must be configured to implement application override? (Choose three )
A. Custom app
B. Security policy rule
C. Application override policy rule
D. Decryption policy rule
E. Application filter
Answer: A B C
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO
Question #:11
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In
which section is this configured?
A. Monitor > Logs > System
B. Objects > Log Forwarding
C.

C. Panorama > Managed Devices
D. Device > Log Settings
Answer: D
Question #:12
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-
ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for
users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were
not captured on the domain controllers that were being monitored Information Security found that
authentication events existed on the Identity Management solution (IDM). There did not appear to be direct
integration between PAN-OS and the IDM solution
How can Information Security extract and learn iP-to-user mapping information from authentication events
for VPN and wireless users?
A. Add domain controllers that might be missing to perform security-event monitoring for VPN and
wireless users.
B. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
C. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from
the IDM solution
D. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for
IP-to-User mapping.
Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-
user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f
Question #:13

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted
What is the result of traffic that matches the "Alert - Threats" Profile Match List?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180
minutes.
B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180
minutes.
Answer: C
Question #:14
Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain,
and application?
A. No Direct Access to local networks
B. Tunnel mode
C.

C. iPSec mode
D. Satellite mode
Answer: B
Question #:15
An engineer manages a high availability network and requires fast failover of the routing protocols. The
engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
A. OSPF
B. RIP
C. BGP
D. IGRP
E. OSPFv3 virtual link
Answer: A B C
Explanation
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-
routing-protocols
Question #:16
Given the following snippet of a WildFire submission log did the end-user get access to the requested
information and why or why not?
A. Yes, because the action is set to alert
B. No, because this is an example from a defeated phishing attack
C. No, because the severity is high and the verdict is malicious.
D.

D. Yes, because the action is set to allow.
Answer: D
Explanation
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-
action/td-p/143516
Question #:17
An administrator is attempting to create policies tor deployment of a device group and template stack. When
creating the policies, the zone drop down list does not include the required zone.
What must the administrator do to correct this issue?
A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template
Answer: C
Explanation
In order to see what is in a template, the device-group needs the template referenced. Even if you add the
firewall to both the template and device-group, the device-group will not see what is in the template. The
following link has a video that demonstrates that B is the correct answer. https://knowledgebase.
paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG
Question #:18
Which rule type controls end user SSL traffic to external websites?
A. SSL Outbound Proxyless Inspection
B. SSL Forward Proxy
C. SSH Proxy
D. SSL Inbound Inspection
Answer: B
Explanation

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external
websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as
an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested
website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the
user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security
policies before re-encrypting and forwarding the traffic to its destination.
This process is transparent to the end user and ensures that potentially harmful content delivered over
encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a
comprehensive security strategy, allowing organizations to enforce security policies and protect against
threats in encrypted traffic.
Question #:19
Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
A. Successful GlobalProtect Deployed Activity
B. GlobalProtect Deployment Activity
C. GlobalProtect Quarantine Activity
D. Successful GlobalProtect Connection Activity
Answer: B D
Question #:20
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
A. NAT
B. DOS protection
C. QoS
D. Tunnel inspection
Answer: C
Explanation
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This
is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based
on their characteristics, such as vendor, model, OS, and role1. QoS policies are used to allocate bandwidth
and prioritize traffic based on various criteria, such as application, user, source, destination, and device2. By
using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to
different types of devices, such as IoT devices, laptops, smartphones, etc3. This can help optimize the
network performance and ensure the quality of service for critical applications and devices.

Question #:21
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks
Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best Practice standard?
(Choose three.)
A. Low
B. High
C. Critical
D. Informational
E. Medium
Answer: B C E
Explanation
https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-
security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-
anti-spyware-profile
The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures
(PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the
malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational
severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared
to potential threats2. References: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile:
Anti-Spyware, PCNSE Study Guide (page 57)
Question #:22
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's
Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate
CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional
device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the
company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on
the firewall for use with decryption?
A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C.

C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Question #:23
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.
What should they review with their leadership before implementation?
A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies
Answer: D
Explanation
The engineer should review the legal compliance regulations and acceptable usage policies with their
leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy
decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers. This
can raise privacy and legal concerns for the users and the organization. Therefore, the engineer should ensure
that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that they
have a clear policy for informing and obtaining consent from the users. Option A is incorrect because browser-
supported cipher documentation is not relevant for SSL Forward Proxy decryption. The firewall uses its own
cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is
incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL
Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external
server, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category
distinctions are not relevant for SSL Forward Proxy decryption. The firewall can decrypt and inspect traffic
based on any URL category, not just risk-based ones.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts "Understand
local laws and regulations about the traffic you can legally decrypt and user notification requirements."
Question #:24

An administrator is informed that the engineer who previously managed all the VPNs has left the company.
According to company policies the administrator must update all the IPSec VPNs with new pre-shared keys
Where are the pre-shared keys located on the firewall?
A. Network/lPSec Tunnels
B. Network/Network Profiles/IKE Gateways
C. Network/Network ProfilesTlPSec Crypto
D. Network/Network Profiles/IKE Crypto
Answer: B
Question #:25
When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the
details of the Forward Trust certificate. Forward Untrust certificate, and SSL Inbound Inspection certificate?
A. show system setting ssl-decrypt certificate
B. show system setting ssl-decrypt certs
C. debug dataplane show ssl-decrypt ssl-certs
D. show system setting ssl-decrypt certificate-cache
Answer: A
Question #:26
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the
screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP
(ping)
A. Hello Interval
B. Promotion Hold Time
C. Heartbeat Interval
D. Monitor Fail Hold Up Time

Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers
Question #:27
A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.
Which command should they use?
A. test routing route ip 10.2.5.3 *
B. test routing route ip 10.2.5.3 virtual-router default
C. test routing fib-lookup ip 10.2.5.0/24 virtual-router default
D. test routing fib-lookup ip 10.2.5.3 virtual-router default
Answer: D
Explanation
To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the
appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs
a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified
virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table
and the associated forwarding information to determine the next-hop and the egress interface for the given IP
address. This command is instrumental for troubleshooting and verifying routing decisions made by the
firewall to ensure that traffic is routed as expected through the network infrastructure.
Question #:28
A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter
Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to
implement?
A. Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push
them to the firewalls.
B. Create custom vulnerability signatures manually on one firewall export them, and then import them to
the rest of the firewalls
C. Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the
firewalls.
D. Create custom vulnerability signatures manually in Panorama, and push them to the firewalls
Answer: C

Question #:29
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a
specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in these
rules?
A. A service route to the LDAP server
B. A Master Device
C. Authentication Portal
D. A User-ID agent on the LDAP server
Answer: B
Explanation
https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG
Question #:30
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect
gateway?
A. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
B. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
D. It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.
Answer: C
Explanation
The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users.
It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance.
However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a
fallback mechanism.
C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default
behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can
still be established, maintaining secure remote access for the user even in environments where IPSec is
not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.
This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure
access for remote users under various network conditions.
Question #:31
An engineer is tasked with decrypting web traffic in an environment without an established PKI When using a
self-signed certificate generated on the firewall which type of certificate should be in? approved web traffic?
A. An Enterprise Root CA certificate
B. The same certificate as the Forward Trust certificate
C. A Public Root CA certificate
D. The same certificate as the Forward Untrust certificate
Answer: B
Question #:32
Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
A. HA cluster members must share the same zone names.
B. Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces
C. Panorama must be used to manage HA cluster members.
D. HA cluster members must be the same firewall model and run the same PAN-OS version.
Answer: B D
Question #:33
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3
and to the destination 10.46.41.113?
A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5
Answer: D
Explanation

In the second image, VW ports mentioned are 1/5 and 1/7. Hence it can not be a part of any other routing. So
if any traffic coming as ingress from 1/7, it has to go out via 1/5.
The egress interface for the traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination
10.46.41.113 will be ethernet1/5. This is because the traffic will match the virtual wire with interfaces
ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 201. The
traffic will also match the security policy rule that allows traffic from zone Trust to zone Untrust, which are
assigned to ethernet1/7 and ethernet1/5 respectively2. Therefore, the traffic will be forwarded to the same
interface from which it was received, which is ethernet1/53.
Question #:34
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose
three.)
A. Voice
B. Fingerprint
C. SMS
D. User certificate
E. One-time password
Answer: C D E
Explanation
The firewall can use three multi-factor authentication methods to authenticate access to the firewall: SMS,
user certificate, and one-time password. These methods can be used in combination with other authentication
factors, such as username and password, to provide stronger security for accessing the firewall web interface
or CLI. The firewall can integrate with various MFA vendors that support these methods through RADIUS or
SAML protocols5. Voice and fingerprint are not supported by the firewall as MFA
methods. References: MFA Vendor Support, PCNSE Study Guide (page 48)
Question #:35
In a template, which two objects can be configured? (Choose two.)
A. SD-WAN path quality profile
B. Monitor profile
C. IPsec tunnel
D. Application group
Answer: B C

Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles
/network-network-profiles-monitor.html
Question #:36
An administrator pushes a new configuration from Panorama to a par of firewalls that are configured as an
active/passive HA pair. Which NGFW receives the from Panorama?
A. The active firewall which then synchronizes to the passive firewall
B. The passive firewall, which then synchronizes to the active firewall
C. Both the active and passive firewalls which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward
Answer: D
Question #:37
An engineer reviews high availability (HA) settings to understand a recent HA failover event Review the
screenshot below.

Which tuner determines how long the passive firewall will wart before taking over as the active firewall after
losing communications with the HA peer?
A. Additional Master Hold Up Time
C. Monitor Fail Hold Up Time
D. Heartbeat Interval
Answer: B
Question #:38
An administrator is building Security rules within a device group to block traffic to and from malicious
locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top ol the Security Pre-Rules.
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security
rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Default Rules.
Answer: A
Explanation
In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high
priority evaluation, rules should be configured at the top of the rulebase so they are matched before others.
The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by
placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first,
before any device-specific or post-rules.For verification, please refer to the Palo Alto Networks "PAN-OS®
Administrator’s Guide" or the official configuration documentation for Panorama and device group rules.
Question #:39
Exhibit.

Given the screenshot, how did the firewall handle the traffic?
A. Traffic was allowed by profile but denied by policy as a threat.
B. Traffic was allowed by policy but denied by profile as a threat.
C. Traffic was allowed by policy but denied by profile as encrypted.
D. Traffic was allowed by policy but denied by profile as a nonstandard port.
Answer: B

Question #:40
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
C. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the
outgoing request.
D. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of
the proxy.
Answer: C D
Explanation
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-
users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Question #:41
An administrator has been tasked with configuring decryption policies,
Which decryption best practice should they consider?
A. Consider the local, legal, and regulatory implications and how they affect which traffic can be
decrypted.
B. Decrypt all traffic that traverses the firewall so that it can be scanned for threats.
C. Place firewalls where administrators can opt to bypass the firewall when needed.
D. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.
Answer: A
Explanation
The best decryption best practice that the administrator should consider is A: Consider the local, legal, and
regulatory implications and how they affect which traffic can be decrypted. This is because decryption
involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues
depending on the jurisdiction and the type of traffic1. Therefore, the administrator should be aware of the
local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the
appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner1.

Question #:42
An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall.
However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type,
tx-power, rxpower, vendor name, and part number by using the CLI?
A. show chassis status slot s1
B. show s/stem state filter ethernet1/1
C. show s/stem state filter sw.dev interface config
D. show s/stem state filter-pretty sys.sl*
Answer: D
Question #:43
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection
profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
A. ICMP Drop
B. TCP Drop
C. SYN Random Early Drop
D. TCP Port Scan Block
Answer: A B
Question #:44
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI
command can the engineer use?
A. test vpn ike-sa
B. test vpn gateway
C. test vpn flow
D. test vpn tunnel
Answer: A

Question #:45
An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been
configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display
the same MAC address being shared for some of these firewalls.
What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in
conflict?
A. Configure a floating IP between the firewall pairs.
B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on
the same subnet.
C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
D. On one pair of firewalls, run the CLI command: set network interface vlan arp.
Answer: B
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS
Question #:46
Which three actions can Panorama perform when deploying PAN-OS images to its managed devices?
(Choose three.)
A. upload-onlys
B. install and reboot
C. upload and install
D. upload and install and reboot
E. verify and install
Answer: A C D
Explanation
ttps://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html
Question #:47

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on
their policy-based VPN devices.
What should an administrator configure to route interesting traffic through the VPN tunnel?
A. Proxy IDs
B. GRE Encapsulation
C. Tunnel Monitor
D. ToS Header
Answer: A
Question #:48
Four configuration choices are listed, and each could be used to block access to a specific URL.
If you configured each choice to block the same URL, then which choice would be evaluated last in the
processing order to block access to the URL?
A. Custom URL category in URL Filtering profile
B. EDL in URL Filtering profile
C. PAN-DB URL category in URL Filtering profile
D. Custom URL category in Security policy rule
Answer: C
Question #:49
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and
groups defined in Active Directory.
What must be configured in order to select users and groups for those rules from Panorama?
A. A User-ID Certificate profile must be configured on Panorama.
B. The Security rules must be targeted to a firewall in the device group and have Group Mapping
configured.
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same
mappings.
D. A master device with Group Mapping configured must be set in the device group where the Security
rules are configured.

Answer: D
Explanation
When building Security rules in a Device Group that need to allow traffic to specific users and groups defined
in Active Directory, it's essential to have user and group information available in Panorama to select these
entities for the rules.
D. A master device with Group Mapping configured must be set in the device group where the Security
rules are configured:
The concept of a "master device" in Panorama refers to a specific firewall that is designated to provide
certain settings or information, such as user and group mappings from Active Directory, to Panorama.
This information can then be used across other firewalls within the same device group.
By configuring Group Mapping on a master device, Panorama can leverage this information to populate
user and group objects. These objects can then be used in Security rules within the device group,
allowing for the creation of policies that are based on user identity and group membership, as defined in
Active Directory.
This setup ensures that Panorama has the necessary context to apply user- and group-based policies
accurately across the managed firewalls, facilitating centralized management and consistency in policy
enforcement.
Question #:50
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an
administrator to compare?
A. The running configuration with the candidate configuration of the firewall
B. Applications configured in the rule with applications seen from traffic matching the same rule
C. Applications configured in the rule with their dependencies
D. The security rule with any other security rule selected
Answer: B
Explanation
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an
administrator to compare the applications configured in the rule with the applications seen from traffic
matching the same rule. This helps the administrator to identify any new applications that are not explicitly
defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured
applications. The compare option also shows the usage statistics and risk levels of the applications, and
provides suggestions for optimizing the rule by adding, removing, or replacing
applications12. References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)

Why use Security Policy Optimizer and what are the benefits?
Question #:51
A network security engineer is going to enable Zone Protection on several security zones How can the
engineer ensure that Zone Protection events appear in the firewall's logs?
A. Select the check box "Log packet-based attack events" in the Zone Protection profile
B. No action is needed Zone Protection events appear in the threat logs by default
C. Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall
D. Access the CLI in each firewall and enter the command set system setting additional-threat-log on
Answer: A
Question #:52
A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing
interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
A. DoS Protection profile
B. Data Filtering profile
C. Vulnerability Protection profile
D. URL Filtering profile
Answer: A
Question #:53

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-
OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS
images have previously been downloaded to a secure host on the network.
Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
A. Upload the image to Panorama > Software menu, and deploy it to the firewalls. *
B. Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the
firewalls.
C. Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.
D. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
Answer: D
Explanation
In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a
manual upload of the downloaded PAN-OS images. The process involves:
D. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls:
The engineer first uploads the downloaded PAN-OS images to Panorama. This is done through the
"Device Deployment" section, specifically under the "Software" menu. This area of Panorama's
interface is designed for managing PAN-OS versions and software updates for the managed devices.
Once the PAN-OS images are uploaded to Panorama, the engineer can then deploy these images to the
firewalls directly from Panorama. This process allows for centralized management of software updates,
ensuring that all firewalls can be updated to the latest PAN-OS version in a consistent and controlled
manner, even without direct internet access.
This method streamlines the update process for environments with strict security requirements, allowing for
the efficient deployment of necessary PAN-OS updates to maintain security and functionality.
Question #:54
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator
confirm that WildFire has identified a virus?
A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)'
C. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
D. By navigating to Monitor > Logs> Threat, applying filter "(subtype eq virus)"
Answer: A

Question #:55
To ensure that a Security policy has the highest priority, how should an administrator configure a Security
policy in the device group hierarchy?
A. Add the policy to the target device group and apply a master device to the device group.
B. Reference the targeted device's templates in the target device group.
C. Clone the security policy and add it to the other device groups.
D. Add the policy in the shared device group as a pre-rule
Answer: D
Explanation
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups
/manage-the-rule-hierarchy#idfb9e2593-a7f1-4e0d-aab5-a2903d654c99 https://docs.paloaltonetworks.com
/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-
management/device-groups/device-group-policies#id671977ca-1041-4605-8a80-fbc10f3f5d7b
Question #:56
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall
running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not
being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the virtual router
C. Look for configuration problems in Network > virtual router > OSPF
D. In the WebUI, view Runtime Stats in the logical router
Answer: A D
Explanation
A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers
/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752
D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-
networking

Question #:57
Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)
A. User logon
B. Push
C. One-Time Password
D. SSH key
E. Short message service
Answer: B C E
Question #:58
How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and
reboot.
B. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and
reboot.
C. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and
reboot.
D. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
Answer: B
Explanation
The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing
functionalities, allowing for more complex and robust routing configurations. To enable the Advanced
Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab,
select Virtual Routers, and then access the settings for the specific virtual router they wish to configure.
Within the Router Settings under the General tab, there's an option to enable Advanced Routing features.
After enabling this option, the administrator must commit the changes and perform a system reboot for the
changes to take effect. This process allows the firewall to utilize advanced routing protocols and features,
enhancing its ability to manage and route traffic more efficiently across different network segments.
Question #:59
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall
to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates,
the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A web server certificate signed by the organization's PKI
B. A self-signed certificate generated on the firewall
C. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A web server certificate signed by an external Certificate Authority
Answer: B
Question #:60
Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)
A. Threat
B. HIP Match
C. Traffic
D. Configuration
Answer: A C
Question #:61
A company wants to implement threat prevention to take action without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
A. TAP
B. Layer 2
C. Layer 3
D. Virtual Wire
Answer: B D
Question #:62

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action
will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
A. increase the frequency of the applications and threats dynamic updates.
B. Increase the frequency of the antivirus dynamic updates
C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.
D. Enable the "Report Grayware Files" option in Device > Setup > WildFire.
Answer: B
Question #:63
Please match the terms to their corresponding definitions.
Answer:
Explanation

Graphical user interface Description automatically generated with medium confidence
Question #:64
An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS
attacks.
Which sessions does Packet Buffer Protection apply to?
A. It applies to existing sessions and is global.
B. It applies to new sessions and is not global.
C. It applies to existing sessions and is not global.
D. It applies to new sessions and is global.
Answer: A
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-
defense/packet-buffer-protection
Question #:65
A firewall engineer has determined that, in an application developed by the company's internal team, sessions
often remain idle for hours before the client and server exchange any data. The application is also currently

identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the
application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for
reporting purposes.
Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the
application?
A. Create a custom application with specific timeouts and signatures based on patterns discovered in
packet captures.
B. Access the Palo Alto Networks website and raise a support request through the Customer Support
Portal.
C. Create a custom application with specific timeouts, then create an application override rule and
reference the custom application.
D. Access the Palo Alto Networks website and complete the online form to request that a new application
be added to App-ID.
Answer: C
Explanation
For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long
periods, creating a custom application and using an application override rule is the most time-efficient
solution.
C. The process involves:
Creating a custom application in the Palo Alto Networks firewall and configuring it with specific
timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does
not prematurely close the application's sessions due to inactivity.
Next, creating an application override rule that references the custom application. This rule directs the
firewall to identify traffic matching the rule criteria (such as source, destination, and port information)
as the custom application, bypassing the App-ID engine's regular identification process.
This approach allows for the quick implementation of a solution that ensures the application is properly
identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification
and reporting.
Question #:66
View the screenshots


A QoS profile and policy rules are configured as shown. Based on this information which two statements are
correct?
A. SMTP has a higher priority but lower bandwidth than Zoom.
B. DNS has a higher priority and more bandwidth than SSH.
C. google-video has a higher priority and more bandwidth than WebEx.
D. Facetime has a higher priority but lower bandwidth than Zoom.
Answer: B D
Question #:67
A firewall administrator wants to be able at to see all NAT sessions that are going ‘through a firewall with
source NAT. Which CLI command can the administrator use?
A. show session all filter nat-rule-source
B. show running nat-rule-ippool rule "rule_name
C. show running nat-policy
D. show session all filter nat source
Answer: D

Question #:68
An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?
A. Data Filtering
B. Configuration
C. Threat
D. Traffic
Answer: C
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
Question #:69
An engineer is configuring a template in Panorama which will contain settings that need to be applied to all
firewalls in production.
Which three parts of a template an engineer can configure? (Choose three.)
A. NTP Server Address
B. Antivirus Profile
C. Authentication Profile
D. Service Route Configuration
E. Dynamic Address Groups
Answer: A C D
A, C, and D are the correct answers because they are the parts of a template that an engineer can
configure in Panorama. A template is a collection of device and network settings that can be pushed to
multiple firewalls from Panorama1. A template can contain settings such as2:
A: NTP Server Address: This is the address of the Network Time Protocol server that
synchronizes the time on the firewall.
C: Authentication Profile: This is the profile that defines how the firewall authenticates users and
administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and
source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.
Question #:70
Which two are required by IPSec in transport mode? (Choose two.)
A. Auto generated key
B. NAT Traversal
C. IKEv1
D. DH-group 20 (ECP-384 bits)
Answer: C D
Question #:71
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the
internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Answer: D
Explanation
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-
signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for
each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when
you decommission a device (or device pair) without affecting the rest of the deployment and reduces the
impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each
firewall also helps troubleshoot issues because the CA error message the user sees includes information about
the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the
granularity of that information.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Question #:72

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company
also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors.
There is known logging peak time during the day, and the security team has asked the firewall engineer to
determined how many logs per second the current Palo Alto Networking log processing at that particular time.
Which method is the most time-efficient to complete this task?
A. Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector
during the peak time.
B. Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find
out how many logs have been received.
C. Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall
and check the log rates during the peak time.
D. Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the
peak time.
Answer: A
Question #:73
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the
Panorama servers, but gets an error when attempting the install.
When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?
A. Outdated plugins
B. Global Protect agent version
C. Expired certificates
D. Management only mode
Answer: A
Explanation
One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated
plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud
services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be
updated before or after upgrading Panorama, depending on the plugin compatibility matrix2. If the plugins are
not updated accordingly, the upgrade process may fail or cause issues with Panorama
functionality3. References: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your
Panorama Upgrade, PCNSE Study Guide (page 54)
Question #:74

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover
event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other
HA firewall is operational?
A. Monitor Fail Hold Up Time
C. Heartbeat Interval

D. Hello Interval
Answer: D
Explanation
The timer that determines the frequency between packets sent to verify that the HA functionality on the other
HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between
hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval
is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet
from its peer within the specified interval, it will declare the peer as failed and initiate a
failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices
Question #:75
An engineer is pushing configuration from Panorama to a managed firewall What happens when the pushed
Panorama configuration has Address Object names that duplicate the Address Objects already configured on
the firewall?
A. The firewall ignores only the pushed objects that have the same name as the locally configured objects,
and it will commit the rest of the pushed configuration.
B. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects
C. The firewall rejects the pushed configuration, and the commit fails.
D. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will
update the references to the objects accordingly and fully commit the pushed configuration.
Answer: C
Question #:76
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama
will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The
administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same
template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)
A. collector groups
B. template stacks
C. virtual systems
D.

D. variables
Answer: B D
Explanation
When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial
to have a scalable configuration approach. Panorama offers several features to help scale configurations
efficiently:
B. Template stacks:
Template stacks in Panorama allow administrators to create a collection of configuration templates that
can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared
settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring
uniformity and reducing the effort required to manage individual firewall configurations.
D. Variables:
Variables in Panorama provide a way to customize template configurations for individual firewalls or
device groups without altering the overall template. For example, a variable can be used to define a
unique IP address, hostname, or other specific settings within a shared template. When the template is
applied, Panorama replaces the variables with the actual values specified for each device or device
group, allowing for customization within a standardized framework.
By using template stacks and variables, an administrator can rapidly deploy and manage configurations across
multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements.
This approach streamlines the deployment process and enhances the manageability of a widespread
GlobalProtect infrastructure.
Question #:77
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent?
(Choose two.)
A. Log Ingestion
B. HTTP
C. Log Forwarding
D. LDAP
Answer: B C
Explanation

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs.
>Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding
profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com
/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
Question #:78
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco
TrustSec Layer 2 protections
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are
identified and actions are taken upon them?
A. TCP Fast Open in the Strip TCP options
B. Ethernet SGT Protection
C. Stream ID in the IP Option Drop options
D. Record Route in IP Option Drop options
Answer: B
Explanation
Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic.
When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco
TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize
SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.The use of
Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration
documentation and in interoperability guides between Palo Alto Networks and Cisco systems.
Question #:79
A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)
A. Windows User-ID agent
B. GlobalProtect
C. XMLAPI
D. External dynamic list
E. Dynamic user groups
Answer: A B C

Explanation
User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on
their usernames, IP addresses, and other attributes1. User-ID information can be collected from various
sources, such as:
A: Windows User-ID agent: A software agent that runs on a Windows server and collects user
information from Active Directory domain controllers, Exchange servers, or eDirectory servers2. The
agent then sends the user information to the firewall or Panorama for user mapping2.
B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the
network3. GlobalProtect also collects user information from the endpoints and sends it to the firewall or
Panorama for user mapping4.
C: XMLAPI: An application programming interface that allows external systems or scripts to send user
information to the firewall or Panorama in XML format. The XMLAPI can be used to integrate with
third-party systems, such as identity providers, captive portals, or custom applications.
Question #:80
Which function does the HA4 interface provide when implementing a firewall cluster which contains
firewalls configured as active-passive pairs?
A. Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.
B. Perform synchronization of routes, IPSec security associations, and User-ID information.
C. Perform session cache synchronization for all HA cluster members with the same cluster ID.
D. Perform synchronization of sessions, forwarding tables, and IPSec security associations between
firewalls in an HA pair.
Answer: D
Explanation
In a High Availability (HA) configuration, particularly in an active-passive setup, it's crucial that the passive
unit is kept up to date with the current state of the active unit. This ensures a seamless transition in the event
of a failover. The HA4 interface is dedicated to this synchronization task.
D. Perform synchronization of sessions, forwarding tables, and IPSec security associations between
firewalls in an HA pair:
The HA4 interface is responsible for the synchronization of critical stateful information between the
active and passive units in an HA pair. This includes session information, ensuring that the passive unit
can continue existing sessions without interruption if it needs to become active.

In addition to session information, HA4 also synchronizes forwarding tables, which contain information
on how to route packets, and IPSec security associations, which are necessary for maintaining secure
VPN tunnels.
This synchronization ensures that both units in an HA pair have identical information regarding the current
state of the network, sessions, and security associations, enabling a smooth and immediate transition to the
passive unit in case the active unit fails.
Question #:81
When using certificate authentication for firewall administration, which method is used for authorization?
A. Local
B. Radius
C. Kerberos
D. LDAP
Answer: A
Explanation
When using certificate authentication for firewall administration on Palo Alto Networks devices, the method
used for authorization is typically the Local database. Certificate authentication ensures that the entity
attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for
authentication, the authorization process determines what level of access or permissions the authenticated
entity has. This is usually managed locally on the firewall, where administrators can define roles and
permissions associated with different users or certificates. Thus, the authorization process, in this case,
leverages the Local database to enforce access controls and permissions, aligning with best practices for
secure management of network devices.
Question #:82
Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:47 67
A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
Answer: C

Explanation
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
Question #:83
An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama
template and the local firewall configuration.
When overriding the firewall configuration pushed from Panorama, what should you consider?
A. The firewall template will show that it is out of sync within Panorama.
B. The modification will not be visible in Panorama.
C. Only Panorama can revert the override.
D. Panorama will update the template with the overridden value.
Answer: B
Explanation
When managing firewalls with Panorama, configurations can be pushed from Panorama templates to managed
firewalls. However, there are scenarios where specific settings need to be overridden on the local firewall
level due to unique requirements or exceptions.
B. The modification will not be visible in Panorama:
When an override is made directly on the firewall, this change is not automatically reflected back in
Panorama's templates or device groups. The local configuration on the firewall will take precedence
over the Panorama pushed configuration for the overridden settings, but these local changes will not be
visible in the Panorama interface. This means that while Panorama maintains central control and
visibility over the bulk of the configuration, it does not have visibility into local overrides made directly
on the firewalls.
This distinction is crucial for auditors and administrators to understand, as it impacts how configurations are
managed and synchronized between Panorama and the individual firewalls. Local overrides provide flexibility
but require careful management to ensure consistency and compliance with security policies.
Question #:84
The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this
server By default, which component of the Palo Alto Networks firewall architect is responsible for log
forwarding and should be checked for early signs of overutilization?
A. Management plane CPU
B.

B. Dataplane CPU
C. Packet buffers
D. On-chip packet descriptors
Answer: A
Question #:85
Which two items must be configured when implementing application override and allowing traffic through
the firewall? (Choose two.)
A. Application filter
B. Application override policy rule
C. Security policy rule
D. Custom app
Answer: B C
Explanation
When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly
define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process.
This is particularly useful for traffic that might be misidentified by App-ID or for applications that require
special handling for performance reasons.
To successfully implement application override, the following items must be configured:
B. Application override policy rule:This is a specialized policy rule that you create to specify the criteria for
the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports.
Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the
application override policy to classify the traffic.
C. Security policy rule:After defining an application override policy, you must also configure a security
policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny,
drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security
policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is
allowed through the firewall.
For detailed guidance on configuring application override and the necessary security policies, refer to the
official Palo Alto Networks documentation. This resource provides step-by-step instructions and best
practices for effectively managing traffic using application overrides.
Question #:86

An engineer needs to permit XML API access to a firewall for automation on a network segment that is
routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment
cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?
A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Add the network segment's IP range to the Permitted IP Addresses list.
C. Enable HTTPS in an Interface Management profile on the subinterface.
D. Configure a service route for HTTP to use the subinterface.
Answer: C
Explanation
To enable XML API access to a firewall for automation from a network segment routed through a Layer 3
sub-interface, the most straightforward approach is to use an Interface Management profile.
C. This can be achieved by:
Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines
management services that are permitted on the interface, including HTTPS, which is required for XML
API access.
Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables
HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected
network segment to communicate with the firewall for automation purposes.
This solution allows for the secure extension of management capabilities to network segments without direct
access to the dedicated management interface, facilitating automation and operational efficiency without
necessitating changes to existing access configurations.
Question #:87
An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are
mandatory as part of the bootstrap package directory structure? (Choose three.)
A. /content
B. /software
C. /piugins
D. /license
E. /opt

Answer: A B D
Question #:88
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
A. PA-220
B. PA-800 Series
C. PA-5000 Series
D. PA-500
E. PA-3400 Series
Answer: A B E
Explanation
https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-
next-gen-firewalls
Question #:89
A network administrator is trying to prevent domain username and password submissions to phishing sites on
some allowed URL categories
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential
phishing on the firewall?
A. Choose the URL categories in the User Credential Submission column and set action to block Select the
User credential Detection tab and select Use Domain Credential Filter Commit
B. Choose the URL categories in the User Credential Submission column and set action to block Select the
User credential Detection tab and select use IP User Mapping Commit
C. Choose the URL categories on Site Access column and set action to block Click the User credential
Detection tab and select IP User Mapping Commit
D. Choose the URL categories in the User Credential Submission column and set action to block Select the
URL filtering settings and enable Domain Credential Filter Commit
Answer: A
Explanation

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-
up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-
credential-phishing-prevention
Question #:90
If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?
A. Post-NAT destination address
B. Pre-NAT destination address
C. Post-NAT source address
D. Pre-NAT source address
Answer: C
Explanation
If an administrator wants to apply QoS to traffic based on source, they must specify the post-NAT source
address in a QoS policy rule. This is because QoS is enforced on traffic as it egresses the firewall, and the
firewall applies NAT rules before QoS rules. Therefore, the firewall will match the QoS policy rule based on
the translated source address, not the original source address. If the administrator uses the pre-NAT source
address in the QoS policy rule, the firewall will not be able to identify the traffic correctly and apply the
desired QoS treatment. References:
QoS Policy
Configure QoS
Question #:91
An administrator is required to create an application-based Security policy rule to allow Evernote. The
Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
A. Add the Evernote application to the Security policy rule, then add a second Security policy rule
containing both HTTP and SSL.
B. Create an Application Override using TCP ports 443 and 80.
C. Add the HTTP. SSL. and Evernote applications to the same Security policy.
D. Add only the Evernote application to the Security policy rule.

Answer: D
Explanation
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330
To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the
Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that
identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly
uses SSL and web browsing as dependencies, which means that the firewall automatically allows these
applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web
browsing applications to the same Security policy rule. Adding these applications would broaden the scope of
the rule and potentially allow unwanted traffic12. References: App-ID Overview, Create a Security Policy
Rule
Question #:92
Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose
three.)
A. Check dependencies
B. Schedules
C. Verify
D. Revert content
E. Install
Answer: B D E
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-
device-deployment/manage-software-and-content-updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-
device-deployment/panorama-dynamic-updates-revert-content
Question #:93
Exhibit.

Review the screenshots and consider the following information
1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
A. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1
B. Server-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
Answer: A
Explanation
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG

REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses. The device groups
have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child
group.
FW-1_DG:
Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device
group.
OFFICE_FW_DG (for FW-2):
Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from
Shared.
In the Shared group, Server-1 has IP 1.1.1.1.
Question #:94
Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
A. Configure the decryption profile.
B. Define a Forward Trust Certificate.
C. Configure SSL decryption rules.
D. Configure a SSL/TLS service profile.
Answer: B C
Explanation

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must
be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:
B. Define a Forward Trust Certificate:
A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by
the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall
decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes
from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often
requiring the Forward Trust CA certificate to be distributed and installed on client devices.
C. Configure SSL decryption rules:
SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify
the source, destination, service, and URL category, among other criteria. The rules define what traffic
the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy
requirements.
Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the
decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden
within encrypted sessions.
Question #:95
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type
device that is not joined to the corporate domain?
A. an Authentication policy with 'unknown' selected in the Source User field
B. an Authentication policy with 'known-user' selected in the Source User field
C. a Security policy with 'known-user' selected in the Source User field
D. a Security policy with 'unknown' selected in the Source User field
Answer: A
Explanation
For a network security administrator to authenticate and identify a user with a new BYOD-type device that is
not joined to the corporate domain, the most effective method is to use an Authentication policy targeting
users not yet identified by the system.
A. an Authentication policy with 'unknown' selected in the Source User field:
An Authentication policy allows the firewall to challenge unidentified users for credentials. By
selecting 'unknown' in the Source User field, the policy targets users who have not yet been identified
by the firewall, which would include users on new BYOD devices not joined to the domain.

Once the user provides valid credentials, the firewall can authenticate the user and map their identity to
subsequent sessions, enabling the application of user-based policy rules and monitoring.
This approach ensures that new and unknown devices can be properly authenticated and identified without
compromising security or requiring the device to be part of the corporate domain.
Question #:96
Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?
A. Log Collector
B. Panorama
C. Legacy
D. Management Only
Answer: D
Question #:97
An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's
dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?
A. Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for
heartbeat backup
B. Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management
Interface Settings
C. Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup
under Election Settings
D. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications >
Packet Forwarding settings.
Answer: B
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK
Question #:98
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)?
(Choose two.)
A. A Deny policy for the tagged traffic
B. An Allow policy for the initial traffic
C. A Decryption policy to decrypt the traffic and see the tag
D. A Deny policy with the "tag" App-ID to block the tagged traffic
Answer: B D
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups
Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to
configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny
traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow
traffic must have a higher rule number in your rulebase than the rule that denies traffic.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy
Question #:99

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a
forward trust certificate have? (Choose two.)
A. A subject alternative name
B. A private key
C. A server certificate
D. A certificate authority (CA) certificate
Answer: B D
Explanation
The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:
B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the
decrypted sessions. The private key must be securely stored on the firewall and not shared with
anyone1.
D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the
certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and
devices that receive the certificates from the firewall1.
Question #:100
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and
install the CA certificate, and clearly notify them that their traffic will be decrypted?
A. Authentication Portal
B. SSL Decryption profile
C. SSL decryption policy
D. comfort pages
Answer: A
Explanation
An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to
download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An
authentication portal is a web page that the firewall displays to users who need to authenticate before
accessing the network or the internet. The authentication portal can be customized to include a welcome
message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication

portal can also be configured to use different authentication methods, such as local database, RADIUS,
LDAP, Kerberos, or SAML1. By using an authentication portal, the firewall can redirect BYOD users to a
web page where they can learn about the decryption policy, download and install the CA certificate, and agree
to the terms of use before accessing the network or the internet2.
An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them
how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An
SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it
decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol
handling, session caching, session resumption, algorithm selection, etc3. An SSL decryption profile does not
provide any user identification or notification functions.
An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them
how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An
SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various
criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption
policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL
Inbound Inspection, or SSH Proxy4. An SSL decryption policy does not provide any user identification or
notification functions.
Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to
download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort
pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to
security policy or technical reasons. Comfort pages can include information such as the reason for blocking or
failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc5. Comfort pages do
not provide any user identification or notification functions before decrypting the traffic.
References: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL
Decryption Profile, Decryption Policy, Comfort Pages

How to Implement SSH Decryption on a Palo Alto Networks Device
Question #:101
A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver
hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP
address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?
A. None
B. Outside
C. DMZ
D. Inside
Answer: D
Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples
/destination-nat-exampleone-to-one-mapping
Question #:102
A network security administrator has an environment with multiple forms of authentication. There is a
network access control system in place that authenticates and restricts access for wireless users, multiple
Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices
have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
A. Captive portal
B. Standalone User-ID agent
C. Syslog listener
D. Agentless User-ID with redistribution
Answer: C
Explanation
A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment
with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to
receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog
listener can collect user mapping information from a variety of sources, such as network access control
systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more2. A
syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS,
iOS, Android, etc3. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-
ID deployment in a large-scale network. References: Configure a Syslog Listener for User Mapping, User-ID
Agent Deployment Guide, PCNSE Study Guide (page 48)
Question #:103
A network security engineer needs to ensure that virtual systems can communicate with one another within a
Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.
In addition to confirming security policies, which three configuration details should the engineer focus on to
ensure communication between virtual systems? {Choose three.)
A. External zones with the virtual systems added.
B. Layer 3 zones for the virtual systems that need to communicate.
C. Add a route with next hop set to none, and use the interface of the virtual systems that need to
communicate.
D. Add a route with next hop next-vr by using the VR configured in the virtual system.
E. Ensure the virtual systems are visible to one another.
Answer: A D E
Explanation
For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when
separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and
security policy enforcement. The key aspects to focus on include:

A. External zones with the virtual systems added:
External zones are special types of zones that are used to facilitate traffic flow between virtual systems
within the same physical firewall. By adding virtual systems to an external zone, you enable them to
communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.
D. Add a route with next hop next-vr by using the VR configured in the virtual system:
When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by
adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys.
This setup enables traffic to be routed from one virtual system's VR to another, facilitating
communication between them.
E. Ensure the virtual systems are visible to one another:
Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves
configuring the virtual systems in a way that they are aware of each other's existence. This is typically
managed in the vSys settings, where you can specify which virtual systems can communicate with each
other.
By focusing on these configuration details, the network security engineer can ensure that the virtual systems
can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.
Question #:104
Which server platforms can be monitored when a company is deploying User-ID through server monitoring in
an environment with diverse directory services?
A. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
B. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
C. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
D. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
Answer: C
Explanation
When deploying User-ID in environments with diverse directory services, Palo Alto Networks firewalls have
the capability to monitor several types of servers to gather user mapping information. Among the options
provided:
C. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange:
Red Hat Linux: Palo Alto Networks User-ID can monitor Linux systems to gather user information,
typically by integrating with services like syslog or by using an agent that reads user login events.

Microsoft Active Directory: This is one of the most common sources for User-ID, as Active Directory
is widely used for user management and authentication. User-ID can directly integrate with Active
Directory to read security event logs, capturing user login and logout events.
Microsoft Exchange: While not directly monitored for user login events, Microsoft Exchange can be a
source of IP-to-user mapping information, especially for users accessing email services. This can be
achieved by parsing Exchange logs for client access information.
These platforms can provide valuable data for User-ID, enabling the firewall to apply policies based on user
identity across diverse network environments.
Question #:105
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None
of the peer addresses are known
What can the administrator configure to establish the VPN connection?
A. Set up certificate authentication.
B. Use the Dynamic IP address type.
C. Enable Passive Mode
D. Configure the peer address as an FQDN.
Answer: B
Explanation
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can
enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer
device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate
authentication, would require the administrator to know the peer device's certificate. Option C, using the
Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address.
Option D, configuring the peer address as an FQDN, would require the administrator to know the peer
device's fully qualified domain name.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
Question #:106
A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the
engineer use to gather information about the application patterns'? (Choose two.)
A. Traffic logs
B. Data filtering logs
C.

C. Policy Optimizer
D. Wireshark
Answer: D
Question #:107
As a best practice, logging at session start should be used in which case?
A. While troubleshooting
B. Only on Deny rules
C. On all Allow rules
D. Only when log at session end is enabled
Answer: A
Question #:108
Which statement regarding HA timer settings is true?
A. Use the Recommended profile for typical failover timer settings
B. Use the Moderate profile for typical failover timer settings
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.
Answer: A
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
Question #:109
What can the Log Forwarding built-in action with tagging be used to accomplish?
A. Block the source zones of selected unwanted traffic.
B. Block the destination IP addresses of selected unwanted traffic.
C. Forward selected logs to the Azure Security Center.
D.

D. Block the destination zones of selected unwanted traffic.
Answer: B
Explanation
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated
actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be
used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the
destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic
to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a
policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' "PAN-OS® Administrator’s Guide" provides information
on log forwarding and automated actions.
Question #:110
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS.
The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors.
What is the recommended order of operational steps when upgrading?
A. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
B. Upgrade the firewalls, upgrade log collectors, upgrade Panorama
C. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
D. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
Answer: C
Explanation
When planning an upgrade in an environment that includes Panorama, firewalls, and log collectors, it's crucial
to follow the recommended sequence to ensure compatibility and minimize disruptions. Palo Alto Networks
recommends the following order:
Upgrade Panorama: Start with Panorama because it's the central management platform. Upgrading
Panorama first ensures that it's compatible with the new PAN-OS versions that the managed devices
(firewalls and log collectors) will be upgraded to. Panorama must be able to support the new versions
for it to manage and monitor the devices effectively.
Upgrade the log collectors: Next, upgrade the log collectors. Since log collectors work closely with
Panorama to aggregate and store logs from the firewalls, they should be upgraded after Panorama to
ensure compatibility. Upgrading the log collectors ensures they can handle the log formats and features
introduced in the new PAN-OS version.

Upgrade the firewalls: Finally, upgrade the firewalls. The firewalls are the last components to be
upgraded to ensure that they remain compatible with the management and log collection infrastructure.
Upgrading the firewalls last minimizes the risk of compatibility issues with Panorama and log collectors.
This sequence ensures that all components are compatible and that the management and logging infrastructure
can fully support the firewalls running the latest PAN-OS version.
Question #:111
Which type of zone will allow different virtual systems to communicate with each other?
A. Tap
B. External
C. Virtual Wire
D. Tunnel
Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-
systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
Question #:112
Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls
inside the DATACENTER_DG device group?
A. shared pre-rules
DATACENTER DG pre rules
rules configured locally on the firewall
shared post-rules

DATACENTER_DG post-rules
DATACENTER.DG default rules
B. shared pre-rules
DATACENTER_DG pre-rules
shared post-rules
DATACENTER.DG post-rules
shared default rules
C. shared pre-rules
shared post-rules
shared default rules
D. shared pre-rules
shared post-rules
DATACENTER_DG default rules
Answer: A
Question #:113
An administrator wants to configure the Palo Alto Networks Windows User-D agent to map IP addresses to u:
‘The company uses four Microsoft Active ‘servers and two Microsoft Exchange servers, which can provide

logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27.
The Microsoft Active Directory in 192.168.28.22/128, and the Microsoft Exchange reside in 192,168.28 48
/28. What the 0 the User
A. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.40/28
Exchange
B. network 192.188 28 32/27 with server type Microsoft
C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically
obtain all five of the other servers
D. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for
each of the six servers
Answer: D
Question #:114
Which feature of Panorama allows an administrator to create a single network configuration that can be
reused repeatedly for large-scale deployments even if values of configured objects, such as routes and
interface addresses, change?
A. the 'Shared' device group
B. template stacks
C. a device group
D. template variables
Answer: D
Question #:115
Which new PAN-OS 11.0 feature supports IPv6 traffic?
A. DHCPv6 Client with Prefix Delegation
B. OSPF
C. DHCP Server
D. IKEv1
Answer: A
Explanation

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table
Question #:116
A firewall engineer is configuring quality of service (OoS) policy for the IP address of a specific server in an
effort to limit the bandwidth consumed by frequent downloads of large files from the internet.
Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule?
A. Post-NAT source IP address Pre-NAT source zone
B. Post-NAT source IP address Post-NAT source zone
C. Pre-NAT source IP address Post-NAT source zone
D. Pre-NAT source IP address Pre-NAT source zone
Answer: D
Explanation
When configuring Quality of Service (QoS) policies, particularly for traffic going to or from specific IP
addresses and involving NAT, it's important to base the rule on how the firewall processes the traffic. For
QoS, the firewall evaluates traffic using pre-NAT IP addresses and zones because QoS policies typically need
to be applied before the NAT action occurs. This is especially true for inbound traffic, where the goal is to
limit bandwidth before the destination IP is translated.
The correct combination for a QoS rule in this scenario, where the aim is to limit bandwidth for downloads
from a specific server (implying inbound traffic to the server), would be:
D. Pre-NAT source IP address Pre-NAT source zone:
Pre-NAT source IP address: This refers to the original IP address of the client or source device before
any NAT rules are applied. Since QoS policies are evaluated before NAT, using the pre-NAT IP
address ensures that the policy applies to the correct traffic.
Pre-NAT source zone: This is the zone associated with the source interface before NAT takes place.
Using the pre-NAT zone ensures that the QoS policy is applied to traffic as it enters the firewall, before
any translations or routing decisions are made.
By configuring the QoS rule with pre-NAT information, the firewall can accurately apply bandwidth
limitations to the intended traffic, ensuring efficient use of network resources and mitigating the impact of
large file downloads from the specified server.
For detailed guidelines on configuring QoS policies, refer to the Palo Alto Networks documentation, which
provides comprehensive instructions and best practices for managing bandwidth and traffic priorities on the
network.
Question #:117

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter
firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the
administrator assign these settings through the use of template stacks?
A. Create one template stack and place the BranchOffice_Template in higher priority than
Datacenter_Template.
B. Create one template stack and place the Datanceter_Template in higher priority than
BranchOffice_template.
C. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that
Datacenter_Template and BranchOffice_template are at the bottom of their stack.
D. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that
Datacenter_template are at the top of their stack
Answer: D
Question #:118
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
A. Deny
B. Discard
C. Allow
D. Next VR
Answer: B
Explanation
Set the Action to take when matching a packet:
Forward—Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems)—Select the virtual system to which to
forward the packet.
Discard—Drops the packet.
No PBF—Excludes packets that match the criteria for source, destination, application, or service defined in
the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the
matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-
based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

Question #:119
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and
Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured
containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."
Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'
A. Active-Secondary
B. Non-functional
C. Passive
D. Active
Answer: D
Question #:120
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms The network team has reported excessive traffic on the corporate WAN How could the
Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing
monitoring/security platforms?
A. Any configuration on an M-500 would address the insufficient bandwidth concerns
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the
NGFW
C.

C. Configure log compression and optimization features on all remote firewalls
D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external
services.
Answer: D
Question #:121
An engineer configures a specific service route in an environment with multiple virtual systems instead of
using the inherited global service route configuration.
What type of service route can be used for this configuration?
A. IPv6 Source or Destination Address
B. Destination-Based Service Route
C. IPv4 Source Interface
D. Inherit Global Setting
Answer: C
Explanation
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/customize-service-routes-for-a-
virtual-system/customize-service-routes-to-services-for-virtual-systems
Question #:122
A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A
company employee receives an email containing an unknown link that downloads a malicious Portable
Executable (PE) file.
What does Advanced WildFire do when the link is clicked?
A. Performs malicious content analysis on the linked page, but not the corresponding PE file.
B. Performs malicious content analysis on the linked page and the corresponding PE file.
C. Does not perform malicious content analysis on either the linked page or the corresponding PE file.
D. Does not perform malicious content analysis on the linked page, but performs it on the corresponding
PE file.
Answer: D
Explanation

Palo Alto Networks' WildFire service is designed to perform advanced analysis on files to identify and protect
against new and evolving threats. When a WildFire analysis profile is configured to forward any file type to
the WildFire public cloud, the service analyzes files that pass through the firewall based on the policy
configuration.
D. Does not perform malicious content analysis on the linked page, but performs it on the
corresponding PE file:
When a user clicks on an unknown link that downloads a Portable Executable (PE) file, WildFire's
primary focus is on the file itself rather than the webpage from which it originated. The service analyzes
the PE file to determine if it contains malicious content. This analysis includes static and dynamic
inspection techniques to uncover any malicious behavior.
The webpage hosting the link may not be analyzed as part of this process unless specific protections or
URL filtering policies are in place that trigger such an analysis. The primary concern in this scenario is
the PE file, which is directly analyzed by WildFire for malicious content.
By focusing on the files that could pose a direct threat to the network, WildFire provides a robust mechanism
for identifying and mitigating potential security risks associated with file downloads.
Question #:123
An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious
activity.
The profile is configured to provide granular defense against targeted flood attacks for specific critical
systems that are accessed by users from the internet.
Which profile is the engineer configuring?
A. Packet Buffer Protection
B. Zone Protection
C. Vulnerability Protection
D. DoS Protection
Answer: D
Explanation
The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against
malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-
of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection
profile can provide granular defense against targeted flood attacks for specific critical systems that are
accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection

profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and
can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other
IP floods12. References: DoS Protection, PCNSE Study Guide (page 58)
Question #:124
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to
respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be
configured on the firewall?
A. NAT Rule:
Source Zone: Trust -
Source IP: Any -
Destination Zone: Server -
Destination IP: 172.16.15.10 -
Source Translation: Static IP / 172.16.15.1
Security Rule:
Source IP: Any -
Destination Zone: Trust -
Application: ssh
B. NAT Rule:
Source IP: 192.168.15.0/24 -
Destination Translation: Static IP / 172.16.15.10
Security Rule:

Source IP: 192.168.15.0/24 -
Application: ssh
C. NAT Rule:
Source IP: Any -
Destination Translation: Static IP /172.16.15.10
Security Rule:
Source IP: Any -
Application: ssh
D. NAT Rule:
Source IP: Any -
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule:
Source IP: Any -

Application: ssh
Answer: D
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat
/source-nat
Question #:125
A company is expanding its existing log storage and alerting solutions All company Palo Alto Networks
firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS
support? (Choose two)
A. SSL
B. TLS
C. HTTP
D. Email
Answer: C D
Question #:126
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone
access to a server in the same zone by using an external,
public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?


A. Change destination NAT zone to Trust_L3.
B. Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.
C. Change Source NAT zone to Untrust_L3.
D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
Answer: D
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
Question #:127
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.
What part of the configuration should the engineer verify?
A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions
Answer: C
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.
paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789
Question #:128
What must be configured to apply tags automatically based on User-ID logs?

A. Device ID
B. Log Forwarding profile
C. Group mapping
D. Log settings
Answer: D
Explanation
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that
specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached
to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the
rule. The tags can then be used for dynamic address groups, policy enforcement, or
reporting1. References: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
Question #:129
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon
opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can
the administrator do to limit the captured traffic to the newly configured filter?
A. Command line > debug dataplane packet-diag clear filter-marked-session all
B. In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface
C. Command line> debug dataplane packet-diag clear filter all
D. In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"
Answer: C
Question #:130
An administrator needs to assign a specific DNS server to an existing template variable. Where would the
administrator go to edit a template variable at the device level?
A. "Managed Devices > Device Association"
B. PDF Export under "Panorama > Templates"
C. Variable CSV export under "Panorama > Templates"
D. Manage variables under "Panorama > Templates"
Answer: D

Question #:131
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and
pushed to the devices at the end of the day at a certain time. How can they achieve this?
A. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to
commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to
commit all Panorama changes
D. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices
Answer: A
Question #:132
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a
DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address
assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to
work? (Choose two.)
Site A configuration:
A. Enable NAT Traversal on Site B firewall
B. Configure Local Identification on Site firewall
C. Disable passive mode on Site A firewall
D. Match IKE version on both firewalls.
Answer: C D
Explanation
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode
is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE
negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP,
it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel
establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1
to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that
this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with
dynamic peering not working.
Question #:133
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption
roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website
warnings.
What is the cause of the unsecured website warnings?
A. The forward untrust certificate has not been signed by the self-singed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
D. The forward trust certificate has not been signed by the self-singed root CA certificate.
Answer: D
Explanation
The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the
self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the
server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the
forward trust certificate and presents it to the client. The client then verifies the signature using the public key
of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning
message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this
case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should
be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate
has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This
causes the client to reject the signature and show a warning message. To fix this issue, the administrator
should generate a new forward trust certificate and sign it with the self-signed root CA
certificate12. References: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption
Question #:134

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user
mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration
Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping
/globalprotect.html
GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user
connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-
user mappings are explicitly known.
Question #:135
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight
Unused Rules and the Rule Usage Hit counters immediately after a reboot?
A. Highlight Unused Rules will highlight all rules.
B. Highlight Unused Rules will highlight zero rules.
C. Rule Usage Hit counter will not be reset
D. Rule Usage Hit counter will reset
Answer: A C
Question #:136
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
A. Initial
B. Tentative
C. Passive
D.

D. Active-secondary
Answer: B
Explanation
In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored
path, it enters the “Tentative” state1. This state indicates that the firewall is synchronizing sessions and
configurations from its peer due to a failure or a change in monitored objects such as a link or path. The
firewall in this state is not fully functional but is working towards resuming normal operations by syncing
with its peer. Therefore, the correct answer is B. Tentative.
Firewall Stuck in Initial (Leaving Suspended State) - Palo Alto Networks
Question #:137
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also
plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the
original destination IP address and translated destination IP address configured for the rule. The engineer
wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
A. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the
destination port equal to UDP/53.
B. Enable DNS rewrite under the destination address translation in the Translated Packet section of the
NAT rule with the direction Forward.
C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the
NAT rule with the direction Reverse.
D. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the
destination port equal to UDP/53.

Answer: B
Explanation
If the DNS response matches the Original Destination Address in the rule, translate the DNS response using
the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the
firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1
/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-
cases#id0d85db1b-05b9-4956-a467-f71d558263bb
Question #:138
A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama
manages a number of PA-7000 Series and PA-5200 Series devices All device group and template
configuration is managed solely within Panorama
They notice that commit times have drastically increased for the PA-220S after the migration
What can they do to reduce commit times?
A. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
B. Update the apps and threat version using device-deployment
C. Perform a device group push using the "merge with device candidate config" option
D. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama
config.
Answer: A
Explanation
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups
/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
Question #:139
Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

A. The User-ID agent is connected to a domain controller labeled lab-client
B. The host lab-client has been found by a domain controller
C. The host lab-client has been found by the User-ID agent.
D. The User-ID aaent is connected to the firewall labeled lab-client
Answer: A
Question #:140
A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A
best-practice action taken by the engineer is configure an applications and Threats update schedule with a new
App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with
regard to dynamic updates? (Choose two.)
A. Create a Security policy rule with an application filter to always allow certain categories of new App-
IDs.
B. Click "Review Apps" after application updates are installed in order to assess how the changes might
impact Security policy.
C.

C. Select the action "download-only" when configuring an Applications and Threats update schedule.
D. Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours
Answer: B C
Question #:141
An administrator needs to gather information about the CPU utilization on both the management plane and the
data plane. Where does the administrator view the desired data?
A. Support > Resources
B. Application Command and Control Center
C. Resources Widget on the Dashboard
D. Monitor > Utilization
Answer: C
Question #:142
Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain,
and application?
A. No Direct Access to local networks
B. Tunnel mode
C. iPSec mode
D. Satellite mode
Answer: B
Explanation
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-
traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
Question #:143
An administrator needs to identify which NAT policy is being used for internet traffic.
From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for
a traffic flow?
A.

A. Click Session Browser and review the session details.
B. Click Traffic view and review the information in the detailed log view.
C. Click Traffic view; ensure that the Source or Destination NAT columns are included and review the
information in the detailed log view.
D. Click App Scope > Network Monitor and filter the report for NAT rules.
Answer: A
Explanation
Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is
in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed
log view1. The Source NAT column shows the translated source IP address and port, and the Destination
NAT column shows the translated destination IP address and port2. These columns can help the administrator
identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and
ports.
Question #:144
A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client
currently uses RADIUS authentication in their environment
Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose
two.)
A. Kerberos or SAML authentication need to be configured
B. LDAP or TACACS+ authentication need to be configured
C. RADIUS is only supported for a transparent Web Proxy.
D. RADIUS is not supported for explicit or transparent Web Proxy
Answer: A D
Explanation
For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML
as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on
Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to
configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly
supported for Web Proxy authentication in PAN-OS.For more information on supported Web Proxy
authentication methods, please refer to the latest Palo Alto Networks "PAN-OS® Web Interface Reference
Guide".
Question #:145

Which two statements correctly describe Session 380280? (Choose two.)
A. The session went through SSL decryption processing.
B. The session has ended with the end-reason unknown.
C. The application has been identified as web-browsing.
D. The session did not go through SSL decryption processing.
Answer: A C
Question #:146
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
A. 1

B. 2
C. 3
D. 4
Answer: D
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
Question #:147
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption Mirror requires a tap interface on the firewall
B. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to
harvest sensitive information that is submitted via an encrypted channel
C. Only management consent is required to use the Decryption Mirror feature.
D. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.
E. You should consult with your corporate counsel before activating and using Decryption Mirror in a
production environment.
Answer: B D E
Explanation
Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to
an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is
that if the firewall administrator's credentials are compromised, a malicious user could potentially access
sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.
Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS
encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best
practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to
understand the implications and ensure that the use of such features does not violate privacy laws or
regulatory requirements.
The need for administrative consent and the legal implications of using Decryption Mirror features are
outlined in Palo Alto Networks' "PAN-OS® Administrator’s Guide" and best practice documentation. It is not
specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is
incorrect because it is not just management consent but legal compliance that needs to be considered.

Question #:148
During the process of developing a decryption strategy and evaluating which websites are required for
corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons.
In this case, the technical reason is unsupported ciphers Traffic to these sites will therefore be blocked if
decrypted.
How should the engineer proceed?
A. Install the unsupported cipher into the firewall to allow the sites to be decrypted
B. Allow the firewall to block the sites to improve the security posture.
C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.
D. Create a Security policy to allow access to those sites.
Answer: C
Explanation
If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is
not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them
from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL
decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or
unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business
reason or technical limitation for not decrypting them34. Adding the sites to the SSL Decryption Exclusion
list will allow the traffic to pass through without being decrypted or blocked by the firewall. References: SSL
Decryption Exclusion, Troubleshoot Unsupported Cipher Suites
Question #:149
An administrator would like to determine which action the firewall will take for a specific CVE. Given the
screenshot below, where should the administrator navigate to view this information?
A. The profile rule action
B. CVE column
C. Exceptions lab
D. The profile rule threat name
Answer: C
Explanation
The Exceptions settings allows you to change the response to a specific signature. For example, you can block
all packets that match a signature, except for the selected one, which generates an alert. The Exception tab
supports filtering functions.

If you not believed, then login the firewall go to Vulnerability > Exceptions and select "Show all signatures".
From there you will see all threat information including specific actions.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC
Question #:150
An engineer is configuring a firewall with three interfaces:
• MGT connects to a switch with internet access.
• Ethernet1/1 connects to an edge router.
• Ethernet1/2 connects to a visualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should
be configured in Setup > Services > Service Route Configuration to allow this traffic?
A. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
B. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
C. Set DNS and Palo Alto Networks Services to use the MGT source interface.
D. Set DDNS and Palo Alto Networks Services to use the MGT source interface.
Answer: A
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
Question #:151
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all
three contractors will be working with different device-groups in their hierarchy to deploy policies and objects
Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Read only superuser.
B. Create a Dynamic Admin with the Panorama Administrator role
C. Create a Device Group and Template Admin
D. Create a Custom Panorama Admin
Answer: C

Explanation
Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama
that an administrator can access. You can hide tabs in the web interface, you can set specific items in
Panorama to read-only, or you can limit an administrator’s access to Panorama plugins. Custom Panorama
Admin roles require planning and configuration, but they provide extensive flexibility because you can
control what administrators can access through the web interface or the CLI. Device Group and Template
Admin: Device Group and Template Admin roles also require configuration because there are no built-in
examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an
administrator can access and configure. You can hide tabs in the web interface or set specific items to read
only to control what administrators can configure.
Question #:152
Why would a traffic log list an application as "not-applicable”?
A. The firewall denied the traffic before the application match could be performed.
B. The TCP connection terminated without identifying any application data
C. There was not enough application data after the TCP connection was established
D. The application is not a known Palo Alto Networks App-ID.
Answer: A
Explanation
traffic log would list an application as “not-applicable” if the firewall denied the traffic before the application
match could be performed. This can happen if the traffic matches a security rule that is set to deny based on
any parameter other than the application, such as source, destination, port, service, etc1. In this case, the
firewall does not inspect the application data and discards the traffic, resulting in a “not-applicable” entry in
the application field of the traffic log1.
Question #:153
A root cause analysis investigation into a recent security incident reveals that several decryption rules have
been disabled. The security team wants to generate email alerts when decryption rules are changed.
How should email log forwarding be configured to achieve this goal?
A. With the relevant configuration log filter inside Device > Log Settings
B. With the relevant system log filter inside Objects > Log Forwarding
C. With the relevant system log filter inside Device > Log Settings
D. With the relevant configuration log filter inside Objects > Log Forwarding

Answer: C
Explanation
To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would
configure email log forwarding based on specific system logs that capture changes to decryption policies. This
is done by setting up log forwarding profiles with filters that match events related to decryption rule
modifications. These profiles are then applied to the relevant log types within the firewall's log settings.
To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings
section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture
configuration changes among other system-level events. By creating a filter that looks for logs associated with
decryption rule changes, and associating this filter with an email server profile, the firewall can automatically
send out email alerts whenever a decryption rule is modified.
This setup ensures that the security team is promptly notified of any changes to the decryption policies,
allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of
maintaining the security posture of the network and ensuring compliance with organizational policies on
encrypted traffic inspection.
Question #:154
A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication?
(Choose three.)
A. Minimum TLS version
B. Certificate
C. Encryption Algorithm
D. Maximum TLS version
E. Authentication Algorithm
Answer: A B D
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-
service-profile
Question #:155
An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest
PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Export the log database.
B. Use the import option to pull logs.
C. Use the scp logdb export command.
D. Use the ACC to consolidate the logs.
Answer: A
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-
and-export-files/export-and-import-a-complete-log-database-logdb
Question #:156
A remote administrator needs access to the firewall on an untrust interface. Which three options would you
configure on an interface Management profile to secure management access? (Choose three)
A. HTTPS
B. SSH
C. Permitted IP Addresses
D. HTTP
E. User-IO
Answer: A B C
Question #:157
What is the best definition of the Heartbeat Interval?
A. The interval in milliseconds between hello packets
B. The frequency at which the HA peers check link or path availability
C. The frequency at which the HA peers exchange ping
D. The interval during which the firewall will remain active following a link monitor failure
Answer: C

Explanation
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall
is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the
firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls
are connected and responsive.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK
"A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms
minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA
control link." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK
Question #:158
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a
managed firewall?
A. Panorama provides information about system resources of the managed devices in the Managed Device
> Health menu.
B. Firewalls send SNMP traps to Panorama wen resource exhaustion is detected Panorama generates a
system log and can send email alerts.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when
resource exhaustion is detected on a managed firewall.
D. Panorama provides visibility all the system and traffic logs received from firewalls it does not offer any
ability to see or monitor resource utilization on managed firewalls
Answer: A
Question #:159
Which log type is supported in the Log Forwarding profile?
A. Configuration
B. GlobalProtect
C. Tunnel
D. User-ID
Answer: C
Question #:160

Which template values will be configured on the firewall if each template has an SSL to be deployed. The
template stack should consist of four templates arranged according to the diagram.
Which template values will be configured on the firewall if each template has an SSL/TLS Service profile
configured named Management?
A. Values in Datacenter
B. Values in efwOlab.chi
C. Values in Global Settings
D. Values in Chicago
Answer: D
Explanation
The template stack should consist of four templates arranged according to the diagram. The template values
that will be configured on the firewall if each template has an SSL/TLS Service profile configured named
Management will be the values in Chicago. This is because the SSL/TLS Service profile is configured in the
Chicago template, which is the highest priority template in the stack. The firewall will inherit the settings
from the highest priority template that has the setting configured, and ignore the settings from the lower
priority templates that have the same setting configured. Therefore, the values in Datacenter, efwOlab.chi, and
Global Settings will not be applied to the firewall. References:
[Manage Templates and Template Stacks]
[Template Stack Configuration]
[Template Stack Priority]
Question #:161
An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature
of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server
and the client browser is redirected to the proxy
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
A. DNS proxy
B. Explicit proxy
C. SSL forward proxy
D. Transparent proxy
Answer: D

Explanation
For the transparent proxy method, the request contains the destination IP address of the web server and the
proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no
client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID
configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not
support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.
paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
Question #:162
What is the best description of the Cluster Synchronization Timeout (min)?
A. The maximum time that the local firewall waits before going to Active state when another cluster
member is preventing the cluster from fully synchronizing
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-
primary firewall
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that
the cluster member is functional
D. The maximum interval between hello packets that are sent to verify that the HA functionality on the
other firewall is operational
Answer: A
Explanation
The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall
waits before going to Active state when another cluster member is preventing the cluster from fully
synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that
share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min)
determines how long the local firewall will wait for the cluster to reach a stable state before it decides to
become Active and process traffic. A stable state means that all cluster members are either Active or Passive,
and have synchronized their sessions with each other. If there is another cluster member that is in an unknown
or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully
synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set
to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait
for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the
local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable
state earlier12. References: Configure HA Clustering, PCNSE Study Guide (page 53)
Question #:163
An engineer is designing a deployment of multi-vsys firewalls.
What must be taken into consideration when designing the device group structure?

A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have
each vsys in a different device group.
B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each
vsys in a different device group.
C. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which
must have all its vsys in a single device group.
D. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all
its vsys in a single device group.
Answer: B
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0
A device group is a logical grouping of firewalls that share the same security policy rules. A device group can
contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys
in a different device group, depending on the desired security policy for each vsys. This allows for granular
control and flexibility in managing multi-vsys firewalls with Panorama1. References: Device Group Push to a
Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)
Question #:164
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
A. ECDSA
B. ECDHE
C. RSA
D. DHE
Answer: B D
Explanation
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE
and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which
means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any
previous keys. This enhances the security of the encrypted communication, but also increases the
computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-
Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands
for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and
DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and
private keys to encrypt and decrypt the session key123. References: Key Exchange Algorithms, Best Practices
for Enabling SSL Decryption, PCNSE Study Guide (page 60)

Question #:165
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is currently processing traffic?
A. Initial
B. Passive
C. Active
D. Active-primary
Answer: D
Question #:166
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between
a client and server to secure an SSL/TLS connection'?
A. certificates
B. profiles
C. link state
D. stateful firewall connection
Answer: A
Question #:167
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
A. Client probing
B. Syslog
C. XFF Headers
D. Server Monitoring
Answer: B C

Explanation
To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of
integrating user information. Syslog parsing allows the firewall to receive syslog messages from external
services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP
requests and proxies, can carry the original IP address of a client connecting through a proxy, and this
information can be used by the firewall to map the user IDs.
Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are
specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and
Server Monitoring are not the correct methods for pulling data from third-party proxies.For further details,
refer to the Palo Alto Networks documentation on User-ID integration and the "PAN-OS® Administrator’s
Guide".
Question #:168
An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings
will be configured on a template named "Global" and will be included in all template stacks.
Which three settings can be configured in this template? (Choose three.)
A. Log Forwarding profile
B. SSL decryption exclusion
C. Email scheduler
D. Login banner
E. Dynamic updates
Answer: B D E
Explanation
A template is a set of configuration options that can be applied to one or more firewalls or virtual systems
managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web
interface, such as login banner, SSL decryption exclusion, and dynamic updates4. These settings can be
configured in a template named “Global” and included in all template stacks. A template stack is a group of
templates that Panorama pushes to managed firewalls in an ordered hierarchy4. References: Manage
Templates and Template Stacks, PCNSE Study Guide (page 50)
Question #:169
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New
Applications to monitor new applications on the network and better assess any Security policy updates the
engineer might want to make.

How does the firewall identify the New App-ID characteristic?
A. It matches to the New App-IDs downloaded in the last 90 days.
B. It matches to the New App-IDs in the most recently installed content releases.
C. It matches to the New App-IDs downloaded in the last 30 days.
D. It matches to the New App-IDs installed since the last time the firewall was rebooted.
Answer: B
Explanation
The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the
engineer can better assess the security policy updates they might want to make. The New App-ID
characteristic always matches to only the new App-IDs in the most recently installed content releases. When a
new content release is installed, the New App-ID characteristic automatically begins to match only to the new
App-IDs in that content release version. This way, the engineer can see how the newly-categorized
applications might impact security policy enforcement and make any necessary
adjustments. References: Monitor New App-IDs
Question #:170
Given the following configuration, which route is used for destination 10 10 0 4?
A. Route 2
B. Route 3
C. Route 1
D. Route 4
Answer: A
Question #:171
A network administrator notices a false-positive state after enabling Security profiles. When the administrator
checks the threat prevention logs, the related signature displays the following:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
A. Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions
tabs Search related threat ID and click enable Commit
B. Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile

Select the signature exceptions tab and then click show all signatures Search related threat ID and click
enable Change the default action Commit
C. Navigate to Objects > Security Profiles > Vulnerability Protection
Select related profile
Select the Exceptions lab and then click show all signatures
Search related threat ID and click enable
Commit
D. Navigate to Objects > Security Profiles > Anti-Spyware
Select related profile
Select the Exceptions lab and then click show all signatures
Search related threat ID and click enable Commit
Answer: A
Explanation
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as
indicated by the category "dns-c2"), the correct course of action involves creating an exception in the Anti-
Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo
Alto Networks firewalls is designed to detect and block spyware threats, which can include command and
control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles
are listed.
Select the related Anti-Spyware profile that is currently applied to the security policy which is
generating the false positive.
Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on
DNS signatures.
Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it.
By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively
treating it as a false positive.
Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the
overall spyware protection capabilities of the firewall.

Question #:172
Which protocol is supported by GlobalProtect Clientless VPN?
A. FTP
B. RDP
C. SSH
D. HTTPS
Answer: D
Explanation
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and
XenDesktop or VMWare Horizon and Vcenter, support access natively through HTML5. You can RDP,
VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware.
In environments that do not include native support for HTML5 or other web application technologies
supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless
VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-
clientless-vpn/supported-technologies
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html
Question #:173
A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On
the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the
interface used to terminate the IPSec tunnel has a DHCP assigned IP address.
Which two actions are required for this scenario to work? (Choose two.)
A. On the HQ firewall select peer IP address type FQDN
B. On the remote location firewall select peer IP address type Dynamic
C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel
D. On the remote location firewall enable DONS under the interface used for the IPSec tunnel
Answer: A C
Question #:174

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically
updated?
A. 1 to 4 hours
B. 6 to 12 hours
C. 24 hours
D. 36 hours
Answer: B
Explanation
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that
determines the amount of time the firewall waits before installing the latest content. In a security-first
network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin
/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.
html#id184AH00F06E
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-
for-app-and-threat-content-updates/best-practices-security-first
Question #:175
Which link is responsible for synchronizing sessions between high availability (HA) peers?
A. HA1
B. HA3
C. HA4
D. HA2
Answer: D
Question #:176
A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking
at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall,
the administrator decides to enable packet buffer protection to protect against similar attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer
utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?

A. Apply DOS profile to security rules allow traffic from outside.
B. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
C. Enable packet buffer protection for the affected zones.
D. Add a Zone Protection profile to the affected zones.
Answer: C
Question #:177
‘SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website
https://www important-website com certificate, End-users are receiving the "security certificate is no: trusted”
warning, Without SSL decryption, the web browser shows chat the website certificate is trusted and signet by
well-known certificate chain Well-Known-intermediate and Wako Hebe CA Security administrator who
represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https:///www.very-import-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
A. Install the Well-Known-intermediate-CA and Well:Known Root-CA certificates on all end-user

systems in the user and local computer stores:
B. Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate= and commit the
configuration
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities,
import Well-Known-Intermediate-CA 2nd Well-Known-Root-CA select the Trusted Root CA check
box, aid commit the configuration.
D. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-known-
Intermediate-CA and Well-Know5-Root-CA, Select the Trusted Root CA check box, and commit the
configuration.
Answer: A
Question #:178
Which operation will impact the performance of the management plane?
A. Decrypting SSL sessions
B. Generating a SaaS Application report
C. Enabling DoS protection
D.

D. Enabling packet buffer protection
Answer: B
Explanation
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD—PART 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK
Question #:179
A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect
Gateway will users connect to based on the chart provided?
A. South
B. West
C. East
D. Central
Answer: C
Explanation
Based on the provided table, the GlobalProtect portal agent configuration includes four gateways with varying
priorities and response times. Users will connect to the gateway with the highest priority and, if multiple
gateways share the same priority, the one with the lowest response time.
Answer Determination
Prioritize by Priority Level:
East: Highest

South: High
West: Medium
Central: Low
Evaluate Response Times Within Each Priority:
East (Highest): 35 ms
South (High): 30 ms
West (Medium): 50 ms
Central (Low): 20 ms
Given the highest priority is "East" with a response time of 35 ms, users will connect to the East gateway
based on the highest priority.
Question #:180
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to
critical infrastructure systems. However, a recent phishing campaign against the organization has prompted
Information Security to look for more controls that can secure access to critical assets. For users that need to
access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA)
integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
A. Configure a Captive Portal authentication policy that uses an authentication sequence.
B. Configure a Captive Portal authentication policy that uses an authentication profile that references a
RADIUS profile.
C. Create an authentication profile and assign another authentication factor to be used by a Captive Portal
authentication policy.
D. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
Answer: C
Question #:181
Where can a service route be configured for a specific destination IP?
A. Use Netw ork > Virtual Routers, select the Virtual Router > Static Routes > IPv4
B.

B. Use Device > Setup > Services > Services
C. Use Device > Setup > Services > Service Route Configuration > Customize > Destination
D. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
Answer: C
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0
Question #:182
What type of address object would be useful for internal devices where the addressing structure assigns
meaning to certain bits in the address, as illustrated in the diagram?
A. IP Netmask
B. IP Wildcard Mask
C. IP Address
D. IP Range
Answer: B
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-
addresses/address-objects
Question #:183
With the default TCP and UDP settings on the firewall, what will be the identified application in the
following session?

A. Incomplete
B. unknown-tcp
C. Insufficient-data
D. not-applicable
Answer: D
Explanation
Traffic didnt match any other policies and so landed at the implicit "deny all" policy. If it's deny all, the traffic
was dropped before the application could be determined. https://knowledgebase.paloaltonetworks.com
/KCSArticleDetail?id=kA10g000000ClibCAC
Question #:184
After switching to a different WAN connection, users have reported that various websites will not load, and
timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users
behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream
router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
A. Lower the interface MTU value below 1500.
B. Enable the Ignore IPv4 Don't Fragment (DF) setting.
C. Change the subnet mask from /23 to /24.
D. Adjust the TCP maximum segment size (MSS) value. *
Answer: D
Question #:185
Which three external authentication services can the firewall use to authenticate admins into the Palo Alto
Networks NGFW without creating administrator account on the firewall? (Choose three.)
A. RADIUS
B. TACACS+
C. Kerberos
D. LDAP
E. SAML
Answer: A B E
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-
administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,
attributes%20on%20the%20SAML%20server.
Question #:186
Which log type would provide information about traffic blocked by a Zone Protection profile?
A. Data Filtering
B.

B. IP-Tag
C. Traffic
D. Threat
Answer: D
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC
D is the correct answer because the threat log type would provide information about traffic blocked by a
Zone Protection profile. This is because Zone Protection profiles are used to protect the network from
attacks, including common flood, reconnaissance attacks, and other packet-based attacks1. These
attacks are classified as threats by the firewall and are logged in the threat log2. The threat log displays
information such as the source and destination IP addresses, ports, zones, applications, threat types,
actions, and severity of the threats2.
Verified References:
1: Zone protection profiles - Palo Alto Networks Knowledge Base
2: Threat Log Fields - Palo Alto Networks
Question #:187
A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel The administrator
determines that the lifetime needs to be changed to match the peer. Where should this change be made?
A. IPSec Tunnel settings
B. IKE Crypto profile
C. IPSec Crypto profile
D. IKE Gateway profile
Answer: C
Question #:188
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked
User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the Zero Access.Gen threat.
B.

B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.
Answer: B
Explanation
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center
/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9
Question #:189
An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured
via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place
of the template value.
Which two actions can be taken to ensure that only the specific firewall is affected during this process?
(Choose two )
A. Configure the DNS server locally on the firewall.
B. Change the DNS server on the global template.
C. Override the DNS server on the template stack.
D. Configure a service route for DNS on a different interface.
Answer: A C
Explanation
To override a device and network setting applied by a template, you can either configure the setting locally on
the firewall or override the setting on the template stack. Configuring the setting locally on the firewall will
copy the setting to the local configuration of the device and will no longer be controlled by the template.
Overriding the setting on the template stack will apply the setting to all the firewalls that are assigned to the
template stack, unless the setting is also overridden locally on a firewall. Changing the setting on the global
template will affect all the firewalls that inherit the setting from the template, which is not desirable in this
scenario. Configuring a service route for DNS on a different interface will not change the DNS server address,
but only the interface that the firewall uses to reach the DNS server. References:
Override a Template Setting
How to override panorama pushed template configuration on the local firewall
Overriding Panorama Template settings

Question #:190
What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?
A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 SAs are synchronized over HA1 links.
Answer: B
Explanation
In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel
Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure
communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is
dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information
between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately
take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining
secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for
establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-
established upon failover to ensure secure key exchange.
Question #:191
An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high
availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when
the link failed?

A. The active firewall failed over to the passive HA member because "any" is selected for the Link
Monitoring
B. No action was taken because Path Monitoring is disabled
C. No action was taken because interface ethernet1/1 did not fail
D. The active firewall failed over to the passive HA member due to an AE1 Link Group failure
Answer: C
Question #:192
A system administrator runs a port scan using the company tool as part of vulnerability check. The
administrator finds that the scan is identified as a threat and is dropped by the firewall. After further
investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
A. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection
profile.
B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone
protection profile.

C. Change the TCP port scan action from Block to Alert in the Zone Protection profile.
D. Remove the Zone protection profile from the zone setting.
Answer: B
Question #:193
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and
the system is running close to its resource limits.
Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the
firewall?
A. Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.
B. Use the highest TLS protocol version to maximize security.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.
D. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
Answer: C
Explanation
Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits,
optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption
algorithms that require less computational power.
C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:
Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes
compared to RSA for a comparable level of security. This translates to less computational overhead
during the encryption and decryption processes.
By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the
processing load associated with decryption on the firewall. This is particularly beneficial in scenarios
where resource optimization is necessary.
It's important to note that this approach does not compromise the security of encrypted traffic. Instead,
it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall
performance even when system resources are under significant demand.
By judiciously applying this strategy, administrators can manage the decryption workload on the firewall,
ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's
resources.

Question #:194
Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
A. On Palo Alto Networks Update Servers
B. M600 Log Collectors
C. Cortex Data Lake
D. Panorama
Answer: C
Explanation
Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is
stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device
health, and other operational metrics that are crucial for the continuous improvement of security services and
threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it
is used to enhance the overall effectiveness of threat identification and prevention capabilities across all
deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient
against emerging threats.
Question #:195
A company is deploying User-ID in their network. The firewall team needs to have the ability to see and
choose from a list of usernames and user groups directly inside the Panorama policies when creating new
security rules.
How can this be achieved?
A. By configuring Data Redistribution Client in Panorama > Data Redistribution
B. By configuring User-ID group mapping in Panorama > User Identification
C. By configuring User-ID source device in Panorama > Managed Devices
D. By configuring Master Device in Panorama > Device Groups
Answer: B
Explanation
To enable the firewall team to view and select from a list of usernames and user groups directly within
Panorama policies for new security rule creation, User-ID group mapping should be configured in Panorama
under User Identification. This feature allows Panorama to collect user and group information from various
sources (like Active Directory) and use this information to create policies. By setting up User-ID group

mapping, administrators can leverage user identity as criteria in security rules, enabling more granular access
control and policy enforcement based on user or group membership, thereby enhancing the overall security
posture.
Question #:196
An administrator is receiving complaints about application performance degradation. After checking the
ACC, the administrator observes that there is an excessive amount of VoIP traffic.
Which three elements should the administrator configure to address this issue? (Choose three.)
A. An Application Override policy for the SIP traffic
B. QoS on the egress interface for the traffic flows
C. QoS on the ingress interface for the traffic flows
D. A QoS profile defining traffic classes
E. A QoS policy for each application ID
Answer: B D E
Explanation
To address the issue of application performance degradation due to excessive VoIP traffic, the administrator
should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes.
QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and
prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the
performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient
bandwidth and priority over other traffic1.
To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS
profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth,
maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service
based on source and destination zones, addresses, users, applications, services, etc2. The administrator can
also create a custom QoS profile or use the default one.
The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where
the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic.
The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For
example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust
interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface
is the trust interface facing the LAN3.
The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in
the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped
or delayed due to congestion. The administrator can also limit or block other applications that consume too
much bandwidth or pose security risks in the same or different QoS classes4.

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override
policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This
can be useful for optimizing performance or security for some applications that are difficult to identify or
have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol
(SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an
Application Override policy5.
QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier,
QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not
have any impact on how the firewall handles or prioritizes the incoming packets6.
A QoS policy for each application is not required to address this issue. A QoS policy can match multiple
applications in a single rule by using application filters or application groups. This can simplify and
consolidate the QoS policy configuration and management. The administrator does not need to create a
separate QoS policy for each application unless there is a specific need to assign different classes of service or
parameters to each application7.
References: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS
FAQ, Create a QoS Policy Rule
Question #:197
The UDP-4501 protocol-port is to between which two GlobalProtect components?
A. GlobalProtect app and GiobalProtect satellite
B. GlobalRrotect app and GlobalProtect gateway
C. GlobalProtect portal and GlobalProtect gateway
D. GlobalProtect app and GlobalProtect portal
Answer: B
Question #:198
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device
group. How should the administrator identify the configuration changes?
A. Click Preview Changes under Push Scope
B. Use Test Policy Match to review the policies in Panorama
C. Review the configuration logs on the Monitor tab
D. Context-switch to the affected firewall and use the configuration audit tool
Answer: C

Explanation
When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall
device group in Panorama, the most direct approach is to use the "Preview Changes" feature.
A. Click Preview Changes under Push Scope:
The "Preview Changes" option is available under the "Push Scope" in Panorama. This feature allows
administrators to see a detailed comparison of the changes that are about to be pushed to the managed
firewalls or that have been recently pushed. It highlights the differences between the current
configuration and the previous one, making it easier to identify exactly what changes were made,
including modifications to policies, objects, and other settings.
This is particularly useful for auditing and verifying that the intended changes match the actual changes
being deployed, enhancing transparency and reducing the risk of unintended configuration
modifications.
This approach provides a clear and concise way to review configuration changes before and after they are
applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.
Question #:199
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
B. A Decryption profile must be attached to the Security policy that the traffic matches.
C. There must be a certificate with only the Forward Trust option selected.
D. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
Answer: C
Question #:200
A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses
available resulting in the server sharing MAT IP 198 51 100 B8 with another OMZ serve that uses IP address
192 168 19? 60 Firewall security and NAT rules have been configured The application team has confirmed
mat the new server is able to establish a secure connection to an external database with IP address
203.0.113.40. The database team reports that they are unable to establish a secure connection to 196 51 100
88 from 203.0.113.40 However it confirm a successful prig test to 198 51 100 88 Referring to the MAT
configuration and traffic logs provided how can the firewall engineer resolve the situation and ensure inbound
and outbound connections work concurrently for both DMZ servers?

A. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address." both
external servers as "Destination Address." and Source Translation remaining as is with bidirectional
option enabled
B. Sharing a single NAT IP is possible for outbound connectivity not for inbound, therefore, a new public
IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.
C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the
bidirectional option.
D. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.
Answer: C
Explanation
The table displays NAT rules configured on the firewall. The key points are:
Source Zone and Destination Zone define the traffic flow.
Source Address and Destination Address specify the IP addresses involved.
Service indicates the type of traffic (e.g., any, ping).
Source Translation and Destination Translation show the translated IP addresses for NAT.
Issue and Resolution Options
The application server at 192.168.197.40 can establish outbound connections but faces issues with inbound
connections due to the shared NAT IP 198.51.100.88. The external database server cannot establish a secure
connection back to 192.168.197.40.
Options to Resolve the Issue:
Replace the Two NAT Rules with a Single Rule:
Combining both DMZ servers into one NAT rule might simplify configuration but could cause
issues in distinguishing inbound traffic for each server.

Pros: Simplifies rule management.
Cons: Might not address the inbound traffic issue properly.
New Public IP Address:
Obtaining a new public IP address for the new server (192.168.197.40) ensures dedicated
inbound and outbound NAT.
Pros: Clear separation of traffic, resolves inbound connectivity issues.
Cons: Requires additional public IP.
Separate Source NAT and Destination NAT Rules:
Configuring distinct NAT rules for source and destination addresses without using the
bidirectional option.
Pros: Clear and distinct rules for each direction of traffic.
Cons: More complex to manage, might require more firewall resources.
Move the NAT Rule:
Adjusting the order of NAT rules to prioritize the new server’s rule.
Pros: Simple reordering might resolve prioritization conflicts.
Cons: Might not fully resolve the inbound connection issue.
Question #:201
Which three authentication types can be used to authenticate users? (Choose three.)
A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service
Answer: A C E
Explanation
The three authentication types that can be used to authenticate users are:

A: Local database authentication. This is the authentication type that uses the local user database on the
firewall or Panorama to store and verify user credentials1.
C: Cloud authentication service. This is the authentication type that uses a cloud-based identity
provider, such as Okta, PingOne, or PingFederate, to authenticate users and provide SAML assertions
to the firewall or Panorama2.
E: Kerberos single sign-on. This is the authentication type that uses the Kerberos protocol to
authenticate users who are logged in to a Windows domain and provide them with seamless access to
resources on the firewall or Panorama3.
Question #:202
A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take
advantage of the new TLSvl.3 support for management access.
What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
A. Required: Download PAN-OS 10.2.0 or earlier release that is not EOL.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
B. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot.
Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
C. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest
preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required:
Download and install the desired PAN-OS 11.0.x.
D. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot.
Required: Download PAN-OS 10.2.0.
Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS
11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
Answer: B
Explanation
Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure
compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through
major releases.
B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to
ensure that all the latest fixes and improvements are applied.
Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading
to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a
stable and supported version before proceeding to the next major release.
Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.
x version. This step completes the upgrade to the new major version, providing access to new features
and improvements, such as TLSv1.3 support for management access.
This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining
system stability and security.
Question #:203
What happens when the log forwarding built-in action with tagging is used?
A. Destination IP addresses of selected unwanted traffic are blocked. *
B. Selected logs are forwarded to the Azure Security Center.
C. Destination zones of selected unwanted traffic are blocked.
D. Selected unwanted traffic source zones are blocked.
Answer: A
Explanation
When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary
purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection
mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using
that tag in dynamic security policies to block or manage the traffic.
A. Destination IP addresses of selected unwanted traffic are blocked:
When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic
(which could be the source or destination IP addresses, but in many configurations, the focus is on the
source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within
security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be
blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.
This approach allows for automated, real-time responses to identified threats, enhancing the security posture
by quickly adapting to emerging threats without manual intervention.
Question #:204

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with
multiple virtual systems?
A. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
B. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
C. External zones are required because the same external zone can be used on different virtual systems
D. Multiple external zones are required in each virtual system to allow the communications between
virtual systems
Answer: B
Question #:205
An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infra-structure?
A. To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of
the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.
Answer: C
Explanation
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts
Each WildFire cloud—global (U.S.), regional, and private—analyzes samples and generates WildFire verdicts
independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire
verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.
https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.
html
Question #:206
A firewall engineer needs to patch the company’s Palo Alto Network firewalls to the latest version of PAN-
OS. The company manages its firewalls by using panorama. Logs are forwarded to Dedicated Log Collectors,
and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when
planning deployment?
A.

A. Only Panorama and Dedicated Log Collectorss must be patched to the target PAN-OS version before
updating the firewalls
B. Panorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS
version before updating the firewalls.
C. Panorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version
downloaded, after which the order of patching does not matter.
D. Only Panorama must be patched to the PAN-OS version before updating the firewalls
Answer: B
Question #:207
A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks
firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the
engineers take into account when planning to enable IPv6?
A. Device > Setup Settings Do not enable on each interface
B. Network > Zone Settings Do not enable on each interface
C. Network > Zone Settings Enable on each interface
D. Device > Setup Settings Enable on each interface
Answer: D
Question #:208
What are three prerequisites for credential phishing prevention to function? (Choose three.)
A. In the URL filtering profile, use the drop-down list to enable user credential detection.
B. Enable Device-ID in the zone.
C. Select the action for Site Access for each category.
D. Add the URL filtering profile to one or more Security policy rules.
E. Set phishing category to block in the URL Filtering profile.
Answer: A D E
Question #:209

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF
implementation. However, the devices share a common link for communication. Which virtual router
configuration supports running multiple instances of the OSPF protocol over a single link?
A. OSPFV3
B. ECMP
C. ASBR
D. OSBF
Answer: A
Question #:210
PBF can address which two scenarios? (Choose two.)
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. Providing application connectivity the primary circuit fails
C. Enabling the firewall to bypass Layer 7 inspection
D. Forwarding all traffic by using source port 78249 to a specific egress interface
Answer: A B
Explanation
Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding
decisions based on criteria other than the destination IP address, such as the application, source address, or
user. It can address scenarios like:
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured
to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other
critical applications.
B. Providing application connectivity when the primary circuit fails: PBF can be used for failover
purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous
application availability.
PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks
are managed through different mechanisms within the firewall's operating system.
Question #:211

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles
are needed to complete the configuration? (Choose two)
A. SSL/TLS Service
B. HTTP Server
C. Decryption
D. Interface Management
Answer: A D
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-
sites#id7e63ce07-8b30-4506-a1e3-5800303954e8
Question #:212
Which CLI command displays the physical media that are connected to ethernet1/8?
A. > show system state filter-pretty sys.si. p8. stats
B. > show system state filter-pretty sys.sl.p8.phy
C. > show system state filter-pretty sys.sl.p8.med
D. > show interface ethernet1/8
Answer: B
Explanation
The CLI command "show system state filter-pretty sys.sl.p8.phy" is used to display detailed physical layer
information, which would include the physical media connected to a specific interface such as ethernet1/8.
This command is designed to filter the output to show relevant physical layer information for the specified
interface.For more information on Palo Alto Networks CLI commands and their outputs, refer to the "PAN-
OS® CLI Reference Guide".
Question #:213
Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?
A. Resource Protection

B. TCP Port Scan Protection
C. Packet Based Attack Protection
D. Packet Buffer Protection
Answer: A
Explanation
IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks
in which a large number of hosts (bots) establish as many sessions as possible to consume a target’s resources.
On the profile’s Resources Protection tab, you can set the maximum number of concurrent sessions that the
device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the
number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.
paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-
protection-profiles-and-policy-rules/dos-protection-profiles.html
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-
defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-
d39ebf3b6a5f
Question #:214
A firewall administrator has confirm reports of a website is not displaying as expected, and wants to ensure
that decryption is not causing the issue. Which three methods can the administrator use to determine if
decryption is causing the website to fail? (Choose three.)
A. Disable SSL handshake logging
B. Investigate decryption logs of the specific traffic to determine reasons for failure.
C. Temporarily disable SSL decryption for all websites to troubleshoot the issue
D. Create a policy-based "No Decrypt" rule in the decryption policy to include specific traffic from
decryption.
E. Move the policy with action decrypt to the top of the decryption policy rulebase.
Answer: B C D
Question #:215
A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to
access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be
allowed to access the internet, and therefore should not be translated with the NAT rule.
Which set of steps should the engineer take to accomplish this objective?

A. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to
dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10
/32 and source translation set to none.
3. Place (NAT-Rule-1) above (NAT-Rule-2).
B. 1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
2. Check the box for negate option to negate this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to
dynamic IP and port.
2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10
/32 and source translation set to none.
3. Place (NAT-Rule-2) above (NAT-Rule-1).
D. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
2. Check the box for negate option to negate this IP from the NAT translation.
Answer: C
Explanation
In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security
policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be
placed above the broader rule.
C. Place a more specific NAT rule above the broader one:
Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with
dynamic IP and port translation. This rule allows the majority of the subnet to access the internet
through NAT.
Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set
specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source
translation to none, indicating that this traffic should not be translated and thus not allowed to access the
internet.
Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule
(NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to
the internet, effectively excluding the specific server from internet access.
This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude
a specific IP address from source NAT translation, thereby preventing it from accessing the internet.

Question #:216
An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for
authenticating users. What should the administrator be aware of regarding the authentication sequence, based
on the Authentication profile in the order Kerberos LDAP, and TACACS+?
A. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been
named until one profile successfully authenticates the user.
B. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully
authenticates the user.
C. The priority assigned to the Authentication profile defines the order of the sequence.
D. If the authentication times cut for the firs: Authentication profile in the authentication sequence, no
further authentication attempts will be made.
Answer: B
Question #:217
If a URL is in multiple custom URL categories with different actions, which action will take priority?
A. Allow
B. Override
C. Block
D. Alert
Answer: C
Explanation
When a URL matches multiple categories, the category chosen is the one that has the most severe action
defined below (block being most severe and allow least severe).
1 block
2 override
3 continue
4 alert
5 allow
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

Question #:218
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
A. Change the firewall management IP address
B. Configure a device block list
C. Add administrator accounts
D. Rename a vsys on a multi-vsys firewall
E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
Answer: A D E
Question #:219
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external
router using the BGP protocol. The peer relationship is not establishing. What command could the engineer
run to see the current state of the BGP state between the two devices?
A. show routing protocol bgp summary
B. show routing protocol bgp rib-out
C. show routing protocol bgp state
D. show routing protocol bgp peer
Answer: D
Question #:220
An administrator notices that an interface configuration has been overridden locally on a firewall. They
require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
A. Perform a commit force from the CLI of the firewall.
B. Perform a template commit push from Panorama using the "Force Template Values" option.
C. Perform a device-group commit push from Panorama using the "Include Device and Network
Templates" option.
D. Reload the running configuration and perform a Firewall local commit.

Answer: B
Explanation
The best way for the administrator to meet the requirement of managing all configuration from Panorama and
preventing local overrides is B: Perform a template commit push from Panorama using the “Force Template
Values” option. This option allows the administrator to overwrite any local configuration on the firewall with
the values defined in the template1. This way, the administrator can ensure that the interface configuration
and any other
Question #:221
When you import the configuration of an HA pair into Panorama, how do you prevent the import from
affecting ongoing traffic?
A. Set the passive link state to shutdown".
B. Disable config sync.
C. Disable the HA2 link.
D. Disable HA.
Answer: B
Explanation
To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into
Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls
in an HA pair to synchronize their configurations and maintain consistency. However, when you import the
configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until
you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync
before importing the configuration, and re-enable it after committing the changes on
Panorama12. References: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page
50)
Question #:222
A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-
browsing and depends on SSL.
When creating a new rule, what is needed to allow the application to resolve dependencies?
A. Add SSL and web-browsing applications to the same rule.
B. Add web-browsing application to the same rule.
C. Add SSL application to the same rule.

D. SSL and web-browsing must both be explicitly allowed.
Answer: C
Explanation
'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be
allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes
too but 'Implicitly means already uses HTTP.
Question #:223
When an engineer configures an active/active high availability pair, which two links can they use? (Choose
two)
A. HSCI-C
B. Console Backup
C. HA3
D. HA2 backup
Answer: C D
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha
/prerequisites-for-activeactive-ha
These are the two links that can be used to configure an active/active high availability pair. An active/active
high availability pair consists of two firewalls that are both active and share the traffic load between
them1. To configure an active/active high availability pair, the following links are required2:
HA1: This is the control link that is used for exchanging heartbeat messages and configuration
synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have
a backup link for redundancy.
HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of
failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup
link for redundancy.
HA3: This is the session owner synchronization link that is used for synchronizing session information
between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is
only required for active/active high availability pairs, not for active/passive pairs.
Question #:224

A company wants to add threat prevention to the network without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
A. VirtualWire
B. Layer3
C. TAP
D. Layer2
Answer: A D
Explanation
A and D are the best practice deployment modes for the firewall if the company wants to add threat
prevention to the network without redesigning the network routing. This is because these modes allow
the firewall to act as a transparent device that does not affect the existing network topology or routing1.
A: VirtualWire mode allows the firewall to be inserted into any existing network segment without
changing the IP addressing or routing of that segment2. The firewall inspects traffic between two
interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the
traffic and forwards it to the same interface from which it was received2.
D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses3.
The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to
the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate
interface based on the MAC address table3.
Verified References:
1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan
2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-
wire.html
3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-
2.html
Question #:225

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will
the device permit on its Management port?
A. The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-
subnet-1.
B. The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-
subnet-2.
C. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as
$permitted-subnet-1 and $permitted-subnet-2.
D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-
subnet-1 and $permitted-subnet-2.
Answer: A
Explanation

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p
/496620 "- Force Template Value will as the name suggest remove any local configuratio and apply the value
define the panorama template. But this is valid only for overlapping configuration" "You need to be careful,
what is actually defined in the template. For example - if you decide to enable HA in the template, but after
that you decide to not push it with template and just disable it again (remove the check from the "Enable HA"
checkbox). This still will be part of the template, because now your template is explicitely defining HA
disabled. If you made a change in the template, and later decide that you don't want to control this setting with
template, you need to revert the config by clicking the green bar next to the changed value"
Question #:226
Which statement about High Availability timer settings is true?
A. Use the Critical timer for faster failover timer settings.
B. Use the Aggressive timer for faster failover timer settings
C. Use the Moderate timer for typical failover timer settings
D. Use the Recommended timer for faster failover timer settings.
Answer: B
Question #:227
A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will
support a GlobalProtect portal and gateway. the customer uses Windows
A. Deploy the GlobalProtect as a lee data hub.
B. Deploy Window User 0 agents on each domain controller.
C. Deploys AILS integrated Use 10 agent on each vsys.
D. Deploy a M.200 as a Users-ID collector.
Answer: A
Question #:228
Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
A. Encryption algorithm
B. Number of security zones in decryption policies
C. TLS protocol version

D. Number of blocked sessions
Answer: A C
Explanation
When sizing a decryption firewall deployment, two factors that should be considered are the encryption
algorithm and the TLS protocol version. These factors affect the amount of resources and processing power
that the firewall needs to decrypt and inspect SSL/TLS traffic.
The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data
exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and
performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than
RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses
public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must
support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have
enough CPU and memory resources to handle the decryption workload12.
The TLS protocol version is the standard that defines how the server and the client establish and maintain an
SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption
algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most
secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-
GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS
protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware
acceleration resources to handle the decryption speed34.
The number of security zones in decryption policies and the number of blocked sessions are not relevant
factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only
affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does
not affect the decryption performance or resource consumption. The number of blocked sessions only
indicates how many sessions are denied by the firewall based on security policy or decryption policy rules,
but it does not affect the decryption capacity or throughput56.
References: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page
60)
Question #:229
What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three
A. Configure a URL profile to block the phishing category.
B. Create a URL filtering profile
C. Enable User-ID.
D. Create an anti-virus profile.
E. Create a decryption policy rule.

Answer: B C E
Question #:230
Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the
Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the
Collector Group
Answer: B
Explanation
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-
groups/configure-a-collector-group
"Log redundancy is available only if each Log Collector has the same number of logging disks."
(Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a
single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes
unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For
example, if you have two Log Collectors in the collector group the log is written to both Log Collectors.
Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage
capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles
the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log
Collector must distribute a copy of each log it receives.
Question #:231
An internal audit team has requested additional information to be included inside traffic logs forwarded from
Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be
added into each forwarded log?
A. Data Patterns within Objects > Custom Objects
B. Custom Log Format within Device Server Profiles> Syslog
C. Built-in Actions within Objects > Log Forwarding Profile
D. Logging and Reporting Settings within Device > Setup > Management
Answer: B

Question #:232
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
A. Destination user/group
B. URL Category
C. Destination Domain
D. video streaming application
E. Source Domain
F. Client Application Process
Answer: C D E
Question #:233
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop
traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
A. Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set
"Asymmetric Path" to Bypass
B. > set session tcp-reject-non-syn no
C. Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set
"Asymmetric Path" to Global
D. # set deviceconfig setting session tcp-reject-non-syn no
Answer: A D
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK
Question #:234
Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The
configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely
would stop only Traffic logs from being sent from the NGFW to Panorama?
A)
B)
C)
D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Question #:235

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall
After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and
opens dynamic pinholes for media ports
What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application
Answer: D
Explanation
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/disable-the-sip-application-level-
gateway-alg
Question #:236
After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit
/push is successful without duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewall.
C. Perform the Export or push Device Config Bundle to the newly managed firewall.
D. Push the Device Group first, then push Template to the newly managed firewall
Answer: C
Explanation
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-
panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from
Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This
step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push
the device group configuration from Panorama to the firewall in the next step.
Question #:237
An engineer configures a new template stack for a firewall that needs to be deployed. The template stack
should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile
configured named Management?
A. Values in Chicago
B. Values in efw01lab.chi
C. Values in Datacenter
D. Values in Global Settings
Answer: B
Question #:238
An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is
regressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer 3
C. Layer 2
D. Tap
E. Virtual Wire
Answer: B C E
Explanation
PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL
decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode https://knowledgebase.
paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC
Question #:239
An engineer is deploying multiple firewalls with common configuration in Panorama.
What are two benefits of using nested device groups? (Choose two.)
A. Inherit settings from the Shared group
B. Inherit IPSec crypto profiles
C.

C. Inherit all Security policy rules and objects
D. Inherit parent Security policy rules and objects
Answer: A D
Explanation
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-
configuration-and-update-management/device-groups/device-group-hierarchy
Question #:240
The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined
that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs
indicating port abuse of port 53 must still be forwarded to syslog. All other DNS. Traffic logs can be exclude
from syslog forwarding. How should syslog log forwarding be configured?
A. With (port,dst neq 53)’ Traffic log filter Object > Log Forwarding.
B. With ‘(port dst neq 53)’ Traffic log filter inside Device > log Settings.
C. With ‘(app neq dns-base)’’ Traffic log filter inside Device> Log Settings.
D. With ‘(app neq dns-base)’’ Traffic log filter inside Objects> Log Forwarding
Answer: B
Question #:241
Which GloDalProtecI gateway setting is required to enable split-tunneting by access route, destination domain
and application?
A. Tunnel mode
B. Satellite mode
C. IPSec mode
D. No Direct Access to local networks
Answer: A
Explanation
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-
traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

Question #:242
A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and
adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center
firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the
HIP match logs on the edge firewall but not on the data center firewall
What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose
two.)
A. Log Forwarding Profile is configured but not added to security rules in the data center firewall.
B. HIP profiles are configured but not added to security rules in the data center firewall.
C. User ID is not enabled in the Zone where the users are coming from in the data center firewall.
D. HIP Match log forwarding is not configured under Log Settings in the device tab.
Answer: B C
Explanation
For HIP match logs to be visible on the data center firewall, the following conditions must be met:
HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center
firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not
associated with the security rules, the firewall will not evaluate traffic against these profiles, and
consequently, no HIP match logs will be generated.
User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are
located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user
names, which is critical for applying policies based on user identity and, by extension, for HIP-based
policy enforcement.
The other options (A and D) are related to logging and log forwarding but would not directly impact the
generation or visibility of HIP match logs on the data center firewall itself.
Question #:243
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP
agent configuration. Which interface mode can the broadcast DHCP traffic?
A. Virtual ware
B. Tap
C. Layer 2
D. Layer 3

Answer: B
Question #:244
When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing
sessions over which HA port?
A. HA1
B. HA3
C. HA2
D. HA4
Answer: D
Explanation
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview
Question #:245
Which two components are required to configure certificate-based authentication to the web Ul when an
administrator needs firewall access on a trusted interface'? (Choose two.)
A. Server certificate
B. SSL/TLS Service Profile
C. Certificate Profile
D. CA certificate
Answer: C D
Question #:246
Which source is the most reliable for collecting User-ID user mapping?
A. Syslog Listener
B. Microsoft Exchange
C. Microsoft Active Directory
D. GlobalProtect

Answer: D
Question #:247
An administrator is assisting a security engineering team with a decryption rollout for inbound and forward
proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to
decrypt. Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories
B. Known traffic categories
C. Known malicious IP space
D. Public-facing servers,
E. Less-trusted internal IP subnets
Answer: B C D
Question #:248
An engineer is troubleshooting a traffic-routing issue.
What is the correct packet-flow sequence?
A. PBF > Zone Protection Profiles > Packet Buffer Protection
B. BGP > PBF > NAT
C. PBF > Static route > Security policy enforcement
D. NAT > Security policy enforcement > OSPF
Answer: C
Explanation
The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence
describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-
Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic
based on the source and destination addresses, application, user, or service. PBF is evaluated before the static
route lookup, which is the default method of forwarding traffic based on the destination address and the
longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy
rules to allow or block traffic based on various criteria, such as zone, address, port, user, application,
etc12. References: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS
Question #:249

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire
inline ML analyze? (Choose three.)
A. Powershell scripts
B. VBscripts
C. MS Office
D. APK
E. ELF
Answer: A C E
Question #:250
Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface
when configuring transparent web proxy on a Palo Alto Networks firewall?
A. Tunnel
B. Ethernet
C. VLAN
D. Lookback
Answer: C

About Exams4sure.com
Exams4sure.com was founded in 2007. We provide latest & high quality IT / Business Certification Training Exam
Questions, Study Guides, Practice Tests.
We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.
View list of all certification exams: All vendors
We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses
listed below.
Sales: sales@exams4sure.com
Feedback: feedback@exams4sure.com
Support: support@exams4sure.com
Any problems about IT certification or our products, You can write us back and we will get back to you within 24
hours.

PCNSE-Exam4sure

Uploaded by

Copyright:

Available Formats

PCNSE-Exam4sure

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PCNSE-Exam4sure

Uploaded by

Copyright:

Available Formats

Paloalto Networks

Palo Alto Networks

An engineer troubleshoots a high availability (HA) link that is unreliable.

A. Monitor > Logs > System

B. Device > High Availability > Active/Passive Settings

C. Monitor > Logs > Traffic

D. Dashboard > Widgets > High Availability

A. Exclude video traffic

C. Block traffic that is not work-related

D. Create a Tunnel Inspection policy

D. URL Filtering profiles

Leaders in it certification 1 of 151

A. Export device state

B. Load configuration version

C. Load named configuration snapshot

D. Save candidate config

Match the terms to their corresponding definitions

Leaders in it certification 2 of 151

Leaders in it certification 3 of 151

A close-up of a computer screen Description automatically generated

An administrator receives the following error message:

Leaders in it certification 4 of 151

A. No, because the URL generated an alert.

C. Yes, because the final action is set to "allow.''

D. No, because the action for the wildfire-virus is "reset-both."

A. Configure a Layer 3 interface for segment X on the firewall

B. Configure the TAP interface for segment X on the firewall.

C. Configure a new vsys for segment X on the firewall

D. Configure vwire interfaces for segment X on the firewall.

Leaders in it certification 5 of 151

Which profile should be configured in order to achieve this?

A. SSH Service profile

B. SSL/TLS Service profile

B. Security policy rule

C. Application override policy rule

D. Decryption policy rule

A. Monitor > Logs > System

B. Objects > Log Forwarding

Leaders in it certification 6 of 151

C. Panorama > Managed Devices

D. Device > Log Settings

Leaders in it certification 7 of 151

A. No Direct Access to local networks

Leaders in it certification 8 of 151

Which three dynamic routing protocols support BFD? (Choose three.)

E. OSPFv3 virtual link

A. Yes, because the action is set to alert

B. No, because this is an example from a defeated phishing attack

C. No, because the severity is high and the verdict is malicious.

Leaders in it certification 9 of 151

D. Yes, because the action is set to allow.

What must the administrator do to correct this issue?

C. Add the template as a reference template in the device group

D. Add a firewall to both the device group and the template

A. SSL Outbound Proxyless Inspection

B. SSL Forward Proxy

D. SSL Inbound Inspection

Leaders in it certification 10 of 151

A. Successful GlobalProtect Deployed Activity

B. GlobalProtect Deployment Activity