Palo Alto Networks Certified Network Security Administrator (PCNSA) — Questions 76–150

524 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
Drag & Drop · medium

Drag and drop the steps to configure Active/Passive High Availability on a Palo Alto Networks firewall into the correct order.

Why this order

HA configuration requires setting up interfaces, mode, priority, peer IP, preemption, and synchronization.

77
Multi-Select · medium

Which TWO actions should be taken when configuring SSL Forward Proxy decryption? (Select exactly two.)

Select 2 answers
A. Import the server's private key
B. Import the server certificate
C. Enable SSH decryption
D. Generate or import a CA certificate for the firewall
E. Configure a decryption profile that allows self-signed certificates
Answers: D, E

The firewall needs a CA certificate to generate certificates on the fly for clients.

Why this answer

Option D is correct because SSL Forward Proxy decryption requires the firewall to act as a trusted intermediary. To do this, the firewall must generate or import a CA certificate that client browsers will trust, allowing it to dynamically generate and sign server certificates for decrypted sessions. Without this CA certificate, clients will receive untrusted certificate warnings, and decryption will fail.

Exam trap

Palo Alto Networks often tests the distinction between SSL Forward Proxy (outbound decryption) and SSL Inbound Inspection (inbound decryption), where candidates mistakenly think importing the server's private key or certificate is needed for Forward Proxy.

78
MCQ · medium

A network administrator is configuring a new security policy to allow specific inbound traffic to a web server. The policy must be as specific as possible to minimize risk. Which configuration approach is correct?

A. Create a security policy with source zone Untrust, destination zone DMZ, and service application-default.
B. Create a security policy with source any, destination DMZ, and service http.
C. Create a security policy with source zone Untrust, destination zone DMZ, and application web-browsing.
D. Create a security policy with source zone Untrust, destination zone DMZ, and service http.
Answer: C

Application web-browsing uses App-ID to ensure only HTTP/HTTPS traffic is allowed, regardless of port, providing more granular control.

Why this answer

Option C is correct. Using App-ID (application web-browsing) is more specific than a port-based service, because it identifies the application regardless of port. Option D uses the port-based service http, which could allow other applications on port 80.

Option B uses source any, which is too broad. Option A uses application-default, which is not a valid service object for policy configuration.

79
Multi-Select · medium

Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?

Select 2 answers
A. Set the rule action to 'reset-both'.
B. Set the rule action to 'allow'.
C. Set the rule action to 'deny'.
D. Enable 'Log at Session Start' in the rule.
E. Enable 'Log at Session End' in the rule.
Answers: B, E

Allow permits traffic through the firewall.

Why this answer

Option B is correct because setting the rule action to 'allow' permits the traffic from the corporate network to the internet, which is the primary requirement. To also log the traffic, you must enable logging; 'Log at Session End' (Option E) is the standard method to capture session details after the connection completes. Together, these two settings achieve both allowing and logging the traffic.

Exam trap

The trap here is that candidates often confuse 'Log at Session Start' with 'Log at Session End', thinking that logging at the start is sufficient for full traffic logging, but in reality, session-end logs provide the complete session metadata needed for security analysis.

80
MCQ · hard

A security analyst uses Panorama to generate a custom report on all traffic using the application 'facebook-base' across the enterprise. The analyst creates a new report template in Panorama with the filter '(app eq facebook-base)' and runs the report for the past 30 days. The report returns zero results. However, when the analyst logs into a specific firewall and queries the traffic logs using the same filter, results appear. The analyst confirms that the firewall is configured to forward logs to Panorama and that Panorama receives logs from all firewalls. What is the most likely reason the Panorama report fails to return data?

A. The application filter must specify the parent application 'facebook' because 'facebook-base' is a sub-application.
B. Panorama only supports scheduled reports, not ad-hoc queries.
C. The report template is not committed to the device group.
D. The firewall's log forwarding profile must be set to send logs to Panorama on a separate port.
Answer: A

Panorama requires the parent application for sub-application filters.

Why this answer

In Panorama, application filters require the parent application name when filtering by sub-application. 'facebook-base' is a sub-application of 'facebook', so the correct filter should be '(app eq facebook)(subapp eq facebook-base)'. Option C (commit to device group) is not required for reports. Option B (scheduled only) is false.

Option D (separate port) is incorrect.

81
MCQ · easy

A junior administrator is investigating a network issue where traffic to a critical server is being blocked. To see the specific security rule that matched and the action taken, which log should the administrator review?

A. System log
B. Threat log
C. Config log
D. Traffic log
Answer: D

Traffic logs show the security rule that matched and the action taken.

Why this answer

The Traffic log records every session that traverses the firewall, including the specific security rule that matched and the action taken (allow, deny, drop, etc.). Since the administrator needs to identify which rule blocked the traffic to the critical server, the Traffic log is the correct source. System, Threat, and Config logs do not provide per-session rule matching details.

Exam trap

The trap here is that candidates often confuse the Threat log with the Traffic log, assuming blocked traffic always appears in the Threat log, but the Threat log only records sessions that matched a threat signature, not all denied sessions due to security rules.

How to eliminate wrong answers

Option A is wrong because the System log captures administrative events, system errors, and high-level operational messages, not per-session rule matches. Option B is wrong because the Threat log records only traffic that triggered a threat prevention signature (e.g., exploits, malware), not all blocked traffic or rule-based actions. Option C is wrong because the Config log tracks changes to the firewall configuration (e.g., policy modifications), not real-time traffic matching or actions.

82
MCQ · medium

A user at source IP 10.1.1.1 initiates an HTTPS connection to a web server on the internet. Which rule will the traffic match?

A. Rule 1: allow-http-from-trust-to-untrust (allow)
B. Rule 3: allow-dns-from-trust-to-untrust (allow)
C. Rule 2: deny-all-from-trust-to-untrust (deny)
D. No rule matches; implicit deny will block the traffic.
Answer: C

Since HTTPS is not HTTP, rule 1 fails; rule 2 matches any application and denies.

Why this answer

Option C is correct. Rule 1 matches the http application only, and HTTPS is identified as a different application (ssl), so although the traffic is evaluated against rule 1 first, rule 1 does not match. Rule 2 is evaluated next; it applies to any application from 10.0.0.0/8, so it matches and denies the traffic.

Rule 3 is for DNS only. So traffic will be denied by rule 2.

83
MCQ · hard

An organization uses multiple firewalls and wants to share dynamic address groups across them. Which feature should be used?

A. Device groups
B. Shared policy
C. Template stacks
D. External Dynamic Lists
Answer: D

EDLs allow external lists to be referenced in policies and shared across firewalls.

Why this answer

External Dynamic Lists (EDLs) allow dynamic address groups to be shared across multiple firewalls by referencing a common external source, such as a URL or file hosted on a web server. This enables consistent, real-time updates to address objects across the entire firewall fleet without manual intervention, making it the correct choice for sharing dynamic address groups.

Exam trap

The trap here is that candidates often confuse Device Groups (which share static policy and objects) with the ability to share dynamic objects, but Device Groups do not support dynamic address groups; only EDLs provide the dynamic, externally-sourced sharing mechanism.

How to eliminate wrong answers

Option A is wrong because Device Groups are used to manage shared policy and configuration across firewalls in Panorama, but they do not directly share dynamic address groups; they share static objects and policies. Option B is wrong because Shared Policy is a configuration element that applies policies across devices, but it does not inherently share dynamic address groups; it relies on objects that must be defined elsewhere. Option C is wrong because Template Stacks are used to manage device-level settings like interfaces and network configurations, not dynamic address groups or object sharing.

84
MCQ · hard

A firewall is experiencing high CPU utilization due to SSL decryption. The administrator wants to reduce the load without completely disabling decryption. Which action should be taken?

A. Use decryption mirroring to offload decryption to a dedicated appliance.
B. Change decryption policy to 'no-decrypt' for all traffic.
C. Enable SSL/TLS protocol settings to disable weak ciphers.
D. Create a decryption bypass for traffic to high-bandwidth sites with low security risk.
Answer: D

Selectively bypassing low-risk traffic reduces CPU load.

Why this answer

Option D is correct because creating a decryption bypass for traffic to high-bandwidth, low-risk sites reduces the CPU load from SSL decryption by exempting that traffic from decryption, while still allowing decryption for higher-risk traffic. This targeted approach maintains security posture without completely disabling decryption, aligning with best practices for managing decryption resources on Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often confuse decryption mirroring with offloading decryption, not realizing that mirroring only duplicates traffic for analysis and does not reduce the firewall's decryption workload.

How to eliminate wrong answers

Option A is wrong because decryption mirroring sends a copy of decrypted traffic to a monitoring appliance for analysis, but it does not offload the decryption itself; the firewall still performs the CPU-intensive SSL/TLS decryption. Option B is wrong because changing the decryption policy to 'no-decrypt' for all traffic completely disables decryption, which does not meet the requirement to reduce load without completely disabling decryption. Option C is wrong because disabling weak ciphers in SSL/TLS protocol settings improves security by preventing use of insecure algorithms, but it does not reduce CPU utilization from decryption; in fact, it may increase load by forcing negotiation of stronger ciphers that require more processing.

85
MCQ · easy

A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?

A. URL Filtering logs
B. Threat logs
C. Tunnel Inspection logs
D. Traffic logs
Answer: C

Tunnel Inspection logs record decryption decisions, including 'No Decrypt' actions.

Why this answer

Tunnel Inspection logs are specifically designed to record traffic that bypasses decryption due to a 'No Decrypt' policy rule. When a decryption policy is set to 'No Decrypt', the firewall does not inspect the encrypted payload, but Tunnel Inspection logs capture metadata about the bypassed session, including the reason for bypass. This allows administrators to monitor and audit traffic that was not decrypted, ensuring visibility into policy exceptions.

Exam trap

The trap here is that candidates often confuse Tunnel Inspection logs with Traffic logs, assuming that Traffic logs will show the bypass, but only Tunnel Inspection logs explicitly record the decryption bypass reason and session metadata.

How to eliminate wrong answers

Option A is wrong because URL Filtering logs track web requests and URL categories, not the decryption bypass status of encrypted traffic. Option B is wrong because Threat logs record detected threats (e.g., malware, exploits) in decrypted or inspected traffic, not the bypass of decryption itself. Option D is wrong because Traffic logs show basic session information (source, destination, ports) but do not specifically indicate whether decryption was bypassed or the reason for bypass.

86
MCQ · medium

A hospital network uses a Palo Alto Networks firewall with outbound SSL decryption. The IT security team notices that during peak hours, the firewall CPU utilization spikes to 95% when decryption is enabled, causing latency for all users. They have already upgraded to maximum licensed throughput and added a dedicated decryption engine. However, the issue persists. The network has 10,000 endpoints and 500 Mbps throughput. The decryption policy includes rules to decrypt all traffic to critical medical cloud services (EHR, PACS) and social media sites. What should the administrator do first to reduce CPU load?

A. Create a more specific decryption policy to only decrypt necessary traffic.
B. Increase the decryption session timeout value.
C. Replace the firewall with a higher-end model.
D. Enable SSL acceleration hardware offloading.
Answer: A

Decrypting only critical medical cloud services reduces the number of sessions requiring decryption, lowering CPU usage.

Why this answer

The correct answer is A because the firewall is decrypting unnecessary traffic (social media sites) in addition to critical medical cloud services. By refining the decryption policy to exclude non-essential traffic, the administrator reduces the CPU load from SSL/TLS handshake and encryption processing, directly addressing the spike without requiring hardware changes. This aligns with Palo Alto Networks best practices of minimizing decryption scope to only traffic that requires inspection.

Exam trap

The trap here is that candidates often assume hardware upgrades or offloading features are the immediate fix, but the PCNSA exam emphasizes that policy optimization (decrypting only what is necessary) is the first step before considering hardware changes.

How to eliminate wrong answers

Option B is wrong because increasing the decryption session timeout value does not reduce CPU utilization; it only keeps idle sessions open longer, potentially increasing resource consumption. Option C is wrong because the administrator has already upgraded to maximum licensed throughput and added a dedicated decryption engine, indicating the hardware is not the bottleneck; replacing the firewall would be a costly and unnecessary step without first optimizing the policy. Option D is wrong because SSL acceleration hardware offloading is typically already enabled on Palo Alto Networks firewalls that support it, and the issue persists despite having a dedicated decryption engine, meaning the problem is policy scope, not offloading capability.

87
MCQ · medium

A company uses SSL Forward Proxy decryption. The firewall's decryption certificate expires. What immediate impact does this have on traffic?

A. The firewall logs a critical system alert.
B. Users receive certificate warnings when accessing HTTPS sites.
C. Decryption stops working and all SSL traffic is blocked.
D. The firewall automatically renews the certificate from the CA.
Answer: B

The expired cert causes browser warnings.

Why this answer

When the firewall's SSL Forward Proxy decryption certificate expires, the firewall can no longer present a valid certificate to clients during the SSL/TLS handshake. Browsers and applications will detect the expired certificate and display certificate warnings or errors to users, but the firewall may still attempt to decrypt traffic using the expired certificate, causing trust failures. This is the immediate impact because the firewall does not block traffic by default; it continues to proxy the connection, but the client rejects the invalid certificate.

Exam trap

The trap here is that candidates assume decryption stops or traffic is blocked, but Palo Alto Networks firewalls continue to proxy traffic with the expired certificate, causing client-side warnings rather than a firewall-enforced block.

How to eliminate wrong answers

Option A is wrong because a certificate expiration typically generates a system alert or log entry, but the question asks for the immediate impact on traffic, not the logging behavior. Option C is wrong because decryption does not stop; the firewall continues to intercept and re-encrypt traffic using the expired certificate, and SSL traffic is not blocked unless a specific policy action (e.g., 'block if certificate invalid') is configured. Option D is wrong because the firewall does not automatically renew certificates from a CA; certificate renewal is a manual or automated process managed by the administrator, not an automatic firewall function.

88
Drag & Drop · medium

Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.

Why this order

Packet capture involves entering CLI, issuing tcpdump with filters, stopping the capture, and exporting the file.

89
MCQ · hard

An administrator is using Policy Tester to validate a rule before deployment. The rule allows HTTP and HTTPS from user 'John' (IP 10.1.1.10) to server 192.168.1.100. The tester shows 'No match' for traffic from John's IP to the server on port 80. What could be the reason?

A. The rule is placed after a deny rule.
B. The user-ID mapping is incorrect.
C. The rule uses port 443 only.
D. The rule has an application override that is not set to HTTP.
Answer: D

If the rule uses application override, traffic must be identified as the specified application; if not, the rule does not match.

Why this answer

Option D is correct because an application override forces traffic to be identified as the specified application; if the rule expects HTTP but the overridden traffic is not identified as HTTP, the rule does not match. Option C is wrong because if the rule allows HTTP, port 80 should be expected to match. Option B is wrong because User-ID is for user mapping, and if the rule uses a user, the tester should have the user context.

Option A is wrong because rule ordering is not an issue when testing a specific rule.

90
MCQ · medium

A company needs to block a list of known malicious domains that is updated daily by a threat intelligence vendor. Which Palo Alto Networks object should be used?

A. External Dynamic List (EDL)
B. Custom URL Category
C. Address Group
D. Application Filter
Answer: A

EDL can consume frequently updated lists of domains or IPs.

Why this answer

An External Dynamic List (EDL) is the correct object because it allows Palo Alto Networks firewalls to import and automatically update a list of known malicious domains from an external threat intelligence vendor on a scheduled basis (e.g., every 5 minutes). This ensures the firewall dynamically blocks newly identified malicious domains without manual intervention, making it ideal for a daily-updated feed.

Exam trap

The trap here is that candidates often confuse Custom URL Categories with EDLs, assuming a manually updated list can suffice for dynamic feeds, but the exam emphasizes that EDLs are the only object designed for automated, external-sourced updates.

How to eliminate wrong answers

Option B is wrong because a Custom URL Category is a static, manually defined list of URLs or domains that does not support automatic updates from an external feed; it requires manual editing to reflect daily changes. Option C is wrong because an Address Group is used to group IP addresses or CIDR ranges, not domain names, and it cannot dynamically update from an external threat intelligence source. Option D is wrong because an Application Filter is used to identify traffic based on application characteristics (e.g., application ID, category, technology), not to block specific domains or URLs.

91
MCQ · medium

A firewall is configured with multiple Virtual Systems (vsys). An admin wants to assign a custom admin role that can manage only specific vsys. Which role type supports this?

A. Panorama Admin
B. Read Only Admin
C. Virtual System Admin
D. Superadmin
E. Device Admin
Answer: C

Can be assigned to specific vsys with tailored permissions.

Why this answer

Option C is correct because the Virtual System Admin role is specifically designed to grant administrative access to one or more Virtual Systems (vsys) within a Palo Alto Networks firewall. This role type allows the admin to manage only the assigned vsys, with no visibility or control over other vsys or the shared firewall configuration, which directly matches the requirement in the question.

Exam trap

The trap here is that candidates often confuse 'Virtual System Admin' with 'Device Admin' or 'Read Only Admin,' assuming that any admin role can be scoped to a vsys, but only the Virtual System Admin role provides the granular per-vsys restriction required.

How to eliminate wrong answers

Option A is wrong because Panorama Admin is a role used for managing Panorama, the centralized management platform, not for assigning per-vsys administrative access on a firewall. Option B is wrong because Read Only Admin provides read-only access to the entire firewall configuration, including all vsys, and cannot be scoped to specific vsys. Option D is wrong because Superadmin has full, unrestricted access to all vsys and all firewall settings, which is the opposite of the required restricted access.

Option E is wrong because Device Admin is a role that manages device-level settings (e.g., network interfaces, certificates) across all vsys, not limited to specific vsys.

92
Multi-Select · medium

Which TWO of the following are required when configuring a new virtual router on a Palo Alto Networks firewall?

Select 2 answers
A. Set the administrative distance for the default route
B. Define at least one static route or enable a dynamic routing protocol
C. Configure OSPF as the routing protocol
D. Configure route redistribution
E. Assign at least one layer 3 interface to the virtual router
Answers: B, E

A route is needed to forward traffic.

Why this answer

When configuring a new virtual router on a Palo Alto Networks firewall, you must assign at least one Layer 3 interface to it (Option E) so that the virtual router can participate in routing. Additionally, you must define at least one static route or enable a dynamic routing protocol (Option B) to provide a path for traffic; otherwise, the virtual router has no forwarding information and cannot route packets.

Exam trap

The trap here is that candidates often assume a dynamic routing protocol like OSPF is mandatory, but Palo Alto firewalls allow static routes as a perfectly valid and minimal routing configuration for a virtual router.

93
MCQ · easy

A network administrator wants to allow FTP traffic from the internal network (zone: trust) to an external server (zone: untrust) while ensuring that the firewall can inspect the FTP control and data channels. Which security rule configuration is required?

A. Create a rule with service 'tcp-21' and application 'any'
B. Create a rule with application 'ftp' and disable Application Override
C. Create a rule with application 'ftp' and enable 'FTP Alg' in the Application Override settings
D. Create a rule with application 'ftp' and service 'application-default'
Answer: C

FTP ALG ensures the firewall can inspect FTP control and negotiate data channel inspection.

Why this answer

Option C is correct because FTP uses separate control (TCP 21) and data channels, and the firewall must inspect both to enforce security policies. Enabling 'FTP Alg' in the Application Override settings allows the Palo Alto Networks firewall to dynamically open pinholes for the data channel and perform deep inspection of FTP commands, ensuring proper stateful handling of active and passive modes.

Exam trap

The trap here is that candidates often assume simply setting the application to 'ftp' is sufficient, but they overlook the need to explicitly enable FTP Alg to handle the dynamic data channel negotiation required for full inspection.

How to eliminate wrong answers

Option A is wrong because using service 'tcp-21' with application 'any' only matches the control channel port and does not enable application-level inspection of FTP traffic, leaving the data channel unmonitored and potentially blocked. Option B is wrong because disabling Application Override with application 'ftp' would still rely on the default application decoder, but the question specifically requires enabling FTP Alg to handle the data channel; disabling Application Override does not achieve the necessary ALG functionality. Option D is wrong because using service 'application-default' with application 'ftp' relies on the default port-to-application mapping (TCP 21), but without explicit FTP Alg configuration, the firewall may not properly inspect the dynamic data channel ports, especially in passive FTP mode.

94
MCQ · hard

An administrator wants to allow ping (ICMP) and SSH access on a data interface (e.g., ethernet1/1) for troubleshooting. Which configuration is required?

A. Enable 'Management' profile on the VLAN interface
B. Configure an interface management profile on ethernet1/1
C. Create a security policy allowing ICMP and SSH inbound
D. Enable the service route for ping and SSH
Answer: B

Interface management profiles control which management services are permitted on a data interface.

Why this answer

Interface management profiles control which management services (ping, SSH, HTTP, etc.) are permitted on a data interface.

95
MCQ · hard

During a security audit, it is discovered that some traffic from the 'guest' zone to the 'untrust' zone is not being inspected by Threat Prevention profiles. The security rule that matches this traffic has a Threat Prevention profile applied. What is a likely reason for the lack of inspection?

A. The Threat Prevention profile is disabled on the rule
B. An earlier rule with action 'allow' is matching the traffic before reaching this rule
C. The traffic uses a service that is not supported by the Threat Prevention profile
D. The security rule action is set to 'deny'
Answer: B

If a higher-priority rule matches and allows traffic without a threat profile, the later rule's profile is not used.

Why this answer

Option B is correct because a Threat Prevention profile is applied only when its rule is the one that matches; if the traffic matches an earlier rule with action 'allow' and no threat profile, the later rule's profile is never applied. Option A is wrong because if the profile is attached to the rule, it is active. Option C is wrong because threat profiles apply to all sessions that match the rule, regardless of service.

Option D is wrong because the action 'deny' would block the traffic entirely, not allow it without inspection.

96
MCQ · hard

A company uses Panorama to manage multiple firewalls. They have configured a template to push NTP settings, DNS, and authentication profiles. However, one firewall is not receiving the template settings. Which of the following is the most likely cause?

A. The template was not committed to Panorama
B. The firewall is not in the template's device group
C. The firewall has a local configuration that overrides the template
D. The firewall's management IP is not reachable from Panorama
Answer: D

If unreachable, Panorama cannot push templates.

Why this answer

Panorama pushes template settings to managed firewalls via a management-plane connection. If the firewall's management IP is not reachable from Panorama (e.g., due to network issues, incorrect IP, or routing problems), the template cannot be applied. This is the most direct cause of a firewall not receiving template settings, as Panorama requires reachability to commit and push configurations.

Exam trap

The trap here is confusing device groups with template assignment; candidates often think a firewall must be in a device group to receive template settings, but templates are assigned directly to firewalls or template stacks, not through device groups.

How to eliminate wrong answers

Option A is wrong because if the template was not committed to Panorama, no firewall would receive the settings, not just one specific firewall. Option B is wrong because templates are associated with firewalls directly, not through device groups; device groups are for policy objects, while templates are assigned to firewalls via template stacks. Option C is wrong because local configurations on a firewall can override template settings only if the firewall is configured to use local settings over Panorama (e.g., via 'local-override' flag), but this is a deliberate configuration choice, not a typical cause of failure to receive template settings; the question implies the firewall is not receiving them at all, not that it is overriding them.

97
MCQ · easy

A company needs to receive email alerts for critical system events. What is the recommended method to configure email notifications on a Palo Alto Networks firewall?

A. Create an Email server profile under Device > Server Profiles with SMTP settings
B. Configure an SNMP trap receiver to forward events to email
C. Enable ICMP echo replies to trigger email via a separate scripting tool
D. Set up a syslog server that sends email alerts
Answer: A

This is the standard method for email alerts.

Why this answer

Option A is correct because Palo Alto Networks firewalls provide a native Email Server Profile under Device > Server Profiles that allows direct SMTP configuration for sending email alerts. This is the recommended method as it integrates directly with the firewall's alerting system without requiring external tools or services.

Exam trap

The trap here is that candidates may confuse syslog or SNMP as direct email notification methods, but Palo Alto Networks firewalls require a dedicated Email Server Profile for native SMTP-based alerting, and other methods like syslog or SNMP need additional infrastructure to generate emails.

How to eliminate wrong answers

Option B is wrong because SNMP trap receivers forward traps to an SNMP manager, not directly to email; they require additional translation or middleware to convert traps into email messages, which is not a recommended or native method. Option C is wrong because ICMP echo replies are a network diagnostic tool and have no mechanism to trigger email alerts; this would require a separate scripting tool and is not a supported configuration on the firewall. Option D is wrong because syslog servers forward log messages to a centralized logging system, but they do not natively send email alerts; additional configuration or a separate email gateway would be needed to convert syslog messages into emails.

98
MCQ · hard

A Palo Alto Networks firewall is configured with a security rule that allows 'web-browsing' and has a URL Filtering Profile to block 'malware' sites. However, users can still access known malware URLs. What is the most likely cause?

A. The 'malware' URL Category is not added to the security rule's URL Category list.
B. The 'web-browsing' application is not being identified correctly by App-ID.
C. SSL Decryption is not enabled, so the firewall cannot inspect HTTPS URLs.
D. The URL Filtering Profile is not applied to the correct security rule.
Answer: D

Without proper application, the profile has no effect.

Why this answer

The most likely cause is that the URL Filtering Profile is not applied to the correct security rule. Even if a security rule allows 'web-browsing' and a URL Filtering Profile is configured to block 'malware' sites, the profile must be explicitly attached to that rule in the 'Actions' tab under 'Profile Group' or 'URL Filtering Profile'. If it is applied to a different rule or not applied at all, the firewall will not enforce the URL filtering action, allowing access to known malware URLs.

Exam trap

The trap here is that candidates often assume URL Filtering Profiles are automatically applied when a security rule allows web-browsing, but they must be explicitly attached to the rule, and the question tests this specific configuration requirement.

How to eliminate wrong answers

Option A is wrong because the 'malware' URL Category does not need to be added to the security rule's URL Category list; URL Filtering Profiles operate independently of the rule's category list and are applied via a profile setting. Option B is wrong because the 'web-browsing' application is a standard, well-defined application that App-ID reliably identifies using multiple signatures (e.g., HTTP header analysis, port 80/443 traffic patterns); misidentification is unlikely to be the cause here. Option C is wrong because SSL Decryption is not required for URL Filtering to inspect HTTPS URLs; the firewall can still perform URL categorization based on the Server Name Indication (SNI) field in the TLS handshake or the IP address, even without decryption.

99
Matchingmedium

Match each Palo Alto Networks service to its typical use.


Concepts
Matches

Centralized management of multiple firewalls

Threat intelligence and analysis

SaaS security for cloud applications

Endpoint detection and response

Why these pairings

These are additional Palo Alto Networks services.

100
MCQhard

A syslog server is only reachable through a specific interface on the firewall. To ensure syslog logs are sent via that interface, which configuration is required?

A.Configure a static route for the syslog server IP
B.Set up a service route for syslog
C.Enable NAT on the syslog traffic
D.Use policy-based forwarding for syslog traffic
AnswerB

Service routes define the source interface and next-hop for management services like syslog.

Why this answer

Service routes in Palo Alto Networks firewalls allow you to specify which source interface or IP address is used for outbound traffic from the firewall itself, such as syslog, SNMP, or authentication. By configuring a service route for syslog, you ensure that syslog messages are sourced from the specific interface that can reach the syslog server, even if the routing table would otherwise choose a different path.

Exam trap

The trap here is that candidates often confuse service routes with static routes or policy-based forwarding, assuming that any routing change will fix the source interface issue, but service routes are the only mechanism that controls the source interface for firewall-originated traffic.

How to eliminate wrong answers

Option A is wrong because configuring a static route for the syslog server IP only influences the path taken by packets destined to that server, but does not control the source interface or source IP used by the firewall when sending syslog messages; the firewall may still use a different source interface based on its default route or management interface. Option C is wrong because enabling NAT on syslog traffic would translate the source IP address but does not guarantee that traffic egresses through a specific interface; NAT operates after the routing decision and does not force interface selection. Option D is wrong because policy-based forwarding (PBF) is used to override routing decisions for traffic passing through the firewall (transit traffic), not for traffic originated by the firewall itself, such as syslog logs.

101
Multi-Selecthard

Which THREE are valid components of Content-ID? (Choose three.)

Select 3 answers
A.Application Filters
B.Application Override
C.URL Filtering
D.File Blocking
E.Data Filtering
AnswersC, D, E

URL Filtering is a Content-ID feature.

Why this answer

Options C, D, and E are correct because Content-ID includes URL Filtering, File Blocking, and Data Filtering. Option A is wrong because Application Filters are part of App-ID, not Content-ID. Option B is wrong because Application Override is also part of App-ID.

102
MCQmedium

A company wants to ensure that decryption policies are applied based on the user identity. The firewall is integrated with Active Directory. Which decryption policy matching criteria should be used?

A.Source user
B.URL category
C.Source zone
D.Source IP address
AnswerA

Source user matches authenticated usernames.

Why this answer

Source user allows matching based on user identity from AD.

103
MCQhard

An administrator notices that traffic from a specific IP 10.10.10.5 is not matching the expected security rule that should allow HTTP traffic. The rule uses a source address object defined as '10.10.10.0/24'. Upon investigation, the administrator finds that the traffic is from IP 10.10.10.5, but the rule still does not match. What is the most likely cause?

A.The traffic is being decrypted by a decryption policy before reaching the security rule.
B.The rule's source zone is set to 'DMZ' instead of 'Internal'.
C.A rule above this rule shadows it, blocking the traffic before evaluation.
D.The source address object is defined with a netmask of /32 instead of /24.
AnswerD

Correct. A /32 netmask means the object matches only the single IP 10.10.10.0, not the entire subnet.

Why this answer

The address object uses a /24 netmask, so it should include .5. However, the object might have been defined with a wrong netmask or the rule is not using the object correctly. In this scenario, the issue is that the address object was accidentally set to /32, which matches only .0.

104
MCQmedium

An administrator is configuring a new Palo Alto Networks firewall and wants to ensure that management access to the firewall is secure. Which of the following is a best practice for securing management access?

A.Enable the default admin account with a strong password.
B.Allow HTTP access to the management interface for ease of use.
C.Use a dedicated management interface and restrict access to trusted IP addresses.
D.Enable SNMP with read-write community strings for monitoring.
AnswerC

This limits attack surface and is a best practice.

Why this answer

Option C is correct because using a dedicated management interface physically separates management traffic from data traffic, reducing the attack surface. Restricting access to trusted IP addresses via an access list ensures that only authorized hosts can reach the management plane, which is a foundational security best practice for any network device, including Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often think a strong password alone is sufficient for the default admin account, but Palo Alto Networks best practices explicitly recommend disabling or renaming the default admin to prevent credential-based attacks against a known username.

How to eliminate wrong answers

Option A is wrong because the default admin account should be disabled or renamed to prevent brute-force attacks against a well-known username, even with a strong password. Option B is wrong because HTTP transmits credentials and data in cleartext, exposing the management interface to interception; HTTPS (TLS) must be used instead. Option D is wrong because SNMP with read-write community strings is a security risk as community strings are sent in cleartext and can allow unauthorized modification of the firewall's configuration or monitoring data.

105
MCQmedium

An admin creates an application group named 'web-apps' that includes 'web-browsing' and 'ssl'. They apply it to a security rule. However, traffic from a client accessing Facebook is being blocked. What is a likely reason?

A.The rule has no source zone
B.The rule's action is set to allow but the application group is configured incorrectly
C.Facebook uses a different application not in the group
D.The application group includes 'ssl' which is not an application
AnswerC

Facebook is identified as 'facebook' or similar, not 'web-browsing'.

Why this answer

Option C is correct because Facebook traffic is identified by the 'facebook-base' application, not by 'web-browsing' or 'ssl'. The application group 'web-apps' only includes 'web-browsing' and 'ssl', so any application not matching those signatures—such as Facebook—will not be allowed by the rule. Palo Alto Networks next-generation firewalls use App-ID to classify traffic based on application signatures, and a security rule only permits traffic that matches the applications explicitly listed in the rule or group.

Exam trap

The trap here is that candidates assume 'web-browsing' and 'ssl' cover all HTTPS traffic, but Palo Alto Networks treats each application (e.g., Facebook, YouTube) as a separate App-ID, so a rule must explicitly include the specific application to allow it.

How to eliminate wrong answers

Option A is wrong because a missing source zone would cause the rule to not apply at all, but the traffic is being blocked, implying the rule is matched and the action is deny (or no allow rule matches). Option B is wrong because if the rule's action were set to allow and the application group were configured incorrectly, the traffic would still be evaluated; the issue is not a misconfiguration of the group but that Facebook's application is simply not in the group. Option D is wrong because 'ssl' is a valid application object in Palo Alto Networks that represents SSL/TLS encrypted traffic; it is correctly included in the group.

106
MCQeasy

A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?

A.HA1 interface
B.VLAN interface
C.Ethernet 1/1
D.MGT (Management) interface
AnswerD

The MGT interface is a dedicated management port that can be assigned an IP on a separate VLAN for out-of-band management.

Why this answer

The MGT (Management) interface is a dedicated physical port on Palo Alto Networks firewalls designed specifically for out-of-band management traffic. It operates on a separate routing table and does not participate in production data forwarding, ensuring complete isolation of management traffic from production traffic as required by the scenario.

Exam trap

The trap here is that candidates often confuse the MGT interface with a standard data interface (like Ethernet 1/1) or a logical VLAN interface, assuming any interface can be used for management if an IP address is assigned, but the PCNSA emphasizes the need for out-of-band management isolation via the dedicated MGT port.

How to eliminate wrong answers

Option A is wrong because the HA1 interface is used exclusively for firewall high-availability control plane synchronization (heartbeat and session state), not for general management access. Option B is wrong because a VLAN interface is a logical Layer 3 interface that routes production traffic within a VLAN, and it does not provide out-of-band management isolation; using it would mix management and production traffic. Option C is wrong because Ethernet 1/1 is a standard data port that forwards production traffic and can be configured for in-band management, but it does not offer the dedicated, isolated management plane that the MGT interface provides.

107
MCQhard

Refer to the exhibit. The administrator sees that traffic from 10.10.1.12 is being denied by rule2. Which action should the administrator take to allow this traffic while maintaining security?

A.Add 10.10.1.12 to rule1's source address.
B.Change rule2 to allow.
C.Create a new rule above rule2 that allows the specific traffic with appropriate security profiles.
D.Move rule2 above rule1.
AnswerC

This targets only the denied traffic while maintaining security profiles.

Why this answer

Option C is correct because creating a new rule above rule2 that specifically allows traffic from 10.10.1.12 (or the appropriate subnet) with proper security profiles will permit the traffic without affecting other rules. Option B would allow all traffic matched by rule2, which might be too broad. Option D would cause rule2 to be evaluated before rule1, potentially denying traffic that should be allowed.

Option A would modify rule1's source, possibly allowing unintended traffic.

108
MCQeasy

Which monitoring tool in Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?

A.Dashboard
B.Policy Optimizer
C.Log Viewer
D.Reports
AnswerA

The Dashboard includes decryption widgets for real-time monitoring.

Why this answer

The Dashboard in Palo Alto Networks firewall provides real-time visibility into decryption statistics, including the number of sessions decrypted, certificate errors, and decryption failures. This is accessible via the 'Decryption' widget on the Dashboard, which aggregates live data from the decryption engine without requiring log queries or report generation.

Exam trap

The trap here is that candidates often confuse the Dashboard's real-time widgets with the Log Viewer's detailed but historical decryption logs, assuming that any monitoring of decryption must come from logs rather than the live summary view.

How to eliminate wrong answers

Option B (Policy Optimizer) is wrong because it is designed to analyze and recommend security policy rule changes based on traffic patterns, not to display real-time decryption statistics. Option C (Log Viewer) is wrong because it shows historical log entries (e.g., traffic, threat, or decryption logs) but does not provide a real-time aggregated view of decryption metrics like session counts or certificate errors. Option D (Reports) is wrong because it generates scheduled or on-demand historical reports from log data, not live decryption statistics.

109
MCQhard

Refer to the exhibit. A network engineer observes a high number of SSL handshake failures. Which action is most likely to reduce these failures?

A.Disable decryption for traffic using unsupported ciphers.
B.Reissue the forward untrust certificate with a stronger key size.
C.Increase the certificate cache size to accommodate more certificates.
D.Ensure the forward trust certificate is trusted by internal clients.
AnswerD

If clients do not trust the forward trust certificate, SSL handshakes will fail. This is a common cause of handshake failures.

Why this answer

The majority of failures are SSL handshake failures (2000 out of 3000). A common reason is that the forward trust certificate is not trusted by clients, causing the client to reject the connection during the handshake.

110
MCQmedium

A security rule is configured with source zone 'Trust', destination zone 'Untrust', source address 'any', destination address '10.10.10.0/24', application 'ssl', service 'https', action 'allow', log at session end. A user from Trust zone tries to access https://10.10.10.5. The traffic is not matching. What is the most likely reason?

A.The application ssl is not matching because HTTPS traffic may be classified as web-browsing.
B.The action should be 'allow with security profile'.
C.The service https requires TCP 443, but ssl application is used for encryption.
D.The destination address is a specific subnet but the user is accessing a host within that subnet.
AnswerA

HTTPS is web-browsing, not ssl.

Why this answer

Option A is correct; SSL is a VPN/encryption protocol, not HTTPS. HTTPS traffic is typically classified as web-browsing. Option B is wrong because the service match works if the port matches (TCP 443); the application mismatch is the issue.

Option C is wrong because the https service does match TCP 443. Option D is wrong because a host inside the destination subnet matches the subnet address object, so no change there is needed.

111
MCQhard

A multinational company has deployed a Palo Alto Networks firewall in a datacenter to provide internet access to employees in the corporate office and remote branches via IPsec VPN. The firewall is configured with multiple virtual routers, security zones (trust, untrust, dmz, vpn), and policies for application and URL filtering. Recently, users in the corporate office report that they cannot access a critical cloud-based CRM application (https://crm.company.com) from their workstations, while access from remote VPN users works fine. Other websites are accessible from the corporate office. The IT team has verified that DNS resolution is correct and that the CRM server responds to pings from the firewall's management IP. The security policy includes a rule from trust to untrust that allows application 'crm-base' and 'ssl' with URL category 'crm-sites'. The administrator has checked the traffic logs and sees that sessions are being denied with the reason 'application mismatch'. Which of the following is the most likely cause and correct course of action?

A.Update the application and threat signatures to the latest version, and verify that the application 'crm-base' correctly identifies the CRM traffic. If not, expand the policy to include a fallback application or use custom App-ID.
B.Enable SSL decryption to inspect the traffic and improve application identification.
C.Modify the security policy to allow application 'web-browsing' instead of 'crm-base' and 'ssl'.
D.Check that the destination address object for the CRM server is correct and includes the CDN IPs.
AnswerA

Keeping signatures updated ensures proper application identification. If the application is still not recognized, using a broader application (like 'ssl' with URL category) or creating a custom App-ID can resolve the mismatch.

Why this answer

Option A is correct. The application mismatch indicates the firewall is not identifying the traffic as the expected application. Likely the application signature needs to be updated or the policy should use a broader application.

Option B is wrong because decryption would not cause a mismatch; it would help identify applications. Option C is wrong because the policy is already allowing ssl; changing to web-browsing would be too broad and could bypass intent. Option D is wrong because the destination is correctly set; the issue is application identification.

112
Multi-Selecteasy

Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.SSH Proxy
B.SSL Forward Proxy
C.SSL Inbound Inspection
D.TLS 1.3 Decryption
E.SSL Reverse Proxy
AnswersB, C

Used for outbound decryption.

Why this answer

SSL Forward Proxy is correct because it allows the firewall to decrypt outbound SSL/TLS traffic from internal clients to external servers, enabling inspection of encrypted content for threats and data filtering. This is a core decryption feature in Palo Alto Networks firewalls, distinct from inbound inspection.

Exam trap

The trap here is that candidates may confuse 'SSL Reverse Proxy' with 'SSL Inbound Inspection' or think 'TLS 1.3 Decryption' is a separate feature, when Palo Alto Networks only defines two decryption types: SSL Forward Proxy and SSL Inbound Inspection.

113
Multi-Selecthard

Which THREE of the following are requirements for configuring High Availability (HA) on Palo Alto Networks firewalls?

Select 3 answers
A.Both firewalls must be from different hardware families
B.The firewalls must be connected via a dedicated HA link using the management port
C.Firewalls in an HA pair must be on the same network segment for failover
D.The firewalls must have layer 2 connectivity for heartbeats
E.Both firewalls must be running the same PAN-OS version
AnswersC, D, E

Both firewalls share the same IP addresses for virtual IPs; they need Layer 2 adjacency.

Why this answer

Option C is correct because for HA failover to function properly, both firewalls must reside on the same Layer 2 network segment. This ensures that when the active firewall fails, the passive firewall can assume the same IP addresses and MAC addresses without requiring ARP updates or routing changes, enabling seamless traffic failover.

Exam trap

The trap here is that candidates often confuse the dedicated HA link requirement with the management port, incorrectly assuming the MGT port can be used for HA heartbeats, when in fact only a dedicated data-plane interface or HA-specific port is supported.

114
MCQeasy

A network administrator needs to block traffic to a specific external website. Which object type should be used in the security policy to define the destination?

A.Schedule
B.Service
C.Address
D.Tag
AnswerC

Address objects define IP addresses or FQDNs, making them suitable for specifying a destination.

Why this answer

To block traffic to a specific external website in a Palo Alto Networks security policy, you must define the destination using an Address object. Address objects can represent IP addresses, FQDNs, or URL categories, and they are referenced in the Destination field of a security rule to match traffic destined for that target. This allows the firewall to enforce the block action against the specified external site.

Exam trap

The trap here is that candidates often confuse the purpose of Service objects (thinking they define the destination website) because they associate 'service' with web traffic, but Service objects only define protocol/port, not the destination host or IP.

How to eliminate wrong answers

Option A is wrong because a Schedule object defines time-based conditions for when a policy is active, not the destination of traffic. Option B is wrong because a Service object specifies the protocol and port (e.g., TCP/443) used by the traffic, not the destination address. Option D is wrong because a Tag is a metadata label used for grouping and filtering objects in the management interface, not a match criterion for traffic destinations.

115
Multi-Selecteasy

Which three of the following services are commonly permitted on the management interface? (Choose three.)

Select 3 answers
A.HTTP
B.Ping
C.HTTPS
D.Telnet
E.SSH
AnswersB, C, E

Ping is commonly permitted for network reachability testing.

Why this answer

Ping (ICMP Echo) is commonly permitted on the management interface because it allows network administrators to verify the interface's reachability and responsiveness without exposing management services to unnecessary risk. While ICMP is not a management protocol per se, it is a fundamental troubleshooting tool that is typically allowed on the management plane to test connectivity to the management IP address.

Exam trap

Palo Alto Networks often tests the misconception that HTTP and Telnet are acceptable for management access because they are 'simpler' or 'legacy' protocols, but the PCNSA exam emphasizes that only encrypted protocols (HTTPS, SSH) and basic troubleshooting (ping) are permitted on the management interface.

116
Multi-Selecteasy

An administrator wants to enforce that only certain approved applications can be used on the network. Which TWO features should be configured?

Select 2 answers
A.WildFire
B.User-ID
C.Application-ID
D.URL Filtering
E.Content-ID
AnswersC, E

Allows identification and enforcement based on application signatures.

Why this answer

Options C and E are correct. Application-ID identifies and controls applications, while Content-ID controls file transfers and data patterns. User-ID controls user access, URL Filtering controls web categories, and WildFire analyzes unknown files.

117
MCQmedium

A company uses Panorama to manage multiple firewalls. The administrator wants changes made in Panorama to be automatically pushed to managed firewalls without manual intervention. Which setting should be enabled?

A.Scheduled Config Update
B.Auto Push on Panorama
C.Schedule Commit
D.Commit on Startup
E.Auto Commit in Panorama Push Settings
AnswerE

This setting automatically pushes committed changes to managed firewalls.

Why this answer

Option E is correct because the 'Auto Commit on Panorama Push Settings' feature enables Panorama to automatically commit and push configuration changes to managed firewalls immediately after an administrator commits on Panorama, eliminating the need for manual intervention. This setting is specifically designed for automated deployment workflows where changes must be propagated without delay.

Exam trap

The trap here is that candidates confuse 'Auto Commit on Panorama Push Settings' with 'Scheduled Config Update' or 'Schedule Commit', assuming any scheduling or automation feature will suffice, but only the specific Panorama push setting provides automatic propagation upon commit.

How to eliminate wrong answers

Option A is wrong because 'Scheduled Config Update' is a feature for scheduling periodic configuration backups or updates, not for automatically pushing changes upon commit. Option B is wrong because 'Auto Push on Panorama' is not a valid setting in Panorama; the correct term is 'Auto Commit on Panorama Push Settings'. Option C is wrong because 'Schedule Commit' allows scheduling a commit operation at a specific time but does not automatically push the committed changes to managed firewalls.

Option D is wrong because 'Commit on Startup' is not a Panorama feature; it refers to a firewall boot-time behavior where the startup configuration is committed, unrelated to Panorama push automation.

118
MCQmedium

Refer to the exhibit. An administrator attempts to ping the firewall's management IP (192.168.1.1) from a host on the same subnet (192.168.1.0/24) but receives no response. What is the most likely cause?

A.The host is on a different VLAN than the management subnet
B.The management interface is down
C.The firewall is in HA passive state
D.Ping is disabled on the management interface by default
AnswerD

ICMP echo replies are disabled by default for security.

Why this answer

By default, the management interface on a Palo Alto Networks firewall does not respond to ICMP echo requests (pings) unless the 'ping' service is explicitly enabled under the interface's management profile. This is a security measure to reduce the attack surface. The administrator must configure a management profile that permits ping and apply it to the management interface for ICMP responses to work.

Exam trap

The trap here is that candidates assume a firewall's management interface will respond to ping by default, similar to a router or switch, but Palo Alto Networks intentionally disables ICMP echo on the management interface to enforce least-privilege access.

How to eliminate wrong answers

Option A is wrong because the host and the management IP are on the same subnet (192.168.1.0/24), so a VLAN mismatch would not affect Layer 2 connectivity within the same broadcast domain; the management interface sits on a separate VLAN only if configured that way, and here the subnet is identical. Option B is wrong because if the management interface were down, the host would receive no ARP reply or connectivity at all; a working interface that simply does not answer ICMP produces the same 'no response' symptom, so an interface outage is the more severe and less likely explanation. Option C is wrong because an HA passive state does not disable ICMP responses on the management interface; the passive firewall's management interface remains operational for administrative access unless specifically configured otherwise, and HA state does not affect default ping behavior.

119
MCQmedium

A network administrator notices that traffic from the internal zone to the external zone is being denied, even though a security policy allowing all outbound traffic exists. The internal zone is configured with a zone protection profile that has Flood Protection enabled. What is the most likely cause of the denial?

A.The security policy is set to deny due to an implicit deny rule.
B.The zone protection profile has Flood Protection thresholds set too low, causing legitimate traffic to be dropped.
C.The security policy has a logging profile attached that is blocking traffic.
D.The security policy has a schedule configured that is currently outside the allowed time.
AnswerB

Flood Protection thresholds can drop traffic that exceeds defined limits, even if the traffic is legitimate.

Why this answer

Option B is correct because the zone protection profile's Flood Protection can erroneously block legitimate traffic if threshold values are too low. Option C is wrong because logging profiles do not affect traffic flow. Option D is wrong because schedule settings would either allow or deny traffic at certain times, but the policy is set to allow always.

Option A is wrong because the zone protection profile with Flood Protection is the most likely cause, not the security policy itself.

120
MCQmedium

Refer to the exhibit. A security analyst wants to ensure that all HTTPS traffic from internal users to the internet is decrypted for inspection. However, traffic from the 'corp-users' group is being blocked instead of decrypted. Which configuration change should be made?

A.Add a new rule above rule 1 to decrypt corp-users traffic.
B.Move rule 2 above rule 1.
C.Change rule 4 to 'allow' instead of 'block'.
D.Change rule 2 to use 'any' for source user.
AnswerB

Currently rule 1 (no-decrypt) is first and matches all internal to external traffic, so traffic from corp-users matches rule 1 and is not decrypted. Then rule 4 blocks undecrypted traffic. Moving rule 2 above rule 1 ensures that corp-users traffic matches the decrypt rule first.

Why this answer

The policy is evaluated top-down. Rule 1 (no-decrypt) matches all internal to external traffic, so even corp-users hit rule 1 first. Then rule 4 blocks any undecrypted traffic.

Moving rule 2 above rule 1 ensures that corp-users HTTPS traffic is decrypted first.

121
MCQmedium

Refer to the exhibit. An administrator notices that some HTTPS sessions are not being decrypted. Which configuration change would address the most common cause of decryption failures shown?

A.Enable 'allow expired certificates' in the SSL decryption profile.
B.Configure a forward trust certificate that is valid and trusted.
C.Increase the session timeout for decryption.
D.Enable support for SSLv3 in the decryption profile.
AnswerA

The warning indicates an expired server certificate. Enabling 'allow expired certificates' will permit decryption even if the server certificate is expired.

Why this answer

The log shows a warning about an expired server certificate causing decryption failure. By enabling 'allow expired certificates' in the decryption profile, the firewall will continue to decrypt traffic even if the server certificate is expired.

122
MCQhard

A large enterprise operates multiple data centers with a Palo Alto Networks firewall pair in each data center in active/passive HA. The firewalls are managed by Panorama. Recently, after a power outage in Data Center A, both firewalls in that data center came back online but are not passing traffic. The network team confirms that the switches and routers are operational. The Panorama administrator sees that both firewalls are connected and show green in the Managed Devices tab. However, the active firewall in Data Center A shows "HA state: passive" and the other firewall also shows "passive". The administrator suspects a configuration issue. What is the most likely cause and corrective action?

A.Both firewalls have the same priority and preemptive is not enabled; configure different priorities and enable preemptive.
B.The HA firewall link is down; check and reconnect the Layer 2 link between the firewalls.
C.The HA configuration is missing a heartbeat interface; add a dedicated heartbeat interface.
D.The preemptive settings are misconfigured; change the priority to make one firewall active.
AnswerA

Equal priority with preemptive disabled causes both to remain passive. Differing priorities with preemptive enabled allow one to become active.

Why this answer

In an active/passive HA pair, if both firewalls show 'passive', it typically means they cannot determine which should be active. This occurs when both have the same priority and preemptive is disabled, so neither can claim the active role after a reboot. Configuring different priorities and enabling preemptive ensures one firewall becomes active based on its higher priority (lower numerical value).

Exam trap

The trap here is that candidates often assume a missing heartbeat interface or a link failure causes both firewalls to be passive, but in reality those scenarios cause split-brain (both active) or HA not forming, not both passive.

How to eliminate wrong answers

Option B is wrong because the HA firewall link being down would cause both firewalls to show as 'active' (split-brain), not both as 'passive'. Option C is wrong because a missing heartbeat interface would prevent HA formation entirely, but the firewalls are already connected and showing green in Panorama, indicating HA is established. Option D is wrong because simply changing the priority without enabling preemptive would not force an election after both firewalls reboot simultaneously; preemptive must be enabled to trigger a role change when priorities differ.

123
Multi-Selecteasy

A network administrator wants to collect and analyze traffic logs from a Palo Alto firewall. Which two methods can be used? (Choose two.)

Select 2 answers
A.Use the CLI command 'show log traffic'.
B.Use SNMP to retrieve logs.
C.Configure Panorama to collect logs.
D.Export logs to a CSV file from the GUI.
E.View logs in the Monitor tab.
AnswersC, D

Panorama acts as a central log collector.

Why this answer

Panorama is the centralized management platform for Palo Alto Networks firewalls, capable of collecting logs from multiple firewalls for aggregation, analysis, and reporting. Option C is correct because Panorama can be configured to receive traffic logs from managed firewalls, enabling centralized log collection and analysis without relying on individual firewall storage or manual export.

Exam trap

The trap here is that candidates confuse local log viewing (Monitor tab or CLI) with log collection methods, failing to recognize that 'collection' implies external aggregation or export, not just on-device display.

124
MCQeasy

A security administrator wants to inspect decrypted traffic for threats. What is the minimum set of features required?

A.SSL Decryption and Threat Prevention
B.Threat Prevention only
C.SSL Decryption only
D.SSL Decryption and URL Filtering
AnswerA

Both are needed: decryption to see the content, threat prevention to detect threats.

Why this answer

To inspect decrypted traffic for threats, you must first decrypt the traffic using SSL Decryption, which terminates the SSL/TLS session and allows the firewall to examine the plaintext payload. Then, Threat Prevention (which includes IPS, antivirus, and anti-spyware signatures) can analyze that decrypted content for malicious patterns. Without SSL Decryption, Threat Prevention only sees encrypted traffic and cannot inspect the payload; without Threat Prevention, SSL Decryption alone provides no threat detection.

Therefore, both features are required.

Exam trap

The trap here is that candidates often think SSL Decryption alone is sufficient for security, forgetting that decryption is just an enabler and not a security feature itself, or they assume URL Filtering can inspect content, which it cannot.

How to eliminate wrong answers

Option B is wrong because Threat Prevention alone cannot inspect encrypted traffic — it requires decrypted payloads to apply signatures, so it would miss threats in HTTPS sessions. Option C is wrong because SSL Decryption only decrypts traffic but does not perform any threat inspection; it merely makes the content visible but takes no action on threats. Option D is wrong because URL Filtering categorizes and controls access based on URLs, not threat inspection; it does not analyze decrypted content for malware or exploits, so it cannot replace Threat Prevention.

125
MCQeasy

A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?

A.Destination NAT policy to translate the public IP to the internal server.
B.SSL decryption policy to decrypt traffic to the web server.
C.A security policy rule that allows traffic from the internet zone to the DMZ zone and has a threat prevention profile attached.
D.A QoS policy to prioritize web traffic.
AnswerC

The security rule with a threat profile enables inspection of allowed traffic.

Why this answer

Option C is correct because a security policy rule that allows traffic from the internet zone to the DMZ zone with a threat prevention profile attached is the essential component to inspect all traffic from the internet to the internal web server for threats. The threat prevention profile enables the firewall to perform intrusion prevention system (IPS) and antivirus inspection on the allowed traffic, ensuring malicious content is blocked. Without this profile, traffic would be permitted but not inspected for threats, failing the requirement.

Exam trap

The trap here is that candidates often confuse the necessity of NAT or SSL decryption as the primary component for threat inspection, overlooking that the security policy rule with a threat prevention profile is the actual enforcement point for inspecting traffic.

How to eliminate wrong answers

Option A is wrong because a Destination NAT policy translates the public IP to the internal server's private IP, which is necessary for routing but does not perform any threat inspection; it only changes the destination address. Option B is wrong because SSL decryption policy is only required if the web server uses HTTPS to decrypt encrypted traffic for inspection, but the question does not specify HTTPS, and even with decryption, a threat prevention profile must still be attached to the security rule to inspect the decrypted content. Option D is wrong because a QoS policy prioritizes web traffic for bandwidth management but does not inspect traffic for threats; it only affects traffic queuing and scheduling.

126
Multi-Selectmedium

A security administrator is reviewing best practices for creating security policies on a Palo Alto Networks firewall. Which two of the following are recommended practices?

Select 2 answers
A.Use security policy tags to group rules.
B.Use the 'any' zone for source and destination to reduce rule count.
C.Disable logging on rules that permit traffic to reduce log volume.
D.Use security profile groups to apply multiple profiles.
E.Place more specific rules at the top of the rulebase.
AnswersD, E

Security profile groups simplify management by applying a consistent set of threat prevention profiles across multiple rules, ensuring effective security coverage.

Why this answer

Security profile groups allow administrators to bundle multiple security profiles (e.g., antivirus, anti-spyware, vulnerability protection, URL filtering) into a single object. This simplifies policy management, ensures consistent enforcement, and reduces the risk of misconfiguration by applying a predefined set of protections to a rule.

Exam trap

The trap here is that candidates often confuse security policy tags (which are metadata for filtering/reporting) with actual rule grouping mechanisms, or they mistakenly think disabling logging on permit rules is a valid optimization technique, when in fact it violates best practices for auditability and threat detection.

127
MCQmedium

A security administrator notices that traffic from a specific subnet is not being logged in the Traffic logs, although the traffic is allowed by a security policy rule. Which configuration setting should be verified?

A.Zone Protection profile is set to 'Log at Session Start'
B.The Log Forwarding profile is not applied
C.The rule has 'Log at Session End' disabled
D.Disable Server Response Inspection on the rule
AnswerC

If 'Log at Session End' is not checked, traffic matching the rule will not be logged.

Why this answer

Option C is correct because the 'Log at Session End' setting on a security policy rule controls whether traffic matching that rule generates a Traffic log entry when the session closes. If this setting is disabled, the firewall will allow the traffic per the rule but will not record it in the Traffic logs, which matches the scenario where traffic is permitted but not logged.

Exam trap

The trap here is that candidates often confuse Log Forwarding profiles with the actual logging toggle on the rule, assuming that applying a forwarding profile is required for logging to occur, when in fact the rule's own 'Log at Session End' setting is the primary control for local Traffic log generation.

How to eliminate wrong answers

Option A is wrong because Zone Protection profiles are applied to zones, not individual rules, and their 'Log at Session Start' setting logs session initiation events, not the traffic flow itself; disabling it would not prevent Traffic logs from being generated by the rule. Option B is wrong because a Log Forwarding profile is used to send logs to external systems (e.g., Panorama, syslog), not to enable or disable logging on the rule itself; traffic will still be logged locally even without a forwarding profile. Option D is wrong because Disable Server Response Inspection affects how the firewall handles server responses (e.g., for decryption or threat prevention), not whether traffic is logged; it has no impact on Traffic log generation.

128
Multi-Selectmedium

When creating a security policy to block malware, which THREE profile types should be applied for comprehensive protection?

Select 3 answers
A.Antivirus
B.URL Filtering
C.Vulnerability Protection
D.File Blocking
E.Anti-Spyware
AnswersA, C, E

Antivirus scans for known viruses and malware.

Why this answer

Options A, C, and E are correct. Antivirus blocks known malware, Anti-Spyware blocks spyware and grayware, and Vulnerability Protection blocks exploit attempts. URL Filtering controls access by URL category, and File Blocking blocks specific file types.

129
MCQmedium

A network administrator wants to monitor HTTPS traffic without decrypting it, but still wants to identify the applications being used. Which feature can be used to identify HTTPS applications without decryption?

A.SSL Decryption Mirror
B.App-ID with SSL protocol detection
C.SSL Forward Proxy
D.URL Filtering
AnswerB

App-ID can often identify applications in encrypted traffic without decryption.

Why this answer

App-ID with SSL protocol detection allows the firewall to identify HTTPS applications by inspecting the Server Name Indication (SNI) field in the TLS handshake and the certificate common name, without decrypting the traffic. This enables application identification while preserving encryption, meeting the requirement to monitor HTTPS traffic without decryption.

Exam trap

The trap here is that candidates often confuse SSL Forward Proxy (which requires decryption) with SSL protocol detection (which does not), or assume URL Filtering alone can identify applications within encrypted traffic, but it only identifies the destination URL, not the application itself.

How to eliminate wrong answers

Option A is wrong because SSL Decryption Mirror is not a standard feature; it is likely confused with SSL Forward Proxy decryption or traffic mirroring, which still requires decryption to inspect content. Option C is wrong because SSL Forward Proxy is a decryption method that terminates and re-encrypts HTTPS traffic, requiring decryption to inspect the payload, which violates the 'without decrypting it' requirement. Option D is wrong because URL Filtering relies on URL categories and can identify destinations, but it cannot identify the specific application (e.g., Facebook vs. YouTube) within HTTPS traffic without decryption or additional metadata.

130
Multi-Selectmedium

Which TWO statements about External Dynamic Lists (EDLs) are true?

Select 2 answers
A.EDLs can be used in security policy source and destination fields.
B.EDLs have a fixed refresh interval that cannot be changed.
C.EDLs must be manually updated by an administrator.
D.EDLs support both IP addresses and URLs.
E.EDLs allow the administrator to add individual IPs directly via the GUI.
AnswersA, D

EDLs can be used as address objects in policies.

Why this answer

Option A is correct because External Dynamic Lists (EDLs) can be used as source or destination objects in security policy rules. This allows the firewall to match traffic against a regularly updated list of IP addresses or URLs hosted externally, enabling dynamic threat intelligence integration without manual rule changes.

Exam trap

Palo Alto Networks often tests the misconception that EDLs require manual updates or have fixed refresh intervals, when in fact they are fully automated and configurable, and the misconception that EDLs can only be used for IP addresses, not URLs (they support both).

131
MCQmedium

Refer to the exhibit. The administrator notices that traffic from 192.168.1.100 to 10.1.1.1 using HTTPS is being blocked. What is the most likely cause?

A.The source IP is not in the range.
B.The destination is in 10.0.0.0/8 but the policy is missing service TCP/443.
C.The rule is not committed.
D.The application is web-browsing, but HTTPS uses ssl application.
AnswerD

HTTPS uses ssl application, not web-browsing.

Why this answer

The exhibit shows a security policy rule that allows 'web-browsing' application traffic. HTTPS traffic uses the 'ssl' application, not 'web-browsing'. Since the rule's application match is set to 'web-browsing', it does not match HTTPS sessions, causing them to be blocked by the implicit deny rule at the end of the policy.

Exam trap

Palo Alto Networks often tests the misconception that allowing a port (TCP/443) is sufficient to permit HTTPS traffic, but in Palo Alto firewalls, the application must also be explicitly allowed in the rule.

How to eliminate wrong answers

Option A is wrong because the source IP 192.168.1.100 is within the specified source range of 192.168.1.0/24. Option B is wrong because the destination 10.1.1.1 is within 10.0.0.0/8, and the rule does include service TCP/443 (HTTPS) — the issue is the application mismatch, not a missing service. Option C is wrong because the rule is shown in the committed configuration; the problem is a logical misconfiguration, not an uncommitted change.

132
MCQhard

A company has deployed a pair of PA-5250 firewalls in an Active/Passive HA configuration. The management network uses a separate subnet with addresses 10.0.0.0/24. The active firewall's management IP is 10.0.0.1, passive is 10.0.0.2. They have a virtual router configured with static routes. The HA configuration uses HA1 (backplane) for heartbeat and HA2 for session sync. After a power failure, both firewalls reboot. The active firewall comes up first and becomes active. The passive firewall later joins, but fails to become passive; it remains in 'non-functional' state. The administrator observes the following:

- HA1 link is up on both firewalls.
- HA2 link shows 'waiting for HA2 link' on the active.
- The passive firewall's management IP is reachable.
- The active firewall shows 'peer unreachable' in HA status.

What is the most likely cause?

A.The management interface on the passive is misconfigured
B.The HA1 configuration is missing the peer's management IP
C.The HA2 cable is faulty or misconfigured
D.The passive firewall has a different PAN-OS version
AnswerC

HA2 being in 'waiting for HA2 link' indicates no Layer 1 connectivity.

Why this answer

The active firewall shows 'waiting for HA2 link' and 'peer unreachable' despite HA1 being up and the passive management IP being reachable. This indicates that the HA2 link, which is responsible for session synchronization and state propagation, is not functioning. Since HA2 is required for the passive firewall to transition to a passive state, a faulty or misconfigured HA2 cable prevents the passive firewall from becoming operational, leaving it in a 'non-functional' state.

Exam trap

The trap here is that candidates often confuse HA1 and HA2 roles, assuming that if HA1 is up and management is reachable, the HA pair should form, but they overlook that HA2 is mandatory for the passive firewall to exit the 'non-functional' state and become passive.

How to eliminate wrong answers

Option A is wrong because the passive firewall's management IP is reachable, which means the management interface is correctly configured and operational; a misconfigured management interface would prevent reachability. Option B is wrong because the HA1 configuration missing the peer's management IP would cause HA1 heartbeat failure, but the HA1 link is up and the active firewall shows 'peer unreachable' specifically due to HA2 issues, not HA1. Option D is wrong because a different PAN-OS version would typically cause a version mismatch error or prevent HA formation entirely, not specifically result in 'waiting for HA2 link' and 'peer unreachable' while HA1 is up.

133
MCQhard

A firewall's management interface is configured with a public IP for remote management. After a firmware upgrade, HTTP access returns a 403 Forbidden error, but HTTPS works. What is the most likely cause?

A.HTTP certificate expired
B.HTTP is disabled by default after upgrade
C.Management profile HTTP permission revoked
D.Browser caching issue
E.HTTP port conflict
AnswerC

The management profile controls access; HTTP access may have been disabled during the upgrade.

Why this answer

Option C is correct because the management profile on a Palo Alto Networks firewall controls which services (HTTP, HTTPS, SSH, etc.) are allowed on each interface. After a firmware upgrade, the management profile may reset or have its HTTP permission explicitly revoked, causing HTTP access to return a 403 Forbidden error while HTTPS continues to work. The 403 error indicates the firewall is receiving the request but denying it due to policy, not a certificate or connectivity issue.

Exam trap

The trap here is that candidates often confuse a 403 Forbidden error with a certificate or connectivity problem, when in fact it indicates the firewall is actively rejecting the HTTP request due to a management profile permission being revoked.

How to eliminate wrong answers

Option A is wrong because an expired HTTP certificate would cause a browser security warning or connection failure, not a 403 Forbidden error; HTTP does not use certificates by default. Option B is wrong because HTTP is not disabled by default after a firmware upgrade; the upgrade preserves the existing management profile settings unless explicitly changed. Option D is wrong because a browser caching issue would typically cause stale content or a 404 error, not a 403 Forbidden response from the firewall itself. Option E is wrong because an HTTP port conflict would prevent the service from starting or cause a connection refusal, not a 403 Forbidden error after the connection is established.

134
MCQeasy

An administrator wants to ensure that all traffic from the engineering zone to the server zone is logged, but only when a session is established. Which log setting should be configured in the security rule?

A.Log at both session start and end
B.No log
C.Log at session end
D.Log at session start
AnswerD

Logging at session start captures the session establishment event.

Why this answer

Option D is correct because logging at session start records the session creation, which is when the session is established. Option C is wrong because logging at session end records only the termination. Option A is wrong because logging at both start and end would log the session twice. Option B is wrong because no logging is not useful for auditing.

135
MCQmedium

A decryption policy is configured to decrypt traffic to a specific external server. The admin notices that the traffic is not being decrypted. What is the first step in troubleshooting?

A.Verify that the decryption certificate is valid
B.Disable the SSL/TLS service profile
C.Check the traffic log to see if the policy is matched
D.Ensure that the server's certificate is imported
AnswerC

Traffic log shows whether the decryption policy was applied to the session.

Why this answer

The first step in troubleshooting a decryption policy that is not decrypting traffic is to check the traffic log to confirm whether the policy is actually being matched. If the traffic does not match the decryption rule, no decryption will occur regardless of certificate validity or other settings. This aligns with the systematic troubleshooting approach of verifying policy application before investigating deeper configuration issues.

Exam trap

The trap here is that candidates often jump to certificate issues (A or D) because SSL/TLS decryption heavily involves certificates, but the most fundamental check is whether the policy is even being triggered — a classic 'policy before crypto' troubleshooting principle.

How to eliminate wrong answers

Option A is wrong because verifying the decryption certificate is a secondary step; if the policy is not matched, the certificate is never used. Option B is wrong because disabling the SSL/TLS service profile would break decryption entirely, not help diagnose why an existing policy is not being applied. Option D is wrong because importing the server's certificate is not required for outbound decryption (forward proxy) — the firewall generates its own certificate for the client, and the server's certificate is validated but not imported.

136
MCQeasy

Refer to the exhibit. An administrator notices that SSH traffic from the trust zone to the untrust zone is being blocked. The administrator expected it to be allowed by rule 2. What is the most likely reason?

A.Rule 2's application is set to 'ssh' but the service is not 'application-default'
B.Rule 1 matches the traffic and is evaluated before rule 2
C.Rule 1 is configured with action 'allow'
D.Rule 2's source zone is incorrectly set to 'dmz'
AnswerB

Since rule 1 has 'any' zones and is higher in the rulebase, it blocks SSH before rule 2 is reached.

Why this answer

Option B is correct because rule 1 has source and destination zones 'any', matches all SSH traffic, and is placed before rule 2. Option C is wrong because the action of rule 1 is deny, not allow; the rule explicitly denies SSH. Options A and D are wrong because rule 2 does allow SSH but is never evaluated due to rule 1.

137
MCQhard

During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?

A.The client does not trust the firewall's CA certificate.
B.The server certificate is expired.
C.The firewall cannot reach the CRL or OCSP responder to validate the server certificate.
D.The decryption policy has an incorrect source zone.
AnswerC

This is a common cause of 'certificate_unknown' errors.

Why this answer

In forward proxy decryption, the firewall must validate the server certificate against a Certificate Revocation List (CRL) or via OCSP to ensure it hasn't been revoked. A 'certificate_unknown' error specifically indicates that the firewall cannot determine the revocation status of the server certificate, often because it cannot reach the CRL distribution point or OCSP responder. This is distinct from a certificate that is simply expired or untrusted by the client.

Exam trap

Palo Alto Networks often tests the distinction between client-side trust issues (option A) and server-side validation failures (option C), leading candidates to incorrectly assume the client must trust the firewall's CA when the error actually stems from the firewall's inability to verify the server certificate's revocation status.

How to eliminate wrong answers

Option A is wrong because the client trusting the firewall's CA certificate is required for the client to accept the decrypted connection, but a 'certificate_unknown' error occurs during the firewall's validation of the server certificate, not during client-side trust checks. Option B is wrong because an expired server certificate would produce a different error, such as 'certificate_expired' or 'certificate_not_yet_valid', not 'certificate_unknown'. Option D is wrong because an incorrect source zone in the decryption policy would cause traffic to bypass decryption or be dropped, not generate a specific SSL decryption failure with the 'certificate_unknown' error.

138
MCQmedium

A financial services company uses a Palo Alto Networks firewall to protect its customer data. They have a requirement to block all file transfers that contain credit card numbers (PCI compliance). The firewall has Data Filtering profiles configured to detect credit card patterns. However, the security team notices that some file transfers containing credit card numbers are not being blocked. The traffic logs show the applications are identified correctly, and the security rule has the Data Filtering profile attached. The Data Filtering profile is configured with a rule to block 'Credit Card Numbers' with a threshold of 1. What could be the issue?

A.The Data Filtering profile does not include the specific applications that are transferring files.
B.The Data Filtering profile is not attached to the security rule.
C.The security rule is not logging the Data Filtering alerts.
D.SSL decryption is not enabled for the traffic.
AnswerA

Data Filtering profiles must specify which applications to inspect; if the application is not listed, no filtering occurs.

Why this answer

Option A is correct because Data Filtering profiles are applied per application. If the specific applications used for file transfers (e.g., custom or less common apps) are not selected within the Data Filtering profile, the firewall will not inspect those transfers for credit card numbers, even if the security rule has the profile attached. The profile must explicitly include the applications to enforce the data filtering rules.

Exam trap

The trap here is that candidates assume attaching a Data Filtering profile to a security rule automatically applies it to all traffic matching the rule, but the profile itself has an application filter that must include the specific applications being used for the transfer.

How to eliminate wrong answers

Option B is wrong because the question states the security rule has the Data Filtering profile attached, so this is not the issue. Option C is wrong because logging of Data Filtering alerts is not required for the blocking action to occur; the profile will block regardless of logging settings. Option D is wrong because SSL decryption is not a prerequisite for Data Filtering to inspect traffic; Data Filtering can inspect unencrypted payloads, and if the traffic is encrypted, decryption would be needed, but the question does not indicate the traffic is encrypted, and the core issue is the application scope within the profile.

139
MCQmedium

Refer to the exhibit. A user in the trust zone attempts to access https://www.example.com. The traffic matches rule 2 first. What is the expected behavior?

A.The traffic is allowed due to the implicit allow at the end.
B.The traffic is denied because of rule 2.
C.The traffic is allowed because rule 3 allows web-browsing.
D.The traffic is allowed because no explicit deny is configured.
AnswerB

Rule 2 matches SSL application and has a deny action.

Why this answer

Option B is correct. HTTPS traffic is identified as application ssl, which matches rule 2 (deny). Since rule 2 has no schedule, it matches immediately, and the traffic is denied. Rule 3 (allow for web-browsing) is not evaluated because rule 2 matched first. Option A is wrong because rule 2 matches. Option C is wrong because there is a deny rule. Option D is wrong because the session is not allowed; it is denied.

140
Multi-Selecteasy

An administrator is troubleshooting decryption-related connectivity issues. Which two log types should be examined to gather information about decryption actions and errors?

Select 2 answers
A.System logs
B.URL Filtering logs
C.Decryption logs
D.Threat logs
E.Traffic logs
AnswersC, E

Decryption logs offer detailed information such as decryption reason, cipher, and certificate details.

Why this answer

Decryption logs are specifically designed to record details about SSL/TLS decryption actions, including handshake failures, certificate validation errors, and decryption policy matches. When troubleshooting connectivity issues related to decryption, these logs provide the most direct insight into why a session might be blocked or failing due to decryption errors.

Exam trap

Palo Alto Networks often tests the distinction between Traffic logs (which show the result of decryption, such as a deny action) and Decryption logs (which show the decryption process itself), leading candidates to mistakenly choose Traffic logs as the primary source for decryption errors.

141
Multi-Selecthard

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

Select 2 answers
A.The traffic will be allowed because Rule1 matches before Rule2.
B.To block the traffic, you can set the source zone in Rule2 to 'Negate' Engineering.
C.Moving Rule2 to the end of the rulebase will ensure it blocks the traffic.
D.The administrator should move Rule2 above Rule1 to block the traffic.
E.The firewall evaluates all rules and applies the most restrictive action (deny).
AnswersA, D

First-match logic: Rule1 matches first, so the action is allow; Rule2 is not evaluated.

Why this answer

Option A is correct because Palo Alto Networks firewalls use first-match policy evaluation: the first rule that matches the traffic's source zone, destination zone, source/destination IP, application, and user determines the action. Since Rule1 (allow) appears before Rule2 (deny), traffic from Engineering to Servers matches Rule1 first and is allowed, regardless of later deny rules.

Exam trap

The trap here is that candidates often assume firewalls use a 'most restrictive wins' model (like some ACL implementations) rather than the first-match model used by Palo Alto Networks, leading them to incorrectly select Option E.

142
MCQeasy

What is the primary benefit of using App-ID in a security policy instead of relying solely on port-based rules?

A.It increases firewall throughput.
B.It allows enforcement based on application identity, even if the application uses non-standard ports.
C.It reduces the number of security rules needed.
D.It limits traffic to HTTP and HTTPS only.
AnswerB

This is the core advantage of App-ID.

Why this answer

Option B is correct because App-ID identifies the actual application regardless of port, allowing policy enforcement based on application identity. Option C is wrong because App-ID does not by itself simplify rule management. Option A is wrong because performance may be marginally impacted. Option D is wrong because App-ID is not limited to HTTP traffic.

143
MCQeasy

An administrator needs to provide internet access to employees while blocking access to social media sites. Which feature should be used to identify and block social media traffic?

A.URL Filtering profile to block the Social Networking category.
B.SSL Decryption policy to decrypt traffic to social media.
C.QoS policy to limit bandwidth to social media sites.
D.File blocking profile to block executable files from social media.
AnswerA

URL Filtering can block entire categories of websites.

Why this answer

A URL Filtering profile allows the administrator to block access to categories of websites, such as Social Networking, and the profile is attached to the security policy rule that governs internet access. For HTTPS sessions the firewall still learns the hostname from the Server Name Indication (SNI) in the cleartext TLS ClientHello (or from the server certificate), so it can categorize and block the session without decrypting it. Decryption is only needed if the goal is to inspect the content or enforce finer controls inside the session.

Exam trap

The trap here is that candidates may confuse SSL Decryption (which enables visibility into encrypted traffic) with the actual blocking mechanism, not realizing that URL Filtering profiles are the correct tool for category-based blocking without requiring decryption.

How to eliminate wrong answers

Option B is wrong because a decryption policy makes encrypted traffic inspectable; it does not, by itself, block anything, and category-based blocking works on the SNI without decryption. Option C is wrong because a QoS policy only limits the bandwidth available to social media sites; it neither identifies the category nor blocks the traffic. Option D is wrong because a file blocking profile blocks specific file types (for example executables) inside traffic that is already allowed, not the sessions to social media sites themselves.
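The explanation above says the firewall can categorize an HTTPS session without decrypting it. The following added example (not PAN-OS code, and not from the original question set) shows why: it builds a minimal TLS ClientHello, pulls the hostname out of its cleartext SNI extension, and applies a category-based block decision. The category table and the hostnames are made up for the demonstration; the ClientHello builder only emits the fields the parser needs.

```python
"""SNI-based URL category lookup without decryption (constructed example).

The TLS ClientHello is sent in the clear, and its server_name extension
names the site the client wants. A firewall can therefore map the session
to a URL category and block it before any decryption takes place.
"""
import struct

# Hypothetical category table standing in for the vendor URL database.
CATEGORY = {
    "social.example": "social-networking",
    "news.example": "news",
}
BLOCKED_CATEGORIES = {"social-networking"}


def build_client_hello(hostname: str) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = hostname.encode("ascii")
    # server_name list: one entry of type 0 (host_name).
    sni_list = struct.pack("!BH", 0, len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + b"\x00" * 32                           # random (zeroed for the demo)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record and return the SNI hostname, or None."""
    if len(record) < 5 or record[0] != 0x16:       # not a handshake record
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                    # not a ClientHello
        return None
    p = 4 + 2 + 32                                 # handshake header, version, random
    sid_len = hs[p]
    p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len
    cm_len = hs[p]
    p += 1 + cm_len
    if p + 2 > len(hs):                            # no extensions present
        return None
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:                        # server_name extension
            q = p + 2                              # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = struct.unpack("!BH", hs[q:q + 3])
                q += 3
                if ntype == 0:                     # host_name
                    return hs[q:q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


def url_filter_verdict(record: bytes) -> tuple:
    """Return (hostname, category, action) as a category-based rule would."""
    host = extract_sni(record)
    cat = CATEGORY.get(host, "unknown")
    action = "block" if cat in BLOCKED_CATEGORIES else "allow"
    return host, cat, action


if __name__ == "__main__":
    for site in ("social.example", "news.example"):
        print(url_filter_verdict(build_client_hello(site)))
```

The lookup only works while the SNI is visible: a client using Encrypted Client Hello sends a placeholder outer SNI, and a session with no SNI at all falls back to whatever the server certificate reveals, so a real deployment pairs category blocking with a policy for those cases.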

144
MCQeasy

A company uses forward proxy decryption. A user cannot access an HTTPS site. The decryption policy is configured with the default SSL/TLS service profile. What is the most likely issue?

A.The decryption policy is set to no-decrypt
B.The firewall's certificate is not trusted by the client
C.The certificate revocation check fails
D.The server certificate is self-signed
AnswerB

With SSL Forward Proxy the firewall terminates the client's TLS session and presents a server certificate it generated itself, signed by its Forward Trust CA. If that CA is not in the client's trust store, the browser shows a warning and, for HSTS sites, refuses to load the page at all.

Why this answer

When forward proxy decryption is used, the firewall does not hand the real server certificate to the client. It copies the server certificate's subject and SAN into a new certificate that it signs on the fly with its Forward Trust CA (Device > Certificate Management > Certificates, with the Forward Trust Certificate flag set). The client only ever sees that impersonation certificate, so the Forward Trust CA (or a subordinate CA issued by the enterprise PKI) must be in every client's trusted root store before decryption is enabled; otherwise browsers display a certificate error and HSTS-enabled sites refuse to load. The SSL/TLS service profile named in the question governs the TLS settings of services the firewall itself hosts (management interface, GlobalProtect portal and gateway) and does nothing to make clients trust the Forward Trust CA. A quick check from an affected client is `openssl s_client -connect <host>:443 -servername <host>`: when decryption is in place, the issuer shown is the firewall's Forward Trust CA rather than the site's public CA.

Exam trap

Palo Alto Networks often tests the distinction between server certificate issues (like self-signed or expired) and the firewall's own certificate trust, leading candidates to incorrectly focus on the server certificate rather than the client's trust of the firewall's CA.

How to eliminate wrong answers

Option A is wrong because a no-decrypt rule passes the session through untouched, so the client would see the real server certificate and load the site normally (absent some other block). Option C is wrong because CRL/OCSP revocation checking is controlled by the decryption profile and is off unless an administrator enables it, so it is not the default culprit. Option D is wrong because a self-signed server certificate is a property of one site, not of the client's trust in the firewall: with decryption enabled the firewall re-signs such a site with its Forward Untrust CA and the user sees a warning for that site only, whereas the most likely failure on a freshly enabled forward proxy is that clients do not trust the CA behind every decrypted session.

145
MCQmedium

A small business uses a single PA-220 firewall for internet access and has three internal zones: Trust, DMZ, and Guest. Users in the Trust zone report intermittent connectivity to a public cloud application. The firewall administrator checks the traffic logs and sees that sessions to the cloud application show "Application: ssl" and "Action: allow". The administrator suspects the issue might be related to decryption. The firewall currently has a decryption policy that decrypts all outbound HTTPS traffic for threat inspection. The cloud application uses certificate pinning and breaks when decrypted. What is the best solution to allow this application to function while still decrypting other traffic?

A.Upgrade the firewall to a model that supports certificate key protection.
B.Create a decryption exclusion rule for the specific cloud application by source or URL category.
C.Disable SSL decryption entirely.
D.Change the decryption policy to decrypt only inbound traffic.
AnswerB

Exclusion rules allow bypassing decryption for specific traffic.

Why this answer

Option B is correct because excluding the specific cloud application (by destination address, URL category, or source) lets the firewall bypass decryption for that traffic while continuing to decrypt all other outbound HTTPS traffic, which resolves the certificate-pinning failure without giving up inspection elsewhere. PAN-OS offers two ways to do this: a decryption policy rule with action no-decrypt placed above the decrypt rule, matched as narrowly as possible, or an entry in Device > Certificate Management > SSL Decryption Exclusion, which already ships with a predefined list of applications known to break under decryption. Either way, verify the fix in Monitor > Decryption or the traffic log rather than by disabling decryption globally.

Exam trap

The trap here is that candidates may think disabling decryption entirely is the simplest fix, but they overlook the need to maintain security for other traffic, or they mistakenly believe hardware upgrades can solve application-layer compatibility issues like certificate pinning.

How to eliminate wrong answers

Option A is wrong because upgrading the firewall model does not address certificate pinning; certificate key protection is unrelated to decryption policy and would not prevent the application from breaking. Option C is wrong because disabling SSL decryption entirely would remove threat inspection for all HTTPS traffic, which is an overly broad and insecure solution. Option D is wrong because changing the decryption policy to decrypt only inbound traffic would not affect outbound traffic to the cloud application, leaving the issue unresolved and also failing to inspect outbound threats.

146
MCQhard

A network administrator is designing a Palo Alto Networks firewall deployment for a large enterprise with multiple branch offices. The requirement is to ensure that if the primary firewall at headquarters fails, the branch offices can still access the internet via a local breakout using a redundant firewall at the branch. Which architecture best meets this requirement with minimal complexity?

A.Use a hub-and-spoke VPN topology with headquarters as the hub
B.Deploy active/passive HA at headquarters and active/passive HA at each branch with local internet breakout
C.Use a full mesh VPN topology between all firewalls
D.Deploy active/active HA at headquarters and use IPsec VPN tunnels to each branch
AnswerB

This provides redundancy for both locations and allows branch offices to break out locally to the internet.

Why this answer

Option B is correct because deploying active/passive HA at each branch with local internet breakout ensures that if the primary firewall at headquarters fails, branch offices can still access the internet directly through their redundant firewall without relying on the hub. This design minimizes complexity by using simple HA pairs and local breakout policies, avoiding the need for complex routing or full mesh VPNs.

Exam trap

The trap here is that candidates often assume hub-and-spoke (Option A) is sufficient for redundancy, overlooking that it fails to provide local internet breakout when the hub fails, which is the core requirement for branch internet access continuity.

How to eliminate wrong answers

Option A is wrong because a hub-and-spoke VPN topology with headquarters as the hub creates a single point of failure; if the headquarters firewall fails, all branch internet traffic is disrupted unless a backup path is configured, which adds complexity. Option C is wrong because a full mesh VPN topology between all firewalls introduces significant configuration and management overhead (O(n^2) tunnels) and does not inherently provide local internet breakout or redundancy for branch internet access. Option D is wrong because active/active HA at headquarters does not address branch-level redundancy; it only protects the hub, and using IPsec VPN tunnels to each branch still forces branch internet traffic through the hub, failing the requirement for local breakout on primary firewall failure.

147
MCQeasy

Refer to the exhibit. A security rule is configured with destination address group 'internal-servers'. A packet with destination IP 10.10.20.5 arrives. Will the rule match?

A.Yes, because 10.10.20.5 is within the range of server2.
B.No, because the destination must be a single IP address.
C.Yes, because the address group includes all internal addresses.
D.No, because the address group uses multiple objects.
AnswerA

The IP range in server2 includes 10.10.20.5.

Why this answer

Option A is correct because the exhibit defines server2 as the range 10.10.20.1-10.10.20.10, which contains 10.10.20.5, and the destination group 'internal-servers' includes server2, so the packet matches. Option B is wrong because a rule's destination can be a single host, a range, a subnet, an FQDN, or a group of those; it is not limited to single IP addresses. Option C is wrong because the group contains only the objects placed in it, not every internal address. Option D is wrong because address groups exist precisely to hold multiple objects; that does not affect matching.

148
MCQmedium

A security administrator is troubleshooting a rule that appears to be matching correctly but is not allowing traffic. The rule uses source zone 'Trust' and destination zone 'Untrust', and the action is 'allow'. The traffic source is in the 'DMZ' zone. What is the most likely reason the traffic is denied?

A.Security profiles are blocking the traffic.
B.The application is not identified.
C.The source zone of the rule does not match the traffic's ingress zone.
D.The rule is placed after a deny rule.
AnswerC

The rule matches on source zone Trust, but traffic comes from DMZ zone, so the rule does not apply.

Why this answer

Option C is correct because the zone pair is part of the match criteria: the rule specifies source zone Trust, so a session that enters from the DMZ zone never matches it, and the firewall continues down the rulebase until it reaches interzone-default (deny). Option A is wrong because security profiles are evaluated only after a rule with action allow has matched; they cannot stop a rule from matching. Option B is wrong because an unidentified application would show up as unknown-tcp or incomplete in the traffic log, which the scenario does not describe, and the rule as written cannot match the session anyway. Option D is wrong because rule order would only matter if the rule could match DMZ traffic at all; with a zone mismatch it never does. Confirm in Monitor > Traffic, which shows the ingress zone and the rule actually hit for the session.

149
Drag & Dropmedium

Drag and drop the steps to configure a URL filtering profile on a Palo Alto Networks firewall into the correct order.

Why this order

URL filtering profile involves categories, actions, policy attachment, SSL decryption, and testing.

150
MCQhard

An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?

A.The application 'web-browsing' does not cover port 8080 traffic.
B.The rule order is incorrect; a previous rule is denying the traffic.
C.The destination address object 10.10.0.0/16 is incorrect.
D.The source zone 'GP' should be 'untrust'.
AnswerA

The rule keeps the default Service value of application-default, so web-browsing is only allowed on its standard port(s). Identified as web-browsing on tcp/8080, the session does not match the rule and falls through to interzone-default (deny).

Why this answer

The security rule allows web-browsing, ssl and dns, but its Service column was left at the default application-default. With that setting a rule matches an application only when it runs on the standard ports defined for it in the application database (shown under Objects > Applications), which is also why application-default is the recommended value: it stops allowed applications from being tunnelled over arbitrary ports. The custom web application is correctly identified as web-browsing, but it runs on tcp/8080; unless tcp/8080 is listed among web-browsing's standard ports in the installed content version, the rule does not match and the session falls through to the interzone-default deny, exactly as the logs show. The fix is a service object for tcp/8080 in that rule's Service field (or a custom application with 8080 as its default port), not widening the rule to service any.

Exam trap

The trap here is that candidates assume an application match alone is enough, forgetting that application-default also constrains the port; non-standard ports need an explicit service object or a custom application. Check the rule's Service column and the application's Standard Ports before changing anything else.

How to eliminate wrong answers

Option B is wrong because the traffic is being denied by the implicit deny rule, not by a previous rule; the rule order is not the issue here as the rule in question is present but does not match the application. Option C is wrong because the destination address object 10.10.0.0/16 is correct for the data center subnet, and the traffic is reaching that subnet but is denied due to application mismatch. Option D is wrong because the source zone 'GP' (GlobalProtect) is correct for remote users connecting via GlobalProtect; using 'untrust' would be incorrect as GlobalProtect traffic originates from the GP tunnel zone, not the untrust zone.
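The three troubleshooting questions above (the Engineering-to-Servers rulebase, the Trust/DMZ zone mismatch, and this application-default case) all come down to how a session is matched against an ordered rulebase. The following added example is a toy evaluator, not PAN-OS code and not from the question set, that models only those pieces: zone match, application match, application-default versus an explicit service, first-match ordering, and the intrazone-default/interzone-default fallbacks. The standard-port table is an assumption for the demo; the real values are under Objects > Applications in the installed content version.

```python
"""Toy first-match evaluator for a PAN-OS-style security rulebase (added example)."""
from dataclasses import dataclass, field

# Assumed standard ports per application, constructed for this example.
STANDARD_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Rule:
    name: str
    from_zone: str                         # "any" matches every zone
    to_zone: str
    action: str                            # "allow" or "deny"
    apps: set = field(default_factory=lambda: {"any"})
    service: object = "application-default"  # or a set of (proto, port) tuples


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    app: str                               # what App-ID decided the session is
    proto: str
    dport: int


def _zone_ok(rule_zone, flow_zone):
    return rule_zone == "any" or rule_zone == flow_zone


def _service_ok(rule, flow):
    if rule.service == "application-default":
        # Application must run on one of its own standard ports, else no match.
        return (flow.proto, flow.dport) in STANDARD_PORTS.get(flow.app, set())
    return (flow.proto, flow.dport) in rule.service


def matches(rule, flow):
    return (_zone_ok(rule.from_zone, flow.from_zone)
            and _zone_ok(rule.to_zone, flow.to_zone)
            and ("any" in rule.apps or flow.app in rule.apps)
            and _service_ok(rule, flow))


def evaluate(rulebase, flow):
    """Return (rule name, action) of the FIRST matching rule; later rules are
    never consulted. Unmatched traffic hits the default rules."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def engineering_to_servers():
    """First-match: Rule1 wins as ordered; only moving Rule2 above it blocks."""
    r1 = Rule("Rule1", "Engineering", "Servers", "allow")
    r2 = Rule("Rule2", "Engineering", "Servers", "deny")
    r3 = Rule("Rule3", "any", "Servers", "allow")
    flow = Flow("Engineering", "Servers", "web-browsing", "tcp", 80)
    as_is = evaluate([r1, r2, r3], flow)
    rule2_first = evaluate([r2, r1, r3], flow)
    rule2_last = evaluate([r1, r3, r2], flow)      # still shadowed
    return as_is, rule2_first, rule2_last


def zone_mismatch():
    """A Trust->Untrust allow rule never sees traffic that entered from DMZ."""
    rule = Rule("Trust-out", "Trust", "Untrust", "allow")
    return evaluate([rule], Flow("DMZ", "Untrust", "web-browsing", "tcp", 80))


def application_default_8080():
    """web-browsing on tcp/8080: denied under application-default, allowed
    once the rule carries an explicit tcp/8080 service object."""
    base = dict(from_zone="GP", to_zone="DC", action="allow",
                apps={"web-browsing", "ssl", "dns"})
    app_default = Rule("GP-to-DC", service="application-default", **base)
    explicit = Rule("GP-to-DC", service={("tcp", 8080)}, **base)
    flow = Flow("GP", "DC", "web-browsing", "tcp", 8080)
    return evaluate([app_default], flow), evaluate([explicit], flow)


if __name__ == "__main__":
    print(engineering_to_servers())
    print(zone_mismatch())
    print(application_default_8080())
```

The model deliberately omits address, user and URL-category criteria; on the firewall those narrow a match further but do not change the first-match rule, and `test security-policy-match` remains the authoritative check for a given session.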
