Palo Alto Networks Certified Network Security Administrator (PCNSA) — Questions 301–375

524 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301 (Multi-Select, hard)

A security analyst needs to monitor decryption performance and identify sessions that are bypassing decryption due to policy or technical reasons. Which two monitoring tools or methods can provide this insight?

Select 2 answers
A. Decryption logs with filter 'decryption action not equal to decrypt'
B. System logs with filter 'decryption bypass'
C. ACC (Application Command Center) > Decryption Overview
D. Traffic logs with filter 'action equals decrypt' and 'reason equals bypass'
E. Packet capture on the decryption port
Answers: A, C

Decryption logs can be filtered to show sessions where decryption was not performed, including bypass reasons.

Why this answer

Option A is correct because decryption logs with a filter for 'decryption action not equal to decrypt' will show sessions that were not decrypted, including those bypassed due to policy (e.g., excluded URLs) or technical reasons (e.g., unsupported cipher suites). Option C is correct because the ACC > Decryption Overview provides a dashboard that visualizes decryption performance metrics, such as the number of sessions bypassed, decrypted, or failed, giving the analyst a high-level view of bypass activity.

Exam trap

The trap here is that candidates may confuse traffic logs with decryption logs, or assume that system logs contain decryption session details, when in fact decryption-specific logs and the ACC Decryption Overview are the correct sources for monitoring bypass activity.

302 (Multi-Select, medium)

During SSL decryption, which three factors can cause the firewall to fail to decrypt a session or to bypass decryption?

Select 3 answers
A. The decryption rule has a schedule that is not currently active.
B. The SSH protocol is being used instead of SSL/TLS.
C. The firewall's decryption hardware accelerator is faulty.
D. The server certificate is signed by a CA not trusted by the firewall.
E. The session uses a cipher that is not listed in the decryption profile's allowed ciphers.
Answers: A, D, E

A rule with a schedule that is out of window will not match, so decryption will not apply.

Why this answer

Option A is correct because a decryption rule with a schedule that is not currently active will not apply, causing the firewall to bypass decryption for the matching traffic. The firewall checks the schedule before attempting decryption, and if the schedule is inactive, the rule is effectively disabled, leading to a bypass.

Exam trap

The trap here is that candidates may think a faulty hardware accelerator (Option C) directly causes decryption failure, but Palo Alto Networks firewalls fall back to software decryption if hardware acceleration fails, so it does not result in a bypass or failure to decrypt.

303 (Multi-Select, hard)

Which TWO are required for accurate application identification when an application uses non-standard ports?

Select 2 answers
A. Define a custom service for the port.
B. Enable App-ID.
C. Use a Content-ID profile.
D. Create a custom application signature.
E. Disable SSL Decryption.
Answers: B, D

App-ID must be enabled to perform application identification.

Why this answer

App-ID is the core technology that identifies applications regardless of port, using signatures, protocol decoders, and behavioral analysis. When an application uses non-standard ports, App-ID must be enabled to inspect traffic beyond simple port-based classification, ensuring accurate identification even if the application is not using its default port.

Exam trap

The trap here is that candidates often think defining a custom service for the port is sufficient for identification, but App-ID requires either its built-in signatures or a custom application signature to accurately identify applications on non-standard ports.

304 (Multi-Select, easy)

Which TWO management methods allow CLI access to a Palo Alto Networks firewall?

Select 2 answers
A. SSH
B. Serial console
C. HTTPS
D. HTTP
E. Telnet
Answers: A, B

SSH provides secure CLI access.

Why this answer

SSH (Secure Shell) is a standard management method that provides encrypted CLI access to Palo Alto Networks firewalls, allowing administrators to execute commands securely over a network. The serial console port on the firewall provides direct, out-of-band CLI access for initial configuration or troubleshooting when network connectivity is unavailable.

Exam trap

The trap here is that candidates often confuse management methods that provide GUI access (HTTPS) with those that provide CLI access, or incorrectly assume that Telnet is still a supported option on modern firewalls due to its prevalence in older networking equipment.

305 (Multi-Select, medium)

A security administrator notices that traffic from an internal user to a specific external web application is being blocked unexpectedly. The user's IP is 10.10.1.50 and the destination is 203.0.113.5 on port 443. The administrator has already verified that there is a security rule allowing the traffic. Which two logs should the administrator check first to diagnose the issue?

Select 2 answers
A. Check the Traffic log and the URL Filtering log.
B. Check the Threat log for any intrusion prevention signatures that matched the traffic.
C. Check the System log for configuration changes that might have added a rule.
D. Check the HIP Match log to see if the user's device lacks required security software.
Answers: A, B

The Traffic log shows whether a rule allowed or denied the traffic; the URL Filtering log shows if a URL filtering profile blocked the request. These two together can identify the blocking cause.

Why this answer

Option A is correct because when a security rule explicitly allows traffic but the traffic is still blocked, the issue often lies in a secondary policy layer. The Traffic log will show whether the session was denied or allowed, and if allowed, the URL Filtering log can reveal that the destination URL was categorized as blocked by the URL filtering profile, even though the security rule permits the traffic. This is a common scenario where the security rule permits the session but a URL filtering profile applied to that rule blocks the specific web application.

Exam trap

Palo Alto Networks often tests the misconception that a security rule allowing traffic guarantees the traffic will pass, but the trap here is that secondary policies like URL filtering profiles can override the security rule action, so candidates must check both the Traffic log and the URL Filtering log first.

306 (MCQ, medium)

An administrator is troubleshooting why a rule is not being hit. The rule has source zone Trust, destination zone Untrust, source address 10.0.0.0/8, destination address any, application web-browsing, action allow, and log at session end. The traffic is coming from 10.1.1.1 to 1.2.3.4 on port 80, zone Trust to Untrust. The rule count shows zero hits. What could be the issue?

A. The application must be set to 'any'.
B. The application is incorrectly identified; perhaps the traffic is using a different app.
C. The log setting is preventing hits.
D. The destination address is too broad.
Answer: B

If the firewall classifies the traffic as another application, the rule won't match.

Why this answer

Option B is correct because the rule specifically allows web-browsing; if the firewall classifies the traffic as a different application, the rule won't match. Option D is not an issue; a destination of any is fine. Option A is not needed.

Option C is false; the log setting does not affect the hit count.

307 (MCQ, medium)

A company uses SSL Forward Proxy to decrypt all outbound HTTPS traffic. Users report significant performance degradation when accessing external web applications. Which action should the administrator take to improve performance while maintaining security?

A. Create a decryption exclusion rule for financial and banking websites.
B. Increase the session timeout values for decrypted traffic.
C. Enable hardware SSL decryption offloading on the firewall.
D. Change the decryption profile to require only high-strength ciphers.
Answer: A

Excluding high-value but sensitive categories reduces decryption load and complies with regulatory standards, thus improving performance.

Why this answer

Option A is correct because excluding certain sensitive or unnecessary categories (e.g., banking) reduces decryption load and the related performance issues. Option C is incorrect because hardware offloading may not be available or may not address the root cause. Option B is incorrect because increasing session timeouts does not reduce decryption processing.

Option D is incorrect because requiring high-strength ciphers increases processing overhead.

308 (Multi-Select, medium)

A security administrator is analyzing the rulebase for best practices. Which TWO of the following are recommended practices for security policy management? (Choose two.)

Select 2 answers
A. Disable logging for frequently matched rules to improve performance.
B. Place more specific rules above more general rules.
C. Create a single rule for each application to simplify management.
D. Use the 'intrazone-default' rule to allow all traffic in the same zone.
E. Use security profile groups to consistently apply profiles.
Answers: B, E

This is a fundamental best practice to ensure specific rules are evaluated first.

Why this answer

Options B and E are correct. Placing specific rules above general rules ensures proper matching. Using security profile groups ensures consistent application of profiles.

Option D is wrong because using intrazone-default to allow all intra-zone traffic is not recommended. Option A is wrong because logging should be enabled for security events. Option C is wrong because creating a rule per application leads to an excessive number of rules.

309 (MCQ, easy)

An administrator needs to access the firewall's CLI via SSH, but the default SSH port (22) is blocked by the corporate firewall. Which configuration allows SSH on a non-standard port?

A. Device > Setup > Management > Port for SSH
B. Device > Setup > Services > SSH Port
C. Device > Setup > Management > Port for HTTP/HTTPS
D. Device > Administration > SSH Port
E. Device > Setup > Operations > SSH
Answer: A

Allows setting a non-default SSH port for CLI access.

Why this answer

Option A is correct because the firewall's SSH port is configured under Device > Setup > Management > Port for SSH. This setting allows the administrator to change the default TCP port 22 to any non-standard port, enabling SSH access when the corporate firewall blocks the default port. The management interface settings control all inbound management protocols, including SSH, HTTPS, and ping.

Exam trap

The trap here is that candidates confuse the management port settings for SSH with other protocol settings (like HTTP/HTTPS) or assume a 'Services' or 'Administration' menu exists, leading them to pick an option that sounds plausible but does not exist in the PAN-OS GUI.

How to eliminate wrong answers

Option B is wrong because there is no 'Services' submenu under Device > Setup; SSH port configuration is under 'Management', not 'Services'. Option C is wrong because 'Port for HTTP/HTTPS' controls web-based management access, not SSH. Option D is wrong because there is no 'Administration' menu under Device; SSH port settings are not located there.

Option E is wrong because 'Operations' under Device > Setup is for operational tasks like rebooting or generating tech support files, not for configuring SSH port settings.

310 (MCQ, hard)

An administrator configures a security policy with three rules in order: Rule1 allows any to any with log at session start, Rule2 allows HTTP from trust to untrust, Rule3 denies any. Traffic from an internal user to an external web server is logged as allowed. Which rule processed the traffic?

A. Rule1
B. Rule3
C. Rule2
D. No rule matched
Answer: A

Rule1 matches all traffic and is the first rule, so it processes the traffic.

Why this answer

Option A is correct because the first matching rule is applied; even though Rule2 is more specific, Rule1 matches first and allows the traffic. Option C is wrong because Rule2 is evaluated after Rule1. Option B is wrong because Rule3 would deny, but the traffic was allowed.

Option D is wrong because the traffic matched a rule.

311 (MCQ, hard)

Refer to the exhibit. Traffic from Sales zone to Finance zone reaches destination 10.10.10.10 using application 'ssl'. What action does the firewall take?

A. The firewall will continue to the next rule
B. Allow
C. Deny
D. Allow only if no security profile blocks it
Answer: C

Traffic does not match the first rule (application mismatch), so it matches the second rule and is denied.

Why this answer

Option C is correct because the first rule only matches the 'ms-office365' application; 'ssl' does not match, so evaluation proceeds to the second rule, which denies any application. Option B is wrong because the first rule does not allow ssl. Option D is wrong because the deny rule blocks the traffic regardless of security profiles.

Option A is wrong because the firewall does not need to continue to further rules; the deny-all rule matches and processing stops there.

312 (MCQ, medium)

A company wants to decrypt all SSL/TLS traffic from internal users except traffic to financial sites. The firewall is placed as a forward proxy. Which policy configuration ensures that traffic to financial sites is not decrypted?

A. Create a decryption policy and use the 'exclude cache' option for financial sites.
B. Create a security policy that allows financial sites without decryption; then create a decryption policy with action 'no-decrypt' for those sites.
C. Create a decryption policy with action 'decrypt' and a source zone of internal; then create a decryption exemption for financial URLs.
D. Create a decryption policy with action 'no-decrypt' for traffic to financial sites, and a catch-all decryption policy with action 'decrypt' for all other traffic.
Answer: D

This ensures financial traffic is not decrypted while all other traffic is decrypted.

Why this answer

Option D is correct because it uses a specific 'no-decrypt' action in a decryption policy for financial sites, which explicitly excludes them from SSL/TLS decryption. A catch-all policy with 'decrypt' then ensures all other internal user traffic is decrypted. This approach directly aligns with the forward proxy requirement to decrypt all traffic except the specified financial sites.

Exam trap

The trap here is that candidates often confuse security policies with decryption policies, or mistakenly think that a 'decrypt' action with an exemption list is equivalent to a 'no-decrypt' policy, when in fact Palo Alto Networks requires a separate decryption policy with the 'no-decrypt' action for explicit exclusion.

How to eliminate wrong answers

Option A is wrong because the 'exclude cache' option is used to prevent caching of decrypted content, not to exclude traffic from decryption; it does not affect whether decryption occurs. Option B is wrong because a security policy alone cannot control decryption; decryption is governed by decryption policies, not security policies, and the order of policy evaluation requires a decryption policy to specify 'no-decrypt'. Option C is wrong because a decryption exemption is not a valid configuration in Palo Alto Networks firewalls; the correct method is to use a decryption policy with action 'no-decrypt'.

313 (Multi-Select, easy)

Which TWO methods can be used to help prevent rule shadowing? (Select two.)

Select 2 answers
A. Using rule hit counts
B. Placing more specific rules above general rules
C. Using policy optimizer reports to reorder rules
D. Using dynamic address groups
E. Using rule order analysis tools
Answers: B, C

Correct. This ensures specific rules are evaluated first, reducing the chance they are shadowed.

Why this answer

Placing more specific rules above general rules prevents rule shadowing by ensuring that traffic matching a specific condition is evaluated and permitted or denied by the intended rule before reaching a broader rule that might otherwise match it. In Palo Alto Networks firewalls, rule evaluation is first-match, so a general rule placed above a specific rule will shadow the specific rule, making it unreachable. This ordering principle directly addresses the root cause of shadowing.

Exam trap

The trap here is that candidates often confuse detection tools (like rule order analysis or hit counts) with prevention methods, but the question specifically asks for methods that help prevent shadowing, which requires proactive ordering or reordering of rules.

314 (MCQ, hard)

A company is deploying a Palo Alto firewall in a high-availability (HA) pair. They want to ensure that when a failover occurs, session information is preserved to maintain active connections. Which feature must be enabled?

A. Session synchronization
B. Stateful failover
C. Packet buffer
D. Session Timer adjustment
Answer: A

It mirrors sessions to the peer for stateful failover.

Why this answer

Session synchronization (option A) is the correct feature because it enables the active firewall to share session table entries with the passive peer in real time. When a failover occurs, the newly active firewall already has the session state, so it can continue forwarding traffic for existing connections without interruption. Without session synchronization, all active sessions would be dropped and must be re-established by clients.

Exam trap

The trap here is that candidates confuse the general concept of 'stateful failover' (which is the desired outcome) with the specific feature name that must be enabled in the Palo Alto configuration, leading them to select option B instead of the precise mechanism 'session synchronization'.

How to eliminate wrong answers

Option B (Stateful failover) is wrong because it is a generic term describing the overall capability of preserving state during failover, not a specific feature that must be enabled; the actual mechanism that achieves this in Palo Alto firewalls is session synchronization. Option C (Packet buffer) is wrong because it refers to temporary storage of packets during congestion or processing delays, not to sharing session state between HA peers. Option D (Session Timer adjustment) is wrong because modifying session timeouts affects how long idle sessions remain in the table, but does not replicate session information to the standby firewall.

315 (MCQ, medium)

An administrator wants to block all peer-to-peer file sharing traffic, but must ensure that legitimate business applications like FTP are not affected. Which approach is most effective?

A. Create an Application Filter that matches all P2P applications and use it in a deny rule.
B. Create a security rule with 'application none' and block the common P2P ports.
C. Use a Service object to block all ports typically used by P2P applications.
D. Identify each known P2P application and add them individually to a block rule.
Answer: A

Application filters dynamically match a category of applications.

Why this answer

Option A is correct because Palo Alto Networks App-ID can identify peer-to-peer (P2P) traffic by application signature, regardless of port. Creating an Application Filter that matches all P2P applications (e.g., BitTorrent, eDonkey, Gnutella) and applying it in a deny rule ensures all P2P traffic is blocked while legitimate business applications like FTP (which uses distinct App-ID signatures) are not affected, as App-ID decodes traffic at Layer 7.

Exam trap

The trap here is that candidates often assume port-based blocking (Options B and C) is sufficient, but App-ID is designed to decouple application identity from port, making port-based rules ineffective against modern P2P traffic that uses port evasion techniques.

How to eliminate wrong answers

Option B is wrong because using 'application none' with port blocking is ineffective—P2P applications often use non-standard ports or port hopping, and 'application none' would not match traffic that App-ID identifies as a known application, potentially allowing P2P traffic on allowed ports. Option C is wrong because blocking common P2P ports (e.g., 6881-6889 for BitTorrent) is easily bypassed by P2P applications that use random or HTTP/HTTPS ports, and it would also block legitimate applications using those ports. Option D is wrong because individually adding each known P2P application to a block rule is impractical—new P2P variants emerge frequently, and this approach would miss unknown or custom P2P applications, leaving gaps in coverage.

316 (MCQ, easy)

A network engineer needs to apply the same security policy to multiple firewalls. Which tool should be used to centralize policy management?

A. PanOS Central
B. Panorama
C. Web interface of each firewall
D. Command Line Interface (CLI)
Answer: B

Panorama provides centralized policy management across multiple firewalls.

Why this answer

Panorama is the centralized management solution for Palo Alto Networks firewalls, enabling administrators to define, push, and enforce consistent security policies across multiple firewalls from a single interface. It aggregates logs and provides visibility into all managed firewalls, eliminating the need to configure each device individually.

Exam trap

The trap here is that candidates may confuse 'Panorama' with a generic-sounding name like 'PanOS Central' or assume that any management interface (web or CLI) is sufficient for centralized control, overlooking the specific product designed for multi-firewall policy management.

How to eliminate wrong answers

Option A is wrong because 'PanOS Central' is not a real Palo Alto Networks product; the correct centralized management tool is Panorama. Option C is wrong because using the web interface of each firewall requires logging into each device separately, which is inefficient and error-prone for managing multiple firewalls. Option D is wrong because the Command Line Interface (CLI) also requires individual access to each firewall and does not provide centralized policy management or bulk configuration capabilities.

317 (MCQ, hard)

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

A. Create a single rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user 'any', action 'allow' and enable logging.
B. Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user set to an LDAP group containing the administrators, action 'allow', and a second rule with the same match criteria but action 'drop' and log at session end.
C. Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', action 'allow', and rely on the firewall's default deny rule for others.
D. Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source address list of all administrators' IPs, action 'allow', and a catch-all drop rule.
Answer: B

User-ID integration allows scalable user-based policies.

Why this answer

Option B is correct because it uses an LDAP group as the source user attribute, which allows dynamic membership management without manual IP updates. The first rule permits SSH for the group, and the second rule logs and drops all other SSH attempts, ensuring only authorized administrators are allowed while unauthorized attempts are recorded for auditing. This approach is scalable for a large number of administrators because it leverages user-based policies rather than IP-based rules.

Exam trap

The trap here is that candidates often choose Option A, thinking that logging all SSH attempts is sufficient, but they overlook the requirement to restrict access to specific administrators, which necessitates a user-based filter rather than allowing all users.

How to eliminate wrong answers

Option A is wrong because setting source user to 'any' would allow all users from the Admin zone to access the Core zone via SSH, violating the requirement to restrict access to specific administrators only. Option C is wrong because relying on the default deny rule would silently drop unauthorized SSH attempts without logging them, failing the requirement to log and drop all other SSH attempts. Option D is wrong because using a source address list of all administrators' IPs is not scalable for a large number of administrators, as it requires manual updates whenever an administrator's IP changes or new administrators are added, and it does not leverage user-based identification.

318 (MCQ, easy)

An administrator wants to group multiple servers with different IP addresses that all use the same port 443. What is the most efficient way to create a security policy rule for this traffic?

A. Use a single address object with a subnet
B. Create separate rules for each server
C. Use a dynamic address group with tags
D. Create an address group and a service group
Answer: D

This reduces administrative effort and groups related objects.

Why this answer

Option D is correct because creating an address group to contain the multiple server IP addresses and a service group for port 443 allows a single security policy rule to match all the servers and the specific service. This is the most efficient method as it reduces rule count and administrative overhead, leveraging group objects for scalability and ease of management.

Exam trap

The trap here is that candidates may confuse dynamic address groups (which rely on tags and external data) with static address groups, or assume that a single subnet object can cover non-contiguous IPs, leading them to choose option A or C.

How to eliminate wrong answers

Option A is wrong because using a single address object with a subnet would only work if all servers share a contiguous IP range, which is not the case here (different IP addresses). Option B is wrong because creating separate rules for each server is inefficient and increases rule count, violating best practices for policy management. Option C is wrong because dynamic address groups with tags are used for grouping objects based on dynamic criteria (e.g., IP address changes via external sources), not for statically grouping multiple known IP addresses; tags are not needed for this static grouping.

319 (MCQ, medium)

A company configures GlobalProtect for remote access. Remote users can successfully connect to the firewall and obtain an IP address, but they cannot access internal resources (e.g., file servers) located in the internal network. The firewall has a security rule that allows traffic from the GlobalProtect zone to the internal zone with appropriate applications. Logs show that traffic from remote users is being matched to a different rule that denies inter-zone traffic from the GlobalProtect zone to the internal zone. The administrator checks the GlobalProtect gateway configuration and sees that the gateway assigns IP addresses from a pool, but no internal routes are defined. What is the most likely issue?

A. The internal resources require a specific security profile that is not applied to the rule.
B. The User-ID agent is not mapping remote usernames correctly.
C. The GlobalProtect gateway configuration is missing internal resource routes or split-tunneling settings.
D. The source zone in the security rule is set to 'Trust' instead of 'GlobalProtect'.
Answer: D

If the rule expects source zone 'Trust', traffic from GlobalProtect zone won't match, and a subsequent deny rule blocks it.

Why this answer

Option D is correct because if the security rule's source zone is 'Trust' instead of 'GlobalProtect', traffic from the GlobalProtect zone will not match the intended rule and will fall through to a deny rule. Option C is incorrect because internal resource routes affect routing, not policy matching. Options A and B are less likely given the log behavior.

320 (MCQ, medium)

An enterprise wants to receive SNMP traps from their firewalls for critical events such as HA state changes and high CPU usage. They have an SNMP trap receiver at 10.1.1.100. What configuration steps are required?

A. Use the CLI command 'set snmp trap' with the receiver IP.
B. Configure an SNMP manager and select the traps to send.
C. Enable SNMP on the management interface and set the trap destination.
D. Configure an SNMP server profile for traps and a log forwarding profile to send system logs as traps.
Answer: D

Correct: SNMP server profile defines trap destinations; log forwarding profile selects which logs trigger traps.

Why this answer

Option D is correct because PAN-OS requires an SNMP server profile to define the trap receiver (IP, port, version) and a log forwarding profile to map specific system logs (e.g., HA state changes, high CPU) to be sent as SNMP traps. This two-step configuration ensures only critical events are forwarded as traps, not all SNMP data.

Exam trap

The trap here is that candidates confuse enabling SNMP for polling (Option C) with the separate, mandatory step of configuring trap forwarding via a log forwarding profile, assuming that simply setting a trap destination is enough to send all SNMP data.

How to eliminate wrong answers

Option A is wrong because the CLI command 'set snmp trap' does not exist in PAN-OS; SNMP trap configuration is done via GUI or CLI using 'set snmp-server profile' and log forwarding. Option B is wrong because configuring an SNMP manager alone only sets up the management station for polling, not for sending traps; traps require a separate trap destination and log forwarding profile. Option C is wrong because enabling SNMP on the management interface only allows SNMP polling (get/set) and does not configure trap destinations; trap receivers must be defined in an SNMP server profile.

321 (Matching, medium)

Match each protocol to its default port used by Palo Alto Networks.

Concepts
Matches

443

22

N/A (ICMP)

161

Why these pairings

These are common ports used for management access.

322 (MCQ, medium)

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

A. The rule only allows traffic from Engineering to Servers zone, not DMZ.
B. The rule is configured as an intrazone rule.
C. The rule is disabled in the rulebase.
D. SSL decryption is blocking the traffic.
Answer: A

The rule explicitly allows Engineering to Servers; traffic to DMZ is not covered and is denied by default.

Why this answer

The security rule explicitly permits traffic from the 'Engineering' zone to the 'Servers' zone. Traffic destined to the 'DMZ' zone is a different zone, so the rule does not apply. By default, Palo Alto Networks firewalls enforce a deny-all policy for any traffic that does not match an explicit allow rule, which is why the traffic is denied.

Exam trap

The trap here is that candidates may assume a rule allowing traffic to one zone implicitly covers all zones, but Palo Alto Networks firewalls require explicit zone matching for each rule, and failing to specify the correct destination zone results in a deny.

How to eliminate wrong answers

Option B is wrong because an intrazone rule controls traffic within the same zone, not between different zones; the scenario involves interzone traffic from Engineering to DMZ. Option C is wrong because if the rule were disabled, it would not affect traffic to the Servers zone either, and the question states the rule allows traffic to Servers, implying it is enabled. Option D is wrong because SSL decryption is a separate feature that can inspect encrypted traffic but does not inherently block traffic; it would only affect traffic if a decryption policy explicitly denies or fails to decrypt, and there is no indication of SSL decryption involvement.

323
MCQhard

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

A.The firewall does not have a route to the 10.0.0.0/24 network.
B.The security rule is not placed at the top of the rulebase.
C.A zone protection profile is blocking the traffic.
D.The destination server does not have a route back to the 192.168.1.0/24 subnet.
AnswerA

Without a route, the firewall cannot forward the packet to the destination, even if the security rule allows it.

Why this answer

The traffic matches the security rule, but the firewall drops the packet because it cannot find a route to the destination network 10.0.0.0/24. In Palo Alto Networks firewalls, even if a security rule permits traffic, the firewall must have a valid route in its routing table to forward the packet to the next hop. Without a route, the firewall has no way to deliver the packet to the server at 10.0.0.10, resulting in a drop.

Exam trap

The trap here is that candidates confuse security policy matching with successful packet forwarding, forgetting that a firewall must also have a route to the destination to complete the delivery.

How to eliminate wrong answers

Option B is wrong because the rule order does not matter if the traffic is already matching the rule; the issue is that the packet is dropped after matching, not that it fails to match. Option C is wrong because a zone protection profile would block traffic based on flood protection or reconnaissance settings, but the question states the traffic matches the rule and is dropped, not that it is blocked by a security profile. Option D is wrong because the destination server's return route is irrelevant to the firewall's forward path; the firewall drops the packet before it ever reaches the server, so the server's routing table does not come into play.

324
Multi-Selecthard

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

Select 2 answers
A.Use a self-signed certificate for decryption.
B.Decrypt all internal traffic including server-to-server.
C.Exclude traffic to financial and healthcare sites from decryption.
D.Decrypt all outbound traffic regardless of destination.
E.Install the firewall's CA certificate on all client devices.
AnswersC, E

Compliance requirements often prohibit decryption of sensitive sites.

Why this answer

Options B and D are correct. Option A is wrong because CA-signed certs are recommended for trust. Option C is wrong because decrypting internal traffic can cause issues; best practice is to exclude internal traffic.

Option E is wrong because decrypting all traffic is not recommended; use selective decryption.

325
MCQhard

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

A.Configure HA1 and HA2 interfaces with appropriate IPs
B.Enable Config Sync on the HA General tab
C.Enable Session Setup and State Synchronization under HA configuration
D.Configure Path Monitoring to detect link failures
AnswerC

These settings enable the synchronization of session state information between HA peers.

Why this answer

Option C is correct because session state synchronization (also known as stateful failover) requires enabling both Session Setup and State Synchronization under the HA configuration. This ensures that the active firewall's session table is continuously replicated to the passive firewall, so when a failover occurs, existing sessions are not dropped and can continue without interruption.

Exam trap

The trap here is that candidates confuse Config Sync (which synchronizes configuration files) with Session State Synchronization (which synchronizes active session data), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because configuring HA1 and HA2 interfaces with appropriate IPs is necessary for HA communication (heartbeat and backup links), but it does not enable session state synchronization by itself. Option B is wrong because Config Sync synchronizes configuration files (policies, objects) between firewalls, not session state; it is unrelated to preserving active sessions during failover. Option D is wrong because Path Monitoring detects link failures to trigger failover, but it does not replicate session state; it only helps decide when to fail over, not what happens to existing sessions.

326
MCQmedium

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

A.Create three zones: Web, App, DB. Create rules that allow only necessary protocols (e.g., HTTP/HTTPS from internet to Web, specific ports from Web to App, and specific ports from App to DB).
B.Create three zones: Web, App, DB. Allow all traffic from Web to App and App to DB, and block all other inter-zone traffic.
C.Place web servers in an untrust zone and app/database in a trust zone, then allow all traffic from trust to untrust.
D.Place all servers in the same zone and use rules to allow traffic between them.
AnswerA

This follows least-privilege principles by allowing only required traffic between specific zones and ports.

Why this answer

Option A is correct because it implements a least-privilege security model using Palo Alto Networks zones and granular application- and port-based rules. By creating separate zones (Web, App, DB) and explicitly allowing only the necessary protocols (e.g., HTTP/HTTPS from the internet to Web, specific ports from Web to App, and specific ports from App to DB), the firewall enforces strict segmentation and minimizes the attack surface. This design leverages the zone-based security paradigm of PAN-OS to control inter-zone traffic precisely, aligning with the principle of zero trust.

Exam trap

The trap here is that candidates may assume that allowing 'all traffic' between tiers is sufficient for segmentation, overlooking the critical security requirement of least privilege and the need to restrict traffic to only necessary protocols and ports.

How to eliminate wrong answers

Option B is wrong because allowing all traffic from Web to App and App to DB violates the principle of least privilege; it permits unnecessary protocols and ports, increasing the risk of lateral movement if a server is compromised. Option C is wrong because placing web servers in an untrust zone and app/database in a trust zone, then allowing all traffic from trust to untrust, would permit unrestricted outbound traffic from the database to the internet, breaking the required segmentation and exposing sensitive data. Option D is wrong because placing all servers in the same zone eliminates zone-based segmentation, making it impossible to enforce the required inter-tier restrictions; intra-zone traffic is implicitly allowed by default in PAN-OS unless explicitly blocked, which contradicts the need for strict access control.

327
MCQmedium

A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?

A.Check the System log for related entries
B.Run a packet capture on the ingress interface
C.Check the global counters for dropped packets
D.Check the Traffic log with the session's source IP and destination
AnswerD

Traffic log shows the rule that matched and the action taken.

Why this answer

Option D is correct because the Traffic log already shows the session is denied, and filtering by the specific user's source IP and the destination SaaS application will reveal the exact security policy or rule that is blocking the traffic. This allows the administrator to identify whether the issue is due to a misconfigured policy, an application override, or a user-specific rule, rather than a global or interface-level problem.

Exam trap

The trap here is that candidates may jump to packet capture or system logs without first using the Traffic log's filtering capabilities to pinpoint the exact security rule causing the deny, wasting time on broad diagnostics.

How to eliminate wrong answers

Option A is wrong because the System log records administrative events, system errors, and configuration changes, not per-session deny decisions; it would not show why a specific user's session to a SaaS app was denied. Option B is wrong because running a packet capture on the ingress interface is a more advanced troubleshooting step that should be taken only after analyzing the Traffic log to confirm the deny is not due to a security policy; it is premature and may generate excessive data without narrowing down the cause. Option C is wrong because global counters provide aggregate statistics on dropped packets (e.g., for resource exhaustion or hardware issues) but do not reveal which security policy or rule denied a specific user's session to a particular destination.

328
MCQeasy

How many address objects are members of the 'web-servers' address group?

A.3
B.1
C.4
D.2
AnswerD

The exhibit clearly lists two members.

Why this answer

The 'web-servers' address group contains exactly two address objects: one for the web server's IP address (e.g., 10.0.0.10) and one for the web server's subnet (e.g., 10.0.0.0/24). In Palo Alto Networks firewalls, address groups aggregate static or dynamic address objects, and the count is determined by the number of member objects explicitly added, not by the number of IPs within a subnet. Option D is correct because the group has two members.

Exam trap

The trap here is that candidates often miscount the number of address objects by confusing individual IP addresses within a subnet object as separate members, rather than recognizing that a single subnet object (e.g., 10.0.0.0/24) counts as one member regardless of how many hosts it represents.

How to eliminate wrong answers

Option A is wrong because it suggests three members, which would require an additional address object not present in the group configuration. Option B is wrong because it implies only one member, but the group contains two distinct address objects (a host and a subnet). Option C is wrong because it indicates four members, which would require more objects than the group actually contains, possibly confusing the number of IP addresses with the number of address objects.

329
MCQmedium

Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?

A.Dataplane resources are exhausted
B.The firewall has been recently rebooted
C.System CPU is too high
D.The session limit is being reached
AnswerA

Dataplane CPU at 89% and memory at 92% indicate the dataplane is overloaded, causing drops.

Why this answer

The exhibit shows that the dataplane (DP) utilization is at 100%, which directly indicates that the dataplane resources are exhausted. When the dataplane is fully utilized, the firewall cannot process new sessions or maintain existing ones, leading to session drops and performance issues. This is the most likely cause because the dataplane handles packet forwarding and session setup, and its exhaustion is a common bottleneck in high-throughput environments.

Exam trap

Palo Alto Networks often tests the distinction between management plane (system CPU) and dataplane resources, so the trap here is that candidates confuse high system CPU with dataplane exhaustion, not realizing that session drops are almost always a dataplane issue, not a management plane one.

How to eliminate wrong answers

Option B is wrong because a recent reboot would typically show low dataplane utilization and a gradual increase as sessions build up, not sustained 100% utilization with session drops. Option C is wrong because system CPU (management plane) being high does not directly cause session drops; the dataplane operates independently, and high system CPU affects management tasks like logging or UI responsiveness, not packet forwarding. Option D is wrong because the session limit being reached would show a session count at the maximum configured limit in the exhibit, but the exhibit shows dataplane utilization at 100% without indicating the session limit is hit; session limits are a separate resource constraint that triggers specific 'max-session' drops, not general performance degradation from dataplane exhaustion.

330
MCQeasy

Refer to the exhibit. The firewall raises a certificate expiry warning for the decryption CA. Which action is required?

A.Renew the decryption CA certificate before expiry
B.Ignore the warning as it is only informational
C.Import a new server certificate
D.Disable decryption until renewal
AnswerA

The CA certificate must be valid for decryption to work; it should be renewed.

Why this answer

The decryption CA certificate is used by the firewall to generate and sign internal server certificates for SSL decryption. When it expires, the firewall can no longer create new decryption certificates, causing SSL decryption to fail for new sessions. Renewing the decryption CA certificate before expiry ensures uninterrupted decryption and avoids certificate validation errors for clients.

Exam trap

Palo Alto Networks often tests the distinction between the decryption CA certificate (which must be renewed) and server certificates (which are imported for specific sites), leading candidates to mistakenly choose importing a new server certificate.

How to eliminate wrong answers

Option B is wrong because the certificate expiry warning is not merely informational; an expired decryption CA will break SSL decryption functionality, leading to service disruption. Option C is wrong because importing a new server certificate addresses individual server certificates, not the decryption CA certificate that signs them; the CA certificate must be renewed independently. Option D is wrong because disabling decryption until renewal is unnecessary and overly disruptive; the correct action is to proactively renew the CA certificate while the current one is still valid.

331
MCQmedium

A security administrator is configuring an address object for a web server accessible from the internet. The server has a public IP of 203.0.113.10/32 and a private IP of 10.0.1.10/32. The administrator needs to create a security policy that allows inbound HTTPS traffic to the server. Which address object type should be used for the destination?

A.FQDN (e.g., webserver.example.com)
B.IP Range (e.g., 10.0.1.10-10.0.1.10)
C.IP Wildcard Mask (e.g., 203.0.113.0/0.0.0.255)
D.IP Netmask (e.g., 203.0.113.10/32)
AnswerD

IP Netmask /32 is the correct and most efficient way to represent a single host.

Why this answer

The correct answer is D because the security policy destination must match the IP address that the firewall sees in the packet header. For inbound traffic from the internet, the destination IP is the public IP 203.0.113.10/32, so an IP Netmask object with that exact address is the appropriate type. Using a /32 netmask ensures a single host match, which is precise and efficient for firewall rule evaluation.

Exam trap

The trap here is that candidates often confuse the private IP (used internally) with the public IP (used for inbound internet traffic), leading them to select an object type that references the private address, such as IP Range or FQDN, instead of the correct public IP Netmask.

How to eliminate wrong answers

Option A is wrong because an FQDN object resolves to an IP address dynamically, but the firewall policy must match the static public IP in the packet; FQDN is typically used for outbound traffic or when the IP changes frequently, not for a fixed public server. Option B is wrong because an IP Range object (10.0.1.10-10.0.1.10) specifies the private IP, but inbound traffic from the internet arrives with the public IP as the destination, so this would never match. Option C is wrong because an IP Wildcard Mask (203.0.113.0/0.0.0.255) matches a range of addresses (203.0.113.0–203.0.113.255), which is too broad and could allow traffic to unintended hosts, violating the principle of least privilege.

332
MCQeasy

A security administrator notices that traffic from a custom application is being incorrectly identified as web-browsing. What is the most likely cause?

A.The application signature database is outdated.
B.App-ID is disabled on the security rule.
C.The custom application uses HTTP but no specific App-ID signature.
D.Content-ID is blocking the application.
AnswerC

Without a custom signature, App-ID may classify the traffic as web-browsing.

Why this answer

Option C is correct because when a custom application uses HTTP but lacks a specific App-ID signature, Palo Alto Networks firewalls default to classifying the traffic as web-browsing (HTTP). App-ID relies on a combination of protocol decoders and application signatures; without a custom App-ID signature defined for the application, the firewall cannot distinguish it from generic HTTP traffic.

Exam trap

Palo Alto Networks often tests the misconception that an outdated signature database is the root cause, but the trap here is that the custom application has no signature at all, so updating the database would not help—the administrator must create a custom App-ID signature or use an application override.

How to eliminate wrong answers

Option A is wrong because an outdated signature database would affect the identification of known applications, but the issue here is that the custom application has no specific signature at all, not that the signature is stale. Option B is wrong because if App-ID were disabled on the security rule, the firewall would not perform any application identification, and traffic would be classified based on port or IP, not incorrectly identified as web-browsing. Option D is wrong because Content-ID is a separate feature that handles URL filtering, file blocking, and data filtering; it does not affect how traffic is initially identified by App-ID.

333
Multi-Selecteasy

An administrator needs to block all traffic from a specific application that uses multiple ports. Which TWO methods can achieve this? (Choose two.)

Select 2 answers
A.Create a security rule with the application and action 'deny'.
B.Block the common ports used by the application.
C.Disable App-ID on the zone to prevent inspection.
D.Create a security rule allowing the application but with a limit.
E.Use an Application Override to categorize the traffic and then block it.
AnswersA, E

Denying the application blocks all its traffic.

Why this answer

Option A is correct because App-ID identifies traffic based on application signatures, not just ports. By creating a security rule with the specific application and setting the action to 'deny', the firewall blocks all traffic matching that application regardless of the ports or protocols it uses. This is the most precise and effective method to block an application that uses multiple ports.

Exam trap

The trap here is that candidates mistakenly think blocking common ports (Option B) is sufficient, but the exam tests the understanding that App-ID is application-aware and port-independent, making application-based blocking the correct approach.

334
MCQeasy

An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?

A.DNS Security profile
B.Vulnerability Protection profile
C.URL Filtering profile
D.Anti-Spyware profile
AnswerA

DNS Security is designed to detect and block DNS tunneling.

Why this answer

The DNS Security profile is specifically designed to detect and block DNS tunneling, a technique used to exfiltrate data by encoding it within DNS queries and responses. By inspecting DNS traffic for anomalies such as high query rates, unusual domain names, or non-standard record types, the DNS Security profile can identify and prevent data exfiltration attempts. Other security profiles do not have the specialized DNS-layer inspection capabilities required to counter this threat.

Exam trap

The trap here is that candidates often confuse DNS Security with Anti-Spyware, assuming that spyware signatures will catch tunneling, but DNS tunneling is a protocol-level evasion technique that requires dedicated DNS inspection, not just signature-based malware detection.

How to eliminate wrong answers

Option B is wrong because the Vulnerability Protection profile is designed to detect and block exploit attempts targeting known vulnerabilities in applications and operating systems, not to analyze DNS traffic for tunneling or exfiltration patterns. Option C is wrong because the URL Filtering profile controls access to web categories and URLs based on policy, but it does not inspect the content or structure of DNS queries to identify tunneling behavior. Option D is wrong because the Anti-Spyware profile focuses on blocking malware command-and-control (C2) traffic and spyware signatures, but it lacks the deep DNS protocol analysis needed to detect data exfiltration via DNS tunneling.

335
MCQeasy

A company recently deployed a Palo Alto Networks PA-220 firewall to secure outbound web access. The security policies include a rule named 'Allow-Web' with the following configuration: source zone 'Inside', destination zone 'Outside', application 'web-browsing', service 'application-default', action 'allow'. All other traffic is denied by a default deny rule. Users report that they can access most public websites, but they cannot access a partner's website hosted at 203.0.113.50 on TCP port 8080. Connections to this site time out. DNS resolution for the hostname works correctly. The firewall logs show that traffic from internal users to 203.0.113.50:8080 is not matching any rule and is being denied by the default deny rule. Which action should the administrator take to resolve the issue while adhering to security best practices?

A.Add a new rule before 'Allow-Web' that permits traffic to 203.0.113.50 on any port and any application.
B.Change the service in the 'Allow-Web' rule to 'any' to allow web-browsing on any port.
C.Create a custom application that matches TCP port 8080 for the partner's website and add it to the 'Allow-Web' rule alongside 'web-browsing'.
D.Modify the rule to use application 'any' to allow all applications.
AnswerC

This allows App-ID to recognize the traffic on the non-standard port while maintaining granular control.

Why this answer

Option C is correct because the traffic to 203.0.113.50 on TCP port 8080 is not matching the 'web-browsing' application, which by default only recognizes HTTP (TCP 80) and HTTPS (TCP 443). Creating a custom application that matches TCP port 8080 and adding it to the 'Allow-Web' rule allows the firewall to identify and permit this traffic while still enforcing application-based control, adhering to the security best practice of least privilege.

Exam trap

The trap here is that candidates assume 'web-browsing' will match any HTTP-like traffic regardless of port, but Palo Alto Networks App-ID requires explicit application definition for non-standard ports, and simply changing the service or application to 'any' undermines the security model.

How to eliminate wrong answers

Option A is wrong because permitting traffic to 203.0.113.50 on any port and any application bypasses all application and port restrictions, violating the principle of least privilege and potentially allowing malicious traffic. Option B is wrong because changing the service to 'any' would allow web-browsing on any port, but the traffic on TCP 8080 still does not match the 'web-browsing' application definition, so the rule would not permit it. Option D is wrong because modifying the rule to use application 'any' would allow all applications through the rule, completely defeating the purpose of application-based security and exposing the network to unnecessary risks.

336
MCQeasy

A network administrator adds a new security rule allowing HTTP from the Trust zone to the Untrust zone. After committing, traffic from the Trust zone to the Untrust zone is still blocked. What is the most likely cause?

A.The source zone in the new rule is set to 'Untrust' instead of 'Trust'.
B.The application in the new rule is set to 'ssl' instead of 'http'.
C.The new rule is placed at the bottom of the policy, below an existing deny rule that matches the same traffic.
D.The destination zone in the new rule is set to 'Trust' instead of 'Untrust'.
AnswerC

Correct. Policy evaluation is top-down, so a deny rule above the allow rule will block traffic.

Why this answer

This is the most common cause because security policies are evaluated top-down, and an existing deny rule placed above the new allow rule will match first and block the traffic.

337
Multi-Selectmedium

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

Select 2 answers
A.Using the CLI command 'save config to tftp'
B.Using the GUI under Monitor > Packet Capture
C.Using the GUI under Device > Troubleshooting > Generate Tech Support File
D.Using the CLI command 'generate tech-support file'
E.Using the CLI command 'show tech-support'
AnswersC, D

This is the GUI method to generate and download the file.

Why this answer

Option C is correct because the Palo Alto Networks firewall GUI provides a dedicated path under Device > Troubleshooting > Generate Tech Support File to generate and download a comprehensive technical support file. This file bundles logs, configuration, and system state data essential for troubleshooting.

Exam trap

The trap here is confusing the CLI command 'show tech-support' (which is a Cisco IOS command) with the correct Palo Alto Networks command 'generate tech-support file', leading candidates to select an invalid option.

338
Multi-Selectmedium

Which TWO are valid methods for authenticating administrative users on Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.Local authentication using local user database
B.RADIUS
C.TACACS
D.SAML
E.LDAP
AnswersA, B

The firewall has a built-in local database for administrator accounts.

Why this answer

Options A and C are correct. The firewall supports local authentication and RADIUS. Option B is wrong because TACACS is not supported (TACACS+ is, but not TACACS).

Option D is wrong because LDAP is used for directory services, not authentication directly (though it can be used for captive portal, but not admin auth). Option E is wrong because SAML is supported for SSO but not typically as a direct admin authentication method.

339
Multi-Selecthard

Which THREE of the following are valid features of Palo Alto Networks active/passive HA?

Select 3 answers
A.Session synchronization from active to passive.
B.Prevention of link monitoring on passive device.
C.Stateful failover of sessions.
D.Automatic synchronization of configuration changes.
E.Load sharing of traffic between both devices.
AnswersA, C, D

Sessions are synced so failover is seamless.

Why this answer

Option A is correct because in Palo Alto Networks active/passive HA, session state information is synchronized from the active firewall to the passive firewall. This ensures that when a failover occurs, the passive device can take over with minimal disruption, maintaining existing sessions without requiring clients to re-establish connections.

Exam trap

The trap here is that candidates often confuse active/passive with active/active HA, assuming that both devices share traffic or that the passive device does not participate in monitoring, when in fact active/passive strictly uses one device for forwarding and the other for standby with full monitoring capabilities.

340
MCQeasy

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

A.Allow the traffic because rule 1 matches and allows all web traffic.
B.Allow the traffic because rule 3 allows all traffic.
C.Deny the traffic because no rule allows social-networking.
D.Deny the traffic because rule 2 matches and denies social-networking.
AnswerD

Rule 2 explicitly denies social-networking.

Why this answer

The firewall evaluates rules in order from top to bottom. Rule 2 explicitly denies the application 'social-networking', and since the user at 192.168.1.10 is attempting to access a social-networking site, rule 2 matches before any subsequent rule. Therefore, the traffic is denied.

Option D is correct because rule 2 matches and denies the traffic.

Exam trap

The trap here is that candidates may assume a more permissive rule later in the policy (like rule 3 allowing all traffic) will override an earlier deny rule, but the firewall's first-match logic means the deny rule takes precedence.

How to eliminate wrong answers

Option A is wrong because rule 1 allows all web traffic, but the firewall processes rules sequentially and rule 2 (which denies social-networking) is evaluated before rule 3, so rule 1 does not apply to this traffic. Option B is wrong because rule 3 allows all traffic, but it is only reached if no earlier rule matches; since rule 2 matches and denies the traffic, rule 3 is never evaluated. Option C is wrong because rule 2 explicitly denies social-networking, so there is a rule that denies it; the traffic is denied due to rule 2, not because no rule allows it.

341
MCQeasy

Based on the exhibit, what is the role of the rule "Allow_Outbound"?

A.It is a security rule that allows the session.
B.It is a QoS rule that prioritizes the traffic.
C.It is a NAT rule that translates the source IP.
D.It is a decryption rule that decrypts the traffic.
AnswerA

The session matched rule Allow_Outbound, which is a security rule that permitted the session.

Why this answer

Option B is correct. The session output shows that the session matched rule Allow_Outbound, which allowed the session. The rule is a security rule, not a decryption rule (that is decrypted-policy), not a NAT rule, and not a QoS rule.

342
MCQhard

Refer to the exhibit. An administrator configures decryption for HTTPS traffic from internal users. However, traffic using TLS 1.3 is not being decrypted. Which change should be made to decrypt TLS 1.3 traffic?

A.Change the min-version to 'tls1-3'.
B.Add a new rule for TLS 1.3 traffic.
C.Change the 'ssl-protocol-settings' max-version to 'tls1-3'.
D.Enable 'decrypt-unknown-protocol' to capture all traffic.
AnswerC

The profile currently restricts max version to TLS 1.2. To decrypt TLS 1.3, the max version must be set to tls1-3.

Why this answer

The decryption profile specifies max-version as tls1-2, which prevents decryption of TLS 1.3 traffic. Updating the max-version to tls1-3 allows decryption of TLS 1.3 sessions.

343
MCQhard

A security administrator is troubleshooting a site-to-site IPsec VPN between two Palo Alto Networks firewalls. The Phase 1 proposal includes AES-256, SHA-256, and DH Group 14 with a lifetime of 28800 seconds. The Phase 2 proposal includes AES-256, SHA-256, and PFS with DH Group 14. The tunnel is established and traffic is flowing, but intermittently the tunnel drops and re-establishes. The logs show the following error: 'Phase 2 negotiation failed because no suitable proposal found.' Both firewalls have identical IKE gateway and IPsec crypto profile configurations. Which option is the most likely cause of this issue?

A.The DH group used in Phase 2 is not supported by the firewall model.
B.The IPsec SA lifetime is not configured on one of the firewalls, causing a mismatch.
C.The Phase 2 proposal uses a different DH group than Phase 1.
D.The Phase 1 lifetime is shorter than the Phase 2 lifetime.
AnswerB

Correct: If the IPsec SA lifetime is not explicitly set, the firewall uses a default value that may differ from the peer's configured value, leading to proposal mismatch.

Why this answer

The error 'Phase 2 negotiation failed because no suitable proposal found' indicates a mismatch in the IPsec SA parameters. Even though both firewalls have identical IKE gateway and IPsec crypto profile configurations, if one firewall has an IPsec SA lifetime configured (e.g., 3600 seconds) and the other does not (defaulting to a different value, such as 10800 seconds), the lifetimes will not match, causing intermittent rekey failures. This is the most likely cause because the tunnel initially establishes but drops when rekeying occurs due to the lifetime mismatch.

Exam trap

The trap here is that candidates assume identical IKE gateway and IPsec crypto profile configurations guarantee matching proposals, but they overlook that the IPsec SA lifetime is a separate parameter that must be explicitly set to the same value on both peers, and a default value mismatch is a common cause of intermittent rekey failures.

How to eliminate wrong answers

Option A is wrong because DH Group 14 is widely supported on Palo Alto Networks firewalls, and the question states the tunnel establishes initially, proving the DH group is supported. Option C is wrong because using a different DH group in Phase 2 than Phase 1 is allowed (PFS uses its own DH group), and the error specifically mentions 'no suitable proposal found' for Phase 2, not a DH group mismatch between phases. Option D is wrong because Phase 1 and Phase 2 lifetimes are independent; a shorter Phase 1 lifetime does not cause Phase 2 negotiation failures—Phase 2 rekeys independently of Phase 1 lifetime expiration.

344
Matchingmedium

Match each log type to its description.


Concepts
Matches

Records session information

Records blocked attacks

Records web browsing activity

Records files sent for analysis

Why these pairings

These are standard log types in PAN-OS.

345
MCQhard

A large enterprise with thousands of security rules wants to reduce rule count without compromising security visibility. The current rules use many specific applications and services. Which strategy should be implemented to consolidate rules effectively?

A.Use only default ports for services to avoid creating service objects.
B.Convert all application-based rules to use service objects instead.
C.Consolidate rules using Security Profile Groups (SPGs) and broader application groups.
D.Place the most specific rules at the top of the rulebase.
AnswerC

SPGs allow multiple rules to reference the same security profiles, reducing rule count while maintaining security posture.

Why this answer

Option C is correct because using Security Profile Groups (SPGs) allows multiple rules to share the same profiles, reducing duplication. Option A is incorrect because using default ports bypasses App-ID. Option D is incorrect because placing specific rules at the top does not reduce the rule count.

Option B is incorrect because converting to service objects removes application visibility.

346
MCQmedium

A company deploys a pair of firewalls in Active/Passive HA. To ensure that active sessions are preserved during failover, which interface must be configured for state synchronization?

A.HA3
B.HA1
C.HA2
D.HA4
AnswerA

HA3 is used for session state synchronization.

Why this answer

In an Active/Passive HA pair, state synchronization (session table, ARP table, etc.) is transmitted over the dedicated HA3 interface. This ensures that when a failover occurs, the passive firewall has an exact copy of all active sessions and can continue forwarding traffic without interruption. Without HA3 configured, sessions are not preserved and must be re-established after failover.

Exam trap

The trap here is that candidates often confuse HA2 (used for packet forwarding in Active/Active) with the state sync interface, or assume HA1 handles all synchronization, but Palo Alto Networks specifically separates control (HA1), data (HA2), and state sync (HA3) functions.

How to eliminate wrong answers

Option B (HA1) is wrong because HA1 is the control link used for heartbeat and configuration synchronization, not for session state data. Option C (HA2) is wrong because HA2 is the data link used for packet forwarding and session setup in Active/Active HA, not for state synchronization in Active/Passive. Option D (HA4) is wrong because HA4 is not a standard interface in Palo Alto Networks HA; the valid interfaces are HA1, HA2, and HA3 only.

347
MCQhard

Refer to the exhibit. A packet arrives with source IP 192.168.1.10, destination IP 203.0.113.10, destination port 80, from zone trust. After this NAT rule is applied, what will be the destination IP and port of the packet?

A.Destination IP 10.0.0.5, Destination port 80, Source IP changed to firewall IP
B.Destination IP 203.0.113.10, Destination port 8080
C.Destination IP 203.0.113.10, Destination port 80, Source port changed to 5000
D.Destination IP 10.0.0.5, Destination port 80
AnswerD

The destination NAT translates the destination address and keeps the port as 80.

Why this answer

Option D is correct. The destination NAT rule translates the destination IP from 203.0.113.10 to 10.0.0.5, and the destination port remains 80 (as specified). Option A is wrong because the source IP is not changed by this rule (no source NAT is configured).

Option B is wrong because a port change to 8080 is not configured. Option C is wrong because the source port is not modified.

348
MCQmedium

Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?

A.Data Filtering
B.Captive Portal
C.GlobalProtect
D.User-ID
AnswerD

Correct: User-ID maps IP addresses to usernames and includes the user in traffic logs.

Why this answer

The 'user' field in a traffic log is populated by User-ID, which maps IP addresses to usernames by monitoring authentication events from Active Directory, LDAP, or terminal services agents. This allows the firewall to log and enforce policies based on user identity rather than just IP addresses.

Exam trap

The trap here is that candidates confuse Captive Portal (which authenticates users for web access) with User-ID (which passively maps IPs to usernames for logging and policy enforcement), leading them to choose Captive Portal instead of User-ID.

How to eliminate wrong answers

Option A is wrong because Data Filtering is a security profile that controls the transfer of sensitive data patterns (e.g., credit card numbers) in application traffic, not user identity mapping. Option B is wrong because Captive Portal is an authentication mechanism that intercepts HTTP traffic to enforce user login before granting network access, but it does not passively map IP-to-user for all traffic logs; User-ID handles that mapping. Option C is wrong because GlobalProtect is a remote access VPN solution that can provide user identity via its gateway, but the 'user' field in a traffic log is populated by the User-ID agent, not solely by GlobalProtect.

349
Multi-Selecthard

Which three of the following are valid commit options in the PAN-OS GUI? (Choose three.)

Select 3 answers
A.Validate commit
B.Force commit
C.Partial commit
D.Commit all changes
E.Commit to Panorama
AnswersA, C, D

Validate commit checks configuration for errors without applying.

Why this answer

Option A is correct because the PAN-OS GUI provides a 'Validate commit' option that checks the configuration for errors before applying it. This is a standard commit option that ensures the candidate configuration is syntactically and semantically valid, reducing the risk of committing a broken configuration.

Exam trap

The trap here is that candidates may confuse the 'Force commit' CLI command with a GUI option, or mistakenly think 'Commit to Panorama' is a local firewall commit option, when in fact Panorama uses a different workflow for pushing configurations.

350
Multi-Selecthard

An administrator is configuring active/passive HA for two PA-3020 firewalls. Which TWO conditions would trigger a failover? (Choose two.)

Select 2 answers
A.Path monitoring detects unreachable target
B.Heartbeat link failure
C.Active firewall CPU usage exceeds 80%
D.Active firewall's power supply failure
E.Passive firewall loses connectivity to management network
AnswersA, B

Correct: Path monitoring failure triggers failover.

Why this answer

Option A is correct because path monitoring actively probes a target IP address (e.g., a next-hop router) using ICMP or ARP. If the target becomes unreachable, the firewall considers the network path failed and triggers a failover to the passive unit, ensuring traffic continuity even if the control plane is healthy.

Exam trap

The trap here is that candidates often assume high CPU or power supply failures are automatic HA triggers, but Palo Alto's HA failover is based on control-plane and network-path health, not hardware resource utilization or redundant component failures.

351
MCQmedium

An organization has multiple virtual routers on a single firewall. Traffic between two virtual routers must be inspected by security policies. How should this be configured?

A.Place each virtual router's interfaces into different zones, then create inter-zone security rules.
B.Configure static routes between the virtual routers.
C.Enable inter-virtual router routing under the global settings.
D.Apply security policies that match the virtual router as a source or destination.
AnswerA

This ensures traffic is inspected by the security policy.

Why this answer

Option A is correct because inter-zone security rules are required to enforce security policies on traffic between different virtual routers. Each virtual router's interfaces must be assigned to distinct zones, and inter-zone rules inspect traffic crossing from one zone to another, ensuring the firewall applies security controls (e.g., App-ID, User-ID) to the traffic between the virtual routers.

Exam trap

The trap here is that candidates often assume static routes or a global setting can enable inter-VR traffic with security inspection, but they overlook that PAN-OS requires explicit zone-based security rules to inspect traffic between virtual routers.

How to eliminate wrong answers

Option B is wrong because static routes between virtual routers only provide Layer 3 reachability; they do not invoke security policy inspection. Traffic would be forwarded without any firewall enforcement. Option C is wrong because there is no 'inter-virtual router routing' global setting in PAN-OS; virtual routers are isolated by default, and inter-VR traffic must be explicitly routed via a shared interface or zone, with security policies applied.

Option D is wrong because security policies cannot match on the virtual router as a source or destination attribute; policies are based on zones, IP addresses, users, applications, and other criteria, not the virtual router object itself.

352
MCQhard

Refer to the exhibit. A user reports being unable to connect to a website over HTTPS. The traffic log shows the application as 'incomplete' and the rule 'Block-Unknown-App' is matched. What is the most likely reason the application is 'incomplete'?

A.The security rule is misconfigured because it lacks an application field.
B.App-ID has not yet completed identification because the session is new or requires more packets.
C.The firewall does not have an App-ID signature for the website.
D.SSL decryption is not enabled, so App-ID cannot identify HTTPS traffic.
AnswerB

For encrypted traffic, App-ID may need multiple packets to identify the application; until then it shows 'incomplete'.

Why this answer

When a firewall logs an application as 'incomplete', it means App-ID has not yet finished identifying the application for that session. This typically occurs for new sessions or when the firewall needs to see more packets (e.g., the SSL/TLS handshake or additional data) to match a signature. Since the session matched a rule that blocks unknown applications, the firewall is correctly enforcing the policy while App-ID is still in progress.

Exam trap

Palo Alto Networks often tests the distinction between 'incomplete' (App-ID still processing) and 'unknown' (App-ID could not identify the application), so the trap here is assuming 'incomplete' means the firewall lacks a signature or that SSL decryption is mandatory for HTTPS identification.

How to eliminate wrong answers

Option A is wrong because the rule does have an application field (it matches 'unknown-app'), so the misconfiguration is not about a missing application field. Option C is wrong because 'incomplete' does not mean the firewall lacks a signature; it means the identification process is still ongoing, not that the signature is absent. Option D is wrong because SSL decryption is not required for App-ID to identify HTTPS traffic; App-ID can identify many HTTPS applications using metadata such as SNI, JA3 fingerprints, or IP addresses without decrypting the traffic.

353
MCQeasy

A company wants to decrypt all SSL traffic from internal users to external websites. They have deployed a Palo Alto Networks firewall in forward proxy mode and installed a trusted root CA certificate on all endpoints. Users, however, are complaining about certificate errors when accessing HTTPS sites. Which configuration step is most likely missing?

A.The decryption profile is set to block sessions with untrusted certificates.
B.The firewall is performing inbound inspection instead of forward proxy.
C.The firewall's decryption certificate is not signed by the installed root CA.
D.No decryption profile is attached to the decryption rule.
AnswerC

The firewall's decryption certificate must be signed by the root CA installed on endpoints; otherwise, errors occur.

Why this answer

Option C is correct because in forward proxy decryption, the firewall generates a decryption certificate that must be signed by the trusted root CA installed on the endpoints. If the decryption certificate is self-signed or signed by a different CA, the browser will not trust it, causing certificate errors. The root CA certificate must be installed on all endpoints to establish a chain of trust for the firewall-generated certificates.

Exam trap

The trap here is that candidates often confuse the need for a decryption profile (Option D) with the fundamental requirement of a trusted root CA certificate, or they mistakenly think blocking untrusted certificates (Option A) is the cause of errors rather than a consequence of missing trust.

How to eliminate wrong answers

Option A is wrong because blocking sessions with untrusted certificates would prevent access entirely, not cause certificate errors; the complaint is about errors, not blocked access. Option B is wrong because inbound inspection is used for decrypting traffic destined to internal servers, not for outbound SSL traffic from internal users to external websites, which requires forward proxy mode. Option D is wrong because even without a decryption profile attached, the decryption rule would still apply default decryption settings; the missing step is the certificate trust chain, not the profile attachment.

354
MCQhard

Refer to the exhibit. An administrator wants to block all traffic that does not match a specific application (e.g., only allow 'web-browsing'). What should be done?

A.Use a file blocking profile.
B.Change application to ['unknown-tcp', 'unknown-udp'].
C.Change category to ['misccategory'].
D.Change action to 'deny' and create a new rule with application ['web-browsing'] above it.
AnswerD

A deny-all rule at the bottom with specific allow rules above is best practice.

Why this answer

Option D is correct because to enforce an allow-list approach for a specific application like 'web-browsing', you must first create a rule that denies all traffic (action 'deny') and then place a higher-priority rule above it that explicitly allows only 'web-browsing'. This ensures that any traffic not matching the allowed application is blocked by the default-deny rule, leveraging App-ID's ability to identify applications regardless of port or protocol.

Exam trap

Palo Alto Networks often tests the misconception that you can block all non-matching traffic by simply changing the action of the existing rule to 'deny' without adding a separate allow rule above it, but that would block everything including the desired application.

How to eliminate wrong answers

Option A is wrong because file blocking profiles are used to block specific file types (e.g., executables, PDFs) within allowed application traffic, not to block entire applications or non-matching traffic. Option B is wrong because changing the application to ['unknown-tcp', 'unknown-udp'] would only match traffic that App-ID cannot identify, not block all non-'web-browsing' traffic; it would also allow unknown traffic that might be malicious. Option C is wrong because changing the category to ['misccategory'] would only match traffic categorized as miscellaneous, which is a subset of unknown or uncategorized traffic, not a comprehensive block for all non-'web-browsing' applications.

355
MCQmedium

A company is expanding its network and needs to add a new data center. The two data centers will be connected via a WAN link. To protect the traffic between data centers, the security team wants to use site-to-site VPNs. Which Palo Alto Networks feature is used to route traffic between VPN tunnels and security zones?

A.Virtual routers
B.Virtual wires
C.Security policies
D.Interface management profiles
AnswerA

Virtual routers handle routing and can direct traffic into and out of VPN tunnels.

Why this answer

Virtual routers are the correct feature because they function as Layer 3 routing instances within Palo Alto Networks firewalls, enabling the routing of traffic between VPN tunnels (which terminate on tunnel interfaces) and security zones. When a site-to-site VPN is configured, the tunnel interface is assigned to a virtual router, which then uses static or dynamic routing protocols (e.g., BGP, OSPF) to forward traffic between the tunnel and the zone's egress interface. This allows the firewall to make forwarding decisions between the encrypted VPN path and the protected internal network segments.

Exam trap

The trap here is that candidates often confuse security policies with routing decisions, mistakenly thinking that policies control traffic flow between zones, when in fact virtual routers handle the actual Layer 3 forwarding and path selection between VPN tunnels and security zones.

How to eliminate wrong answers

Option B (Virtual wires) is wrong because virtual wires operate at Layer 2, acting as a transparent bridge between two interfaces without performing any routing or Layer 3 forwarding, making them unsuitable for routing traffic between VPN tunnels and security zones. Option C (Security policies) is wrong because security policies control access by permitting or denying traffic based on source/destination zones, users, and applications, but they do not perform routing functions or determine the path traffic takes between VPN tunnels and zones. Option D (Interface management profiles) is wrong because these profiles define management access permissions (e.g., ping, SSH, HTTPS) on an interface and have no role in routing or forwarding traffic between VPN tunnels and security zones.

356
MCQeasy

An administrator wants to configure the firewall to automatically synchronize its clock with an external NTP server. Which device management section is used?

A.Device > Setup > Management
B.Device > High Availability
C.Device > Setup > Operations
D.Device > Server Monitoring
E.Device > Setup > Services
AnswerE

NTP server and other time settings are configured here.

Why this answer

Option E is correct because NTP synchronization is configured under Device > Setup > Services in the PAN-OS web interface. This section contains the NTP server settings where you can specify primary and secondary NTP servers, and the firewall will automatically synchronize its clock with them using the Network Time Protocol (NTP) on UDP port 123.

Exam trap

The trap here is that candidates confuse Device > Setup > Services with Device > Setup > Management, thinking NTP is a management-level setting, but Services is the correct section for time synchronization services.

How to eliminate wrong answers

Option A is wrong because Device > Setup > Management is used for configuring management interface settings, authentication, and administrator access, not NTP services. Option B is wrong because Device > High Availability is used for configuring firewall clustering and failover settings, not time synchronization. Option C is wrong because Device > Setup > Operations is used for tasks like loading configurations, rebooting, or performing maintenance operations, not for NTP configuration.

Option D is wrong because Device > Server Monitoring is used for configuring SNMP or syslog monitoring, not for NTP server settings.

357
MCQmedium

An administrator needs to allow traffic from multiple subnets to a specific internal server. The subnets are all part of the same address group. Which object would simplify the security policy rule?

A.Tag
B.Schedule
C.Service group
D.Address group
AnswerD

Address groups combine multiple address objects, simplifying policy creation.

Why this answer

Option D is correct because an address group allows the administrator to group multiple subnets into a single object, which can then be referenced in a security policy rule. This simplifies rule management by reducing the number of individual source address entries needed, making the policy easier to maintain and audit.

Exam trap

The trap here is that candidates may confuse address groups with service groups, thinking both are used for grouping, but service groups only apply to ports/protocols, not IP addresses or subnets.

How to eliminate wrong answers

Option A is wrong because tags are used for policy rule categorization and filtering in the management interface, not for grouping IP addresses or subnets. Option B is wrong because schedules define time-based access windows and have no relation to grouping subnets for source matching. Option C is wrong because service groups are used to combine multiple protocols or ports (e.g., TCP/80 and TCP/443) into a single object, not to group IP addresses or subnets.

358
MCQhard

A large enterprise uses Palo Alto Networks firewalls with SSL Forward Proxy to inspect all HTTPS traffic (port 443) from internal users. Recently, users have reported slow web browsing and intermittent failures when accessing certain financial and healthcare websites. The firewall's dataplane CPU consistently reaches 85-95% during business hours. The decryption policy is configured with a single rule that decrypts all outbound HTTPS traffic using the default SSL Forward Proxy settings. The firewall is a PA-5250 with ample license capacity. What should the administrator do to resolve the performance issues while maintaining security posture?

A.Increase the maximum number of concurrent SSL sessions allowed.
B.Disable decryption for high-bandwidth websites such as video streaming services.
C.Implement decryption exclusion rules for financial and healthcare websites.
D.Enable hardware acceleration for SSL decryption.
AnswerC

Excluding problematic sites reduces decryption overhead while maintaining security on most traffic.

Why this answer

Option C is correct because financial and healthcare websites often use certificate pinning or require specific cipher suites that may not be compatible with the firewall's default SSL Forward Proxy settings. By excluding these sites from decryption, the administrator reduces the decryption load on the dataplane CPU and avoids breaking connectivity to sensitive sites, while still decrypting the majority of HTTPS traffic to maintain security posture.

Exam trap

The trap here is that candidates may assume hardware acceleration (Option D) is a magic fix for all performance issues, but in reality, the PA-5250 already has it enabled, and the bottleneck is the CPU's capacity to handle the cryptographic operations, not the acceleration feature itself.

How to eliminate wrong answers

Option A is wrong because increasing the maximum number of concurrent SSL sessions would increase the CPU load, not reduce it, as the firewall would attempt to handle more simultaneous decryption operations, worsening the high CPU issue. Option B is wrong because disabling decryption for high-bandwidth websites like video streaming services would reduce CPU load but would also bypass security inspection for a large volume of traffic, weakening the security posture and potentially allowing threats to hide in encrypted streams. Option D is wrong because the PA-5250 already has hardware acceleration for SSL decryption enabled by default; the issue is not a lack of hardware support but rather the CPU being overwhelmed by the sheer volume of decryption operations, and enabling it again would have no effect.

359
MCQeasy

An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?

A.Use the 'Device > Setup > Operations > Save named configuration snapshot' option
B.Use the 'Save Candidate Config' option in the GUI
C.Use the CLI command 'show config running' and copy the output
D.Use the 'Device > Setup > Operations > Export named configuration snapshot' and select 'running-config.xml'
AnswerD

This exports the full running configuration as an XML file that can be imported later.

Why this answer

Option D is correct because exporting the running-config.xml via 'Device > Setup > Operations > Export named configuration snapshot' creates a complete XML backup of the entire running configuration. This file can be imported and restored to the same or a different firewall of the same model and PAN-OS version, ensuring full recovery of all settings, including network, policy, and object configurations.

Exam trap

The trap here is that candidates confuse a local snapshot (Option A) or a candidate config save (Option B) with a portable, exportable backup, or mistakenly think a CLI text output (Option C) is sufficient for restoration, when only the exported XML file supports full cross-firewall restore.

How to eliminate wrong answers

Option A is wrong because 'Save named configuration snapshot' creates a point-in-time snapshot stored locally on the firewall, which is not exportable and cannot be restored to a different firewall. Option B is wrong because 'Save Candidate Config' only saves the pending candidate configuration to the running configuration, not a full backup; it does not produce an exportable file. Option C is wrong because 'show config running' outputs the running configuration as text to the CLI, which is not a structured XML backup and cannot be directly imported for restoration; it is intended for viewing, not backup and restore.

360
MCQeasy

A small business has a Palo Alto Networks firewall with a single security policy rule that allows all traffic from the 'Trust' zone to the 'Untrust' zone. The business recently experienced a malware infection originating from an internal host that communicated with known malicious IP addresses. The administrator wants to implement a security policy to block traffic to these malicious IP destinations. The administrator has a list of 500 malicious IP addresses that may change frequently. What is the most efficient way to create a policy to block traffic to these IPs?

A.Create a security rule with an address group containing the 500 IPs as destination, action deny, placed above the allow rule.
B.Create a security rule with source zone Trust, destination zone Untrust, source address list containing the 500 IPs, action deny.
C.Create an External Dynamic List (EDL) of the malicious IPs and reference it in a security rule as destination address, with action deny, placed above the allow rule.
D.Create a security rule with source zone Trust, destination zone Untrust, destination address list containing the 500 IPs as separate address objects, action deny, placed above the allow rule.
AnswerC

Correct. EDLs simplify management and allow automatic updates, making them the most efficient choice for frequently changing lists.

Why this answer

External Dynamic Lists (EDLs) are designed to manage large, frequently updated lists of IP addresses. They integrate with security rules and can be updated automatically, minimizing administrative overhead.

361
MCQhard

A company has a Palo Alto firewall with both inbound and outbound decryption. The security team notices that some traffic to a specific internal server is being double-decrypted: first by inbound decryption when the client is internal, and second by outbound decryption when the server initiates connections to external resources. This causes performance issues and certificate warnings. The firewall policy has separate rules for inbound and outbound decryption, and all internal traffic passes through the firewall. How should the administrator resolve this?

A.Create a decryption exclusion rule for traffic between internal clients and the internal server.
B.Ensure that the inbound decryption rule only applies to traffic from external sources, not internal.
C.Disable outbound decryption for the subnet of the internal server.
D.Use a no-decrypt rule for traffic from the internal server's IP to the internet.
AnswerB

By restricting the source zone to Untrust, internal clients will not be subject to inbound decryption, eliminating double decryption.

Why this answer

The core issue is that inbound decryption is incorrectly applied to traffic from internal clients to the internal server, causing double decryption when the server subsequently initiates outbound connections. By ensuring the inbound decryption rule only applies to traffic from external sources (i.e., source zone is untrust), internal-to-internal traffic bypasses inbound decryption, eliminating the double-decryption loop. This aligns with best practices where inbound decryption is scoped to traffic originating outside the network.

Exam trap

The trap here is that candidates may focus on excluding specific traffic (options A, C, D) rather than correcting the zone-based scope of the inbound decryption rule, which is the fundamental cause of the double-decryption problem.

How to eliminate wrong answers

Option A is wrong because a decryption exclusion rule would prevent decryption of traffic between internal clients and the internal server, but it does not address the root cause—the inbound decryption rule incorrectly matching internal traffic—and may still allow the server's outbound decryption to cause certificate warnings. Option C is wrong because disabling outbound decryption for the internal server's subnet would prevent legitimate decryption of the server's outbound traffic to external resources, potentially breaking security inspection for that traffic. Option D is wrong because a no-decrypt rule for the internal server's IP to the internet only stops outbound decryption for that server, but does not fix the inbound decryption misapplication that causes the initial double-decryption when internal clients connect to the server.

362
Multi-Select (hard)

Which TWO factors affect the order in which security rules are evaluated?

Select 2 answers
A. Application used in the rule.
B. Rule hit count.
C. Whether the rule is intra-zone or inter-zone.
D. Rule position in the rulebase (top-down).
E. Rule action (allow or deny).
Answers: C, D

Intra-zone rules are evaluated before inter-zone rules in the same policy set.

Why this answer

C and D are correct. Rule priority is determined by the rule's position in the rulebase (top-down). Intra-zone and inter-zone rules are evaluated separately in their respective sections.

B is wrong because hit count does not affect order. E is wrong because the rule action (allow/deny) does not determine evaluation order. A is wrong because the application used in the rule does not change evaluation order.

363
MCQ (medium)

A firewall administrator needs to generate a report that shows the top applications consuming bandwidth over the last week. Which Palo Alto Networks tool should be used?

A. Predefined reports.
B. Traffic log viewer.
C. Application Command Center (ACC).
D. Packet capture (PCAP).
Answer: C

ACC provides an intuitive dashboard with application breakdowns and top usage.

Why this answer

Option C is correct. The ACC (Application Command Center) provides a visual overview of application usage and can filter by time. Option B is wrong because the traffic log viewer shows raw logs, not aggregated reports.

Option A is wrong because predefined reports are scheduled, not interactive. Option D is wrong because packet capture is for troubleshooting individual flows.

364
MCQ (hard)

During a security audit, it is discovered that FTP traffic over non-standard ports is bypassing App-ID inspection. What is the most effective method to ensure all FTP traffic is identified, regardless of port?

A. Update the App-ID and threat databases to the latest version.
B. Set the security policy to 'allow' without App-ID to ensure FTP works.
C. Add the non-standard port to the FTP service definition.
D. Create an Application Override rule for FTP on the required source and destination addresses.
Answer: D

Application Override forces App-ID to treat the traffic as FTP.

Why this answer

Option D is correct because an Application Override for FTP can be configured to identify FTP traffic on any port by specifying the application and source/destination. Option B is wrong because allowing traffic without App-ID removes inspection. Option A is wrong because updating the App-ID database does not change detection behavior for custom ports.

Option C is wrong because service definitions are port-based, not application-based.

365
MCQ (easy)

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

A. The source IP is negated in the rule.
B. The rule is placed at the top of the rulebase and overridden by a later rule.
C. The rule is positioned below an allow rule that matches the same traffic.
D. The rule is disabled in the rulebase.
Answer: C

First match wins, so the allow rule matches before the block rule.

Why this answer

Option C is correct because the Palo Alto Networks firewall evaluates security rules in top-down order, from the first rule in the rulebase to the last. If a rule that allows traffic is placed higher in the list, it will match and permit the traffic before the lower-placed block rule is ever evaluated. The block rule at the bottom is effectively never reached for that traffic, which is why the intended blocking action fails.

Exam trap

The trap here is that candidates may think rule order does not matter or that a block rule can override an allow rule regardless of position, but Palo Alto Networks enforces strict top-down evaluation where the first match wins, so a lower rule cannot override a higher rule's action.

How to eliminate wrong answers

Option A is wrong because negating the source IP in the rule would mean the rule matches traffic from any IP except the specified one, which would not block the intended IP; however, the question states the rule is intended to block a specific IP, and the issue is the rule's position, not its logic. Option B is wrong because if the rule were at the top of the rulebase, it would be evaluated first and would not be overridden by a later rule (Palo Alto Networks uses first-match, not last-match, semantics). Option D is wrong because a disabled rule is simply skipped during evaluation and would not cause traffic to be allowed by a higher rule; the traffic would still be evaluated against other enabled rules in order.

366
MCQ (hard)

After a policy change, a security administrator commits the candidate configuration, but the changes do not take effect immediately for all users. Some users report connectivity issues while others do not. What should the administrator check first?

A. The new rule has an incorrect source zone.
B. There is a mismatch between the virtual wire vs layer3 interface.
C. The committed configuration is still in candidate state.
D. The commit was successful but the changes are applied only to new sessions, not existing sessions.
Answer: D

Policy changes only affect new sessions; existing sessions continue with the old policy until they timeout.

Why this answer

Option D is correct because policy changes affect new sessions; existing sessions continue with the old policy until they time out. Option C is false; a successful commit finalizes the configuration, so it is no longer in candidate state. Option B is not related.

Option A would affect all users matched by the rule, not only some.

367
MCQ (medium)

A company wants to block all traffic from the Guest zone to the Corporate zone except DNS. What is the best practice for configuring the security policy?

A. Create a deny rule for any traffic from Guest to Corporate, placed above an allow rule for DNS.
B. Rely on the interzone default rule, which blocks all traffic, and add a rule to allow DNS.
C. Create an allow rule for DNS from Guest to Corporate, placed above a deny rule for any other traffic.
D. Create a universal rule that applies to all zones with action 'allow' for DNS and 'deny' for everything else.
Answer: C

Placing the specific allow rule above the general deny rule ensures DNS is allowed and all else is blocked.

Why this answer

Best practice is to place the allow rule before the deny rule to ensure permitted traffic is not blocked by a broader deny rule.

368
MCQ (easy)

Based on the exhibit, what action did the firewall take on this traffic?

A. Reset the connection.
B. Blocked the URL.
C. Allowed the traffic.
D. Denied the traffic.
Answer: C

The log entry shows 'allow' as the action.

Why this answer

The exhibit shows a traffic log entry with the action 'allow' (or a green checkmark indicating a permit), meaning the firewall evaluated the traffic against security policies and determined it matched a rule set to allow. The session was established and forwarded without being blocked or reset, confirming the correct answer is C.

Exam trap

The trap here is that candidates may confuse the firewall's action with the result of a security profile (e.g., URL filtering or threat prevention), but the question specifically asks for the action taken on the traffic, which is determined solely by the security policy rule's action field.

How to eliminate wrong answers

Option A is wrong because a reset action would appear as 'reset-server' or 'reset-client' in the log, not 'allow', and would terminate the TCP connection with a RST flag. Option B is wrong because URL blocking is a specific action under URL filtering profiles, which would log a 'block-url' action, not a general 'allow'. Option D is wrong because 'denied' traffic would show an action of 'deny' or 'drop' in the log, and the session would not be established.

369
MCQ (easy)

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

A. Create a security policy rule that allows traffic from the internal zone to the external zone
B. Define a NAT policy to translate internal IPs to the external interface
C. Enable SSL decryption on the firewall
D. Configure a virtual wire between the internal and external interfaces
Answer: A

Security policies enforce inspection and control.

Why this answer

Option A is correct because in a Layer 3 firewall deployment with virtual wire subinterfaces, traffic inspection is governed by security policy rules. A rule allowing traffic from the internal zone to the external zone ensures that all outbound traffic is evaluated and inspected by the firewall, as security policies are the primary mechanism for controlling and logging traffic in Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often confuse NAT or decryption as the primary mechanism for traffic inspection, but in Palo Alto Networks firewalls, security policies are the fundamental control that enables inspection and logging of traffic.

How to eliminate wrong answers

Option B is wrong because NAT policies translate IP addresses but do not enable traffic inspection; inspection requires a security policy rule. Option C is wrong because SSL decryption is an additional feature for inspecting encrypted traffic, but it is not required to ensure all traffic is inspected; a security policy must still be in place. Option D is wrong because a virtual wire is a Layer 2 deployment method, not a Layer 3 mode; the question specifies Layer 3 mode with virtual wire subinterfaces, which are used for VLAN tagging, not for creating a virtual wire between interfaces.

370
MCQ (medium)

An organization uses a Palo Alto Networks firewall to segment its network into three zones: Corp (10.0.1.0/24), Guest (10.0.2.0/24), and Mgmt (10.0.3.0/24). The firewall is running PAN-OS 10.0. The administrator wants to ensure that only devices from the Corp zone can access the management interface of the firewall via SSH from the internal network. The management interface is physically connected to the Mgmt network, and its IP is 10.0.3.1/24. A security policy must be configured to permit this access. Which approach should the administrator take?

A. Create a policy with source zone Corp, destination zone Mgmt, and service SSH. Ensure that the management interface is included as a destination in the policy.
B. Use the built-in admin access control list in firewall settings to permit SSH from Corp subnet, and disable all other management protocols.
C. Create a security policy with source zone Corp, destination zone Mgmt, and application SSH, and also create a static route to the Mgmt network.
D. Configure an interface management profile on the Mgmt interface that allows SSH only from the Corp subnet (10.0.1.0/24), and apply it to the management interface.
Answer: D

Interface Management Profiles control which services and source IPs can access the firewall's management plane on a per-interface basis; this is the correct method.

Why this answer

Option D is correct. Management access to the firewall's control plane is controlled by Interface Management Profiles, not security policies. Security policies govern data plane traffic that passes through the firewall, not traffic destined to the firewall itself.

Therefore, the correct method is to configure an Interface Management Profile on the Mgmt interface that permits SSH only from the Corp subnet. Option A incorrectly uses a security policy. Option C also misapplies security policy.

Option B describes an alternative method (a management access list), but Interface Management Profiles are the standard and more flexible approach, and the question specifically asks for the correct one in this context.

371
MCQ (easy)

A small business uses a Palo Alto Networks PA-220 firewall. The administrator needs to create a security policy to allow inbound VPN connections from remote employees using IPsec. The remote employees connect using dynamic IP addresses. The administrator creates an address object "Remote-VPN-Users" of type "IP Range" but that doesn't work because the IPs are not known. What address object type should be used instead?

A. IP Netmask
B. Any (0.0.0.0/0)
C. FQDN
D. IP Wildcard Mask
Answer: B

Using 'Any' as source allows all IP addresses, which is the only way to accommodate dynamic remote users.

Why this answer

The correct answer is B because when remote employees connect using dynamic IP addresses, the source IP is unknown and cannot be defined by a static address object. Using 'Any' (0.0.0.0/0) as the source address in the security policy allows the firewall to accept IPsec VPN traffic from any source IP, which is necessary for clients with dynamic addresses. This is a common practice for remote access VPN configurations where the peer IP is not predetermined.

Exam trap

The trap here is that candidates may think an IP range or netmask can be used to cover a broad set of dynamic IPs, but they fail to recognize that dynamic IPs are unpredictable and cannot be enumerated, making 'Any' the only viable option for source address in remote access VPN policies.

How to eliminate wrong answers

Option A is wrong because IP Netmask requires a specific subnet or host IP, which is not possible when remote users have dynamic IPs that change each connection. Option C is wrong because FQDN resolves to a static IP address or set of IPs, but dynamic IPs are not reliably mapped to a single FQDN, and the firewall would need DNS resolution at policy evaluation time, which is not suitable for dynamic IPsec peers. Option D is wrong because IP Wildcard Mask is used for matching ranges of IPs in a bitwise pattern (similar to ACLs), but it still requires a known range or pattern, which is not feasible when the IPs are completely unknown and dynamic.

372
MCQ (hard)

Two Palo Alto Networks firewalls are configured in an active/passive high-availability pair. During a failover event, the passive firewall becomes active but the session table is empty. What is the most likely cause?

A. Session synchronization is not configured
B. The preemptive mode is disabled
C. Heartbeat failure caused the failover to be incomplete
D. The sessions timed out during the failover
Answer: A

Session sync must be enabled in the HA configuration to maintain sessions during failover.

Why this answer

In an active/passive high-availability pair, session synchronization must be explicitly configured to replicate session state from the active firewall to the passive firewall. Without this configuration, the passive firewall has no session table when it becomes active, causing all existing connections to be dropped. This is the most direct cause of an empty session table after failover.

Exam trap

The trap here is that candidates may assume session state is automatically synchronized in an HA pair, but Palo Alto Networks requires explicit configuration of session synchronization via the HA setup, and failing to enable it leaves the passive firewall without session data.

How to eliminate wrong answers

Option B is wrong because disabling preemptive mode only prevents the original active firewall from automatically reclaiming its role after recovery; it does not affect session synchronization or cause an empty session table. Option C is wrong because a heartbeat failure would trigger the failover itself, but if the failover completes and the passive becomes active, the session table would still be empty only if session sync is missing; an incomplete failover would not result in an active firewall with an empty table. Option D is wrong because sessions do not time out during the brief failover event; session timeout values (e.g., TCP default 3600 seconds) are far longer than the failover duration, and the empty table is due to lack of synchronization, not timeout.

373
MCQ (easy)

An administrator wants to view logs related to decryption failures. Which log type should they use?

A. Traffic logs
B. Threat logs
C. URL Filtering logs
D. System logs
Answer: A

Traffic logs include fields for decryption status and failure reason.

Why this answer

Traffic logs capture all session-level events, including decryption failures, because they record the action taken by the firewall (e.g., 'decrypt', 'no-decrypt', or 'decrypt-error'). When decryption fails due to issues like certificate validation errors, unsupported cipher suites, or handshake failures, the firewall logs the session as a traffic log entry with a specific reason code. This makes Traffic logs the correct source for troubleshooting decryption failures.

Exam trap

The trap here is that candidates confuse 'decryption failures' with 'threat events' and select Threat logs, not realizing that decryption errors are session-level actions logged in Traffic logs, not security threat detections.

How to eliminate wrong answers

Option B (Threat logs) is wrong because threat logs record malware, exploits, and vulnerability events, not decryption failures. Option C (URL Filtering logs) is wrong because URL filtering logs track website categorization and access decisions, not the cryptographic handshake or certificate errors. Option D (System logs) is wrong because system logs capture administrative events, system health, and configuration changes, not per-session decryption errors.

374
Multi-Select (medium)

Which three of the following are true about tag-based dynamic address groups? (Choose three.)

Select 3 answers
A. Tags can be applied to address objects
B. When an address object's tags change, dynamic groups are updated immediately after commit
C. A dynamic address group can match on one or more tags
D. A static address group can also use tags for matching
E. Tags are case-sensitive
Answers: A, B, C

Tags are metadata that can be assigned to address objects.

Why this answer

Option A is correct because tags are metadata labels that can be applied to address objects in Palo Alto Networks firewalls. This allows you to categorize objects flexibly, and dynamic address groups use these tags to automatically include or exclude objects based on tag membership.

Exam trap

Palo Alto Networks often tests the misconception that tags are case-sensitive, but in Palo Alto Networks, tags are case-insensitive, and candidates may also incorrectly assume static groups can use tags for dynamic matching.

375
MCQ (easy)

An administrator wants to block traffic from a specific user using User-ID. What is required to identify users in security policies?

A. Deploy SSL decryption to see user credentials.
B. Configure User-ID by integrating with Active Directory or using captive portal.
C. Enable URL Filtering to track user visits.
D. Activate App-ID to detect user login events.
Answer: B

User-ID maps IP addresses to usernames.

Why this answer

Option B is correct because User-ID requires user mapping from AD, captive portal, or other methods. Option C is wrong because URL filtering is separate. Option A is wrong because decryption is not needed for user identification.

Option D is wrong because application identification is different.
