CCNA Device Management and Services Questions

41 of 116 questions · Page 2/2 · Device Management and Services · Answers revealed

76
MCQ · medium

Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?

A. Data Filtering
B. Captive Portal
C. GlobalProtect
D. User-ID

Answer: D

Correct: User-ID maps IP addresses to usernames and includes the user in traffic logs.

Why this answer

The 'user' field in a traffic log is populated by User-ID, which maps IP addresses to usernames by monitoring authentication events from Active Directory, LDAP, or terminal services agents. This allows the firewall to log and enforce policies based on user identity rather than just IP addresses.

Exam trap

The trap here is that candidates confuse Captive Portal (which authenticates users for web access) with User-ID (which passively maps IPs to usernames for logging and policy enforcement), leading them to choose Captive Portal instead of User-ID.

How to eliminate wrong answers

Option A is wrong because Data Filtering is a security profile that controls the transfer of sensitive data patterns (e.g., credit card numbers) in application traffic, not user identity mapping. Option B is wrong because Captive Portal is an authentication mechanism that intercepts HTTP traffic to enforce user login before granting network access, but it does not passively map IP-to-user for all traffic logs; User-ID handles that mapping. Option C is wrong because GlobalProtect is a remote access VPN solution that can provide user identity via its gateway, but the 'user' field in a traffic log is populated by the User-ID agent, not solely by GlobalProtect.

77
Multi-Select · hard

Which three of the following are valid commit options in the PAN-OS GUI? (Choose three.)

Select 3 answers
A. Validate commit
B. Force commit
C. Partial commit
D. Commit all changes
E. Commit to Panorama

Answers: A, C, D

Correct: Validate commit checks the configuration for errors without applying it.

Why this answer

Option A is correct because the PAN-OS GUI provides a 'Validate commit' option that checks the configuration for errors before applying it. This is a standard commit option that ensures the candidate configuration is syntactically and semantically valid, reducing the risk of committing a broken configuration.

Exam trap

The trap here is that candidates may confuse the 'Force commit' CLI command with a GUI option, or mistakenly think 'Commit to Panorama' is a local firewall commit option, when in fact Panorama uses a different workflow for pushing configurations.

78
Multi-Select · hard

An administrator is configuring active/passive HA for two PA-3020 firewalls. Which TWO conditions would trigger a failover? (Choose two.)

Select 2 answers
A. Path monitoring detects unreachable target
B. Heartbeat link failure
C. Active firewall CPU usage exceeds 80%
D. Active firewall's power supply failure
E. Passive firewall loses connectivity to management network

Answers: A, B

Correct: Path monitoring failure triggers failover.

Why this answer

Option A is correct because path monitoring actively probes a target IP address (e.g., a next-hop router) using ICMP or ARP. If the target becomes unreachable, the firewall considers the network path failed and triggers a failover to the passive unit, ensuring traffic continuity even if the control plane is healthy.

Exam trap

The trap here is that candidates often assume high CPU or power supply failures are automatic HA triggers, but Palo Alto's HA failover is based on control-plane and network-path health, not hardware resource utilization or redundant component failures.

79
MCQ · easy

An administrator wants to configure the firewall to automatically synchronize its clock with an external NTP server. Which device management section is used?

A. Device > Setup > Management
B. Device > High Availability
C. Device > Setup > Operations
D. Device > Server Monitoring
E. Device > Setup > Services

Answer: E

NTP server and other time settings are configured here.

Why this answer

Option E is correct because NTP synchronization is configured under Device > Setup > Services in the PAN-OS web interface. This section contains the NTP server settings where you can specify primary and secondary NTP servers, and the firewall will automatically synchronize its clock with them using the Network Time Protocol (NTP) on UDP port 123.

Exam trap

The trap here is that candidates confuse Device > Setup > Services with Device > Setup > Management, thinking NTP is a management-level setting, but Services is the correct section for time synchronization services.

How to eliminate wrong answers

Option A is wrong because Device > Setup > Management is used for configuring management interface settings, authentication, and administrator access, not NTP services. Option B is wrong because Device > High Availability is used for configuring firewall clustering and failover settings, not time synchronization. Option C is wrong because Device > Setup > Operations is used for tasks like loading configurations, rebooting, or performing maintenance operations, not for NTP configuration.

Option D is wrong because Device > Server Monitoring is used for configuring SNMP or syslog monitoring, not for NTP server settings.

80
MCQ · easy

An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?

A. Use the 'Device > Setup > Operations > Save named configuration snapshot' option
B. Use the 'Save Candidate Config' option in the GUI
C. Use the CLI command 'show config running' and copy the output
D. Use the 'Device > Setup > Operations > Export named configuration snapshot' and select 'running-config.xml'

Answer: D

This exports the full running configuration as an XML file that can be imported later.

Why this answer

Option D is correct because exporting the running-config.xml via 'Device > Setup > Operations > Export named configuration snapshot' creates a complete XML backup of the entire running configuration. This file can be imported and restored to the same or a different firewall of the same model and PAN-OS version, ensuring full recovery of all settings, including network, policy, and object configurations.

Exam trap

The trap here is that candidates confuse a local snapshot (Option A) or a candidate config save (Option B) with a portable, exportable backup, or mistakenly think a CLI text output (Option C) is sufficient for restoration, when only the exported XML file supports full cross-firewall restore.

How to eliminate wrong answers

Option A is wrong because 'Save named configuration snapshot' creates a point-in-time snapshot stored locally on the firewall, which is not exportable and cannot be restored to a different firewall. Option B is wrong because 'Save Candidate Config' only saves the pending candidate configuration to the running configuration, not a full backup; it does not produce an exportable file. Option C is wrong because 'show config running' outputs the running configuration as text to the CLI, which is not a structured XML backup and cannot be directly imported for restoration; it is intended for viewing, not backup and restore.

81
MCQ · easy

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

A. Create a security policy rule that allows traffic from the internal zone to the external zone
B. Define a NAT policy to translate internal IPs to the external interface
C. Enable SSL decryption on the firewall
D. Configure a virtual wire between the internal and external interfaces

Answer: A

Security policies enforce inspection and control.

Why this answer

Option A is correct because in a Layer 3 firewall deployment with virtual wire subinterfaces, traffic inspection is governed by security policy rules. A rule allowing traffic from the internal zone to the external zone ensures that all outbound traffic is evaluated and inspected by the firewall, as security policies are the primary mechanism for controlling and logging traffic in Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often confuse NAT or decryption as the primary mechanism for traffic inspection, but in Palo Alto Networks firewalls, security policies are the fundamental control that enables inspection and logging of traffic.

How to eliminate wrong answers

Option B is wrong because NAT policies translate IP addresses but do not enable traffic inspection; inspection requires a security policy rule. Option C is wrong because SSL decryption is an additional feature for inspecting encrypted traffic, but it is not required to ensure all traffic is inspected; a security policy must still be in place. Option D is wrong because a virtual wire is a Layer 2 deployment method, not a Layer 3 mode; the question specifies Layer 3 mode with virtual wire subinterfaces, which are used for VLAN tagging, not for creating a virtual wire between interfaces.

82
MCQ · medium

A security administrator manages a Palo Alto Networks firewall with multiple virtual systems (vsys). The firewall is configured to use Panorama for centralized management. The administrator notices that after committing a configuration change on Panorama, the firewall's vsys2 is not receiving the updated configuration. The firewall can reach Panorama, and other vsys are updated correctly. The administrator verifies that Panorama's device group hierarchy includes the firewall and that the vsys2 template stack is correctly assigned. What is the most likely cause of this issue?

A. The commit on Panorama failed for vsys2 due to a validation error.
B. The admin user does not have sufficient privileges to push configuration to vsys2.
C. The vsys2 is not included in the device group on Panorama.
D. The firewall's serial number is not registered correctly in Panorama for vsys2.

Answer: C

For Panorama to push configuration to a specific vsys, that vsys must be part of the device group. If vsys2 is omitted, it won't receive the update.

Why this answer

Option C is correct because Panorama pushes configuration to firewalls based on device group membership. If vsys2 is not included in the device group assigned to the firewall, Panorama will not push the updated configuration to that virtual system, even if the firewall itself is reachable and other vsys are updated. The administrator verified the template stack assignment, but the device group inclusion is a separate prerequisite for configuration delivery.

Exam trap

The trap here is that candidates often confuse device group membership with template stack assignment, assuming both are required for configuration push, but only device group membership controls policy delivery to specific vsys.

How to eliminate wrong answers

Option A is wrong because a commit failure on Panorama would typically generate an error message or log entry, and the administrator did not report any validation errors; also, other vsys updated successfully, indicating the commit succeeded globally. Option B is wrong because admin privileges in Panorama are role-based and apply to the entire firewall or device group, not per vsys; if the admin could push to other vsys, they have sufficient privileges. Option D is wrong because the firewall's serial number is registered at the firewall level, not per vsys; if the firewall can reach Panorama and other vsys are updated, the serial number registration is correct.

83
Multi-Select · medium

A security administrator is configuring Panorama to manage multiple firewalls. Which two actions are required to ensure that a firewall receives its configuration from Panorama? (Choose two.)

Select 2 answers
A. Commit the Panorama configuration.
B. Create a local admin account on the firewall.
C. Add the firewall to a template stack.
D. Add the firewall to a device group.
E. Enable 'Panorama Managed' on the firewall.

Answers: C, E

Template stacks contain device settings applied to firewalls.

Why this answer

Option C is correct because a firewall must be added to a template stack to receive device-level settings (such as network interfaces and security zones) from Panorama. Template stacks allow hierarchical configuration of device-specific parameters, ensuring the firewall inherits the correct operational settings.

Exam trap

The trap here is that candidates often confuse device groups with template stacks, assuming that adding a firewall to a device group alone is sufficient to receive all configuration, but Panorama requires both a template stack for device-level settings and the 'Panorama Managed' flag to establish management connectivity.

84
MCQ · medium

A company wants to centrally manage multiple firewalls using Panorama. They need to reduce management IP usage on the firewalls. Which Panorama deployment model best achieves this?

A. Use the firewall's default management mode with out-of-band management
B. Deploy firewalls in an Active/Active HA cluster
C. Configure a dedicated management subnet for each firewall
D. Use Panorama in 'panorama' mode with templates and device groups

Answer: D

This centralizes management and reduces individual management IP overhead.

Why this answer

Option D is correct because Panorama's 'panorama' mode with templates and device groups allows centralized management of multiple firewalls without requiring a dedicated management IP for each firewall. Instead, firewalls can share a single management interface or use in-band management, reducing IP address consumption. This model streamlines configuration and policy deployment while minimizing management IP overhead.

Exam trap

The trap here is that candidates may confuse 'reducing management IP usage' with 'reducing management traffic' or 'improving security,' leading them to choose out-of-band management (Option A) or dedicated subnets (Option C), which actually increase IP consumption rather than reduce it.

How to eliminate wrong answers

Option A is wrong because using the firewall's default management mode with out-of-band management still requires a dedicated management IP per firewall, which does not reduce IP usage. Option B is wrong because deploying firewalls in an Active/Active HA cluster does not reduce management IP usage; each firewall still needs its own management IP, and the cluster adds complexity without addressing IP conservation. Option C is wrong because configuring a dedicated management subnet for each firewall increases IP usage by requiring separate subnets and IPs, contrary to the goal of reducing management IP consumption.

85
MCQ · easy

An administrator needs to perform a scheduled reboot of the firewall for maintenance. Which method provides the most control over the reboot timing?

A. Use the CLI command 'request restart system' with a scheduled time
B. Schedule a commit with the 'reboot at' option
C. Use the GUI 'Restart' button
D. Use the CLI command 'request shutdown system'

Answer: A

This allows scheduling the reboot.

Why this answer

The CLI command 'request restart system' with a scheduled time provides the most control because it allows you to specify an exact date and time for the reboot, ensuring the maintenance window is precisely managed without manual intervention. This method is designed for granular scheduling, unlike other options that either lack scheduling capability or are intended for different purposes.

Exam trap

The trap here is that candidates confuse the 'commit' command's configuration role with system operations, or assume the GUI 'Restart' button offers scheduling options when it does not, leading them to overlook the CLI's precise scheduling capability.

How to eliminate wrong answers

Option B is wrong because the 'commit' command is used to apply configuration changes, not to schedule a reboot; there is no 'reboot at' option within a commit operation. Option C is wrong because the GUI 'Restart' button initiates an immediate reboot without any scheduling capability, offering no control over timing. Option D is wrong because 'request shutdown system' is used to power off the firewall, not to reboot it, and it also lacks scheduling features.

86
Drag & Drop · medium

Drag and drop the steps to configure a GlobalProtect portal and gateway on a Palo Alto Networks firewall into the correct order.


Why this order

GlobalProtect requires portal, gateway, security policy, assignment, and testing.

87
Multi-Select · easy

Which TWO are best practices for securing management access to a Palo Alto firewall? (Select two)

Select 2 answers
A. Use HTTPS with self-signed certificates
B. Use SNMP v1 for monitoring
C. Use a dedicated management subnet
D. Disable ping on the management interface
E. Restrict management access to specific IP addresses

Answers: C, E

Segregates management traffic from production.

Why this answer

Option C is correct because using a dedicated management subnet (out-of-band management) isolates management traffic from production data traffic, reducing the attack surface and ensuring management access remains available even if the data plane is compromised. This is a foundational security best practice for any network device, including Palo Alto firewalls.

Exam trap

The trap here is that candidates often confuse 'disabling ping' (a minor, non-critical hardening step) with the core best practices of network segmentation and access control, leading them to select Option D instead of the more impactful Options C and E.

88
MCQ · hard

An administrator makes several changes to the firewall configuration and commits. However, after the commit, users report connectivity issues. The administrator wants to revert to the previous configuration quickly without losing the changes that were made earlier in the day but not yet committed. What should the administrator do?

A. Issue the 'revert to last known good configuration' command.
B. Use 'show configuration saved' and copy the previous config.
C. Use the 'commit revert' command to revert to before the problematic commit.
D. Reboot the firewall to load the previous running config.

Answer: C

Correct: This reverts the configuration to the previous state while keeping uncommitted changes in the candidate.

Why this answer

Option C is correct because the 'commit revert' command in Palo Alto Networks firewalls allows an administrator to revert to the previous committed configuration while preserving any uncommitted changes made after that commit. This is exactly the scenario described: the administrator needs to undo a problematic commit without losing the day's work that has not yet been committed.

Exam trap

The trap here is that candidates may confuse 'commit revert' with a simple rollback or reboot, not realizing that Palo Alto Networks specifically preserves uncommitted changes in the candidate configuration when using 'commit revert'.

How to eliminate wrong answers

Option A is wrong because 'revert to last known good configuration' is not a valid command in Palo Alto Networks; the correct mechanism is 'commit revert'. Option B is wrong because 'show configuration saved' displays the configuration that was saved to disk at the last commit, not the running configuration before the problematic commit, and manually copying it would not preserve uncommitted changes. Option D is wrong because rebooting the firewall loads the last committed configuration from disk, which would discard any uncommitted changes made earlier in the day.

89
MCQ · hard

Refer to the exhibit. What is the default gateway of the firewall?

A. 10.0.0.1
B. ethernet1/1
C. 10.0.0.0
D. 0.0.0.0

Answer: A

The default route shows next hop 10.0.0.1.

Why this answer

The default gateway for a firewall is the IP address of the next-hop router that the firewall uses to reach networks not directly connected. In the exhibit, the route with destination 0.0.0.0/0 (the default route) points to next-hop 10.0.0.1, making 10.0.0.1 the default gateway. This is the standard behavior in PAN-OS: the default gateway is defined by the static default route, not by an interface IP.

Exam trap

Palo Alto Networks often tests the distinction between the default route's destination (0.0.0.0/0) and the next-hop IP address, causing candidates to mistakenly select 0.0.0.0 as the gateway.

How to eliminate wrong answers

Option B is wrong because ethernet1/1 is an interface name, not an IP address; the default gateway must be an IP address of a next-hop router. Option C is wrong because 10.0.0.0 is the network address of the subnet, not a usable host address for a gateway. Option D is wrong because 0.0.0.0 is the destination prefix for the default route, not the next-hop gateway address.

90
MCQ · easy

Which of the following is NOT a valid method for upgrading PAN-OS software on a Palo Alto firewall?

A. Using an FTP server
B. Using the CLI
C. Using the Web GUI
D. Using Panorama

Answer: A

FTP is not supported for PAN-OS upgrade.

Why this answer

PAN-OS software upgrades on Palo Alto firewalls are supported via the CLI, the Web GUI, and Panorama. FTP is not a supported method because the firewall's upgrade mechanism relies on HTTP/HTTPS for downloading images from the Palo Alto Networks update server or a local web server; the FTP protocol is not implemented in the upgrade process.

Exam trap

The trap here is that candidates may assume FTP is a valid method because it is a common file transfer protocol, but Palo Alto Networks explicitly does not support FTP for PAN-OS upgrades, only HTTP/HTTPS-based downloads.

How to eliminate wrong answers

Option B is wrong because the CLI is a valid upgrade method using commands like 'request system software upgrade'. Option C is wrong because the Web GUI provides a graphical interface under Device > Software to download and install updates. Option D is wrong because Panorama can push PAN-OS upgrades to managed firewalls via the 'Software' tab in the Device Group or Template context.

91
Multi-Select · easy

An administrator wants to configure SNMP traps to send critical events from a firewall to a receiver at 192.168.1.100. Which TWO configuration objects must be created? (Choose two.)

Select 2 answers
A. Log forwarding profile
B. Email server profile
C. SNMP server profile for traps
D. Syslog server profile
E. SNMP manager object

Answers: A, C

Correct: Selects which logs generate traps.

Why this answer

Option A is correct because a Log Forwarding Profile on a Palo Alto Networks firewall is the configuration object that defines how logs and SNMP traps are sent to external receivers. It allows you to specify the SNMP trap receiver (e.g., 192.168.1.100) and the severity level (e.g., critical) for forwarding events. Option C is correct because an SNMP Server Profile for traps must be created to define the SNMP version, community string, and trap destination, which is then referenced by the Log Forwarding Profile.

Exam trap

The trap here is that candidates often confuse SNMP trap configuration with syslog or email profiles, or mistakenly think a single 'SNMP manager' object is sufficient, when Palo Alto Networks requires both a Log Forwarding Profile and an SNMP Server Profile to be created and linked.

92
MCQ · easy

An administrator configured NTP servers as shown. After committing, the firewall's time is not synchronized. Which additional configuration is required?

A. Configure an authentication key
B. Set time zone manually
C. Enable NTP service under Device > Setup > Services
D. Specify a source interface for NTP
E. Restart NTP service

Answer: C

The NTP service must be enabled to allow synchronization.

Why this answer

Option C is correct because the NTP service must be explicitly enabled on the firewall under Device > Setup > Services before it will synchronize time with any configured NTP servers. Without enabling the NTP service, the firewall ignores the NTP server configuration entirely, even if the servers are reachable and correctly specified.

Exam trap

The trap here is that candidates assume simply configuring NTP server IP addresses under Device > Setup > NTP is sufficient, but Palo Alto Networks requires an explicit enable step under Device > Setup > Services to activate the NTP client service.

How to eliminate wrong answers

Option A is wrong because authentication keys are optional for NTP and are only required if the NTP servers enforce authentication; the question does not indicate that authentication is needed. Option B is wrong because setting the time zone manually is a separate configuration step that does not affect NTP synchronization; NTP synchronizes UTC time, and the time zone is applied afterward. Option D is wrong because specifying a source interface for NTP is optional and only needed when the firewall has multiple interfaces and you want to control which IP address is used for NTP packets; it is not a prerequisite for synchronization.

Option E is wrong because restarting the NTP service is unnecessary if the service has never been enabled; the service must first be turned on before it can be restarted.

93
MCQ · medium

A company requires automatic daily backups of the firewall configuration. Which method should be used?

A. Backup the config using TFTP from the CLI
B. Schedule a configuration backup under Device > Setup > Operations
C. Write a script using the PAN-OS API to copy the running config
D. Use the 'Export Device State' feature manually

Answer: B

Scheduled configuration backups are built-in under Device > Setup > Operations.

Why this answer

Option B is correct because the PAN-OS web interface provides a built-in scheduler under Device > Setup > Operations that allows administrators to automate daily configuration backups without external scripts or manual intervention. This method is the simplest and most reliable way to ensure consistent backups, as it leverages the firewall's native scheduling capability.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing API scripting or manual export, failing to recognize that PAN-OS includes a native, straightforward scheduling mechanism for configuration backups that meets the requirement without additional complexity.

How to eliminate wrong answers

Option A is wrong because TFTP is not a secure protocol and is not recommended for automated daily backups; it also requires an external TFTP server and manual CLI commands, lacking native scheduling. Option C is wrong because writing a script using the PAN-OS API is a valid but unnecessarily complex method for a simple daily backup requirement, and it introduces potential scripting errors and maintenance overhead. Option D is wrong because the 'Export Device State' feature is a manual operation that requires administrator intervention each time, making it unsuitable for automatic daily backups.

94
Multi-Select · easy

A network administrator needs to configure certificate-based authentication for administrative access to the firewall's web interface. Which two actions are required?

Select 2 answers
A. Generate a self-signed server certificate on the firewall.
B. Create a local user with a certificate profile.
C. Import a CRL from the issuing CA.
D. Import a CA-signed certificate for the firewall.
E. Assign the certificate to the HTTPS management interface.

Answers: D, E

A CA-signed certificate is needed for trusted HTTPS access.

Why this answer

For certificate-based authentication of administrative access to the firewall's web interface, you must import a CA-signed certificate for the firewall (Option D) because the browser must trust the certificate presented by the firewall during the TLS handshake. Additionally, you must assign that certificate to the HTTPS management interface (Option E) so the firewall uses it for TLS sessions on the management web interface.

Exam trap

The trap here is that candidates confuse server certificate configuration (for the firewall's web interface) with client certificate authentication (for user login), leading them to select options like creating a local user with a certificate profile instead of focusing on the server-side certificate assignment.

95
MCQ · medium

A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?

A. Search Traffic logs with filters for source 10.1.1.100 and destination 192.168.2.10
B. Search Threat logs for the destination IP
C. Search Config logs for any rule changes
D. Search System logs for the user's IP

Answer: A

Traffic logs show the action (allow/deny/drop) for each session, and filtering by IPs narrows down the specific session.

Why this answer

Traffic logs capture every session that passes through the firewall, including allowed and denied connections. By filtering for the specific source IP (10.1.1.100) and destination IP (192.168.2.10), the administrator can quickly see the exact session details, including the action taken (e.g., deny, drop) and the reason (e.g., no matching rule, application override). This is the most direct method to identify why traffic is being blocked when no explicit deny rule exists.

Exam trap

The trap here is that candidates may assume a block must be due to a threat or misconfiguration, leading them to check Threat or Config logs, but the correct approach is to examine Traffic logs where the firewall records all session dispositions, including implicit denials.

How to eliminate wrong answers

Option B is wrong because Threat logs record intrusion prevention system (IPS) and antivirus events, not basic traffic denials; a block due to missing rules would not appear there. Option C is wrong because Config logs track administrative changes to the firewall configuration, not real-time traffic decisions; they would not show why current traffic is blocked. Option D is wrong because System logs contain system-level events (e.g., reboots, license expirations) and do not include per-session traffic details; they cannot reveal why a specific flow is denied.

96
MCQ · easy

Refer to the exhibit. A firewall administrator is reviewing a Panorama template configuration. What is the purpose of the 'profile' statement under the interface?

A. It applies a security rule.
B. It applies a QoS profile.
C. It applies a Zone Protection profile.
D. It applies an interface management profile.

Answer: D

Correct: The 'profile' under an interface refers to the management profile that defines allowed services (like ping, SSH).

Why this answer

The 'profile' statement under an interface in Panorama template configuration is used to apply an interface management profile. This profile controls which management services (e.g., HTTPS, SSH, SNMP, ping) are permitted on that interface, thereby securing administrative access. It does not apply security rules, QoS, or zone protection, which are configured elsewhere.

Exam trap

The trap here is that candidates often confuse the 'profile' statement with a security profile (like Anti-Virus or Vulnerability Protection) or a Zone Protection profile, but in the context of interface configuration, it specifically refers to the interface management profile that controls administrative access.

How to eliminate wrong answers

Option A is wrong because security rules are applied via Security policy rules in Panorama, not through an interface's 'profile' statement. Option B is wrong because QoS profiles are configured under the QoS policy or interface QoS settings, not via the 'profile' statement under the interface. Option C is wrong because Zone Protection profiles are applied to zones, not directly to interfaces; the 'profile' statement under the interface specifically refers to management access control.

97
Drag & Dropmedium

Drag and drop the steps to configure a security policy on a Palo Alto Networks firewall into the correct order.


Why this order

Security policies are configured by first defining zones, then addresses, then application/service, then action, and finally committing.

98
MCQmedium

Refer to the exhibit. What is the PAN-OS version running on the firewall?

A.10.2.0
B.10.1.0
C.9.1.0
D.10.0.0
AnswerA

The output clearly shows sw-version: 10.2.0.

Why this answer

The PAN-OS version is read directly from the full version string displayed in the CLI output (e.g., '10.2.0'). In the exhibit, the firewall shows '10.2.0', which corresponds to PAN-OS 10.2.0. This is the correct version because the CLI command 'show system info' or the GUI dashboard displays the exact software version installed.

Exam trap

The trap here is that candidates may confuse the major version (e.g., 10) with the full version string, overlooking the minor version digit (e.g., .2) and selecting a wrong but similar-sounding version like 10.0.0 or 10.1.0.

How to eliminate wrong answers

Option B (10.1.0) is wrong because the version string in the exhibit explicitly shows '10.2.0', not '10.1.0', which would indicate a different feature release. Option C (9.1.0) is wrong because that version would display as '9.1.0' in the output, and the exhibit shows a higher major version (10.x). Option D (10.0.0) is wrong because the version string is '10.2.0', not '10.0.0'; the second digit (minor version) differs, indicating a different feature release.

99
MCQeasy

An administrator configures log forwarding to send traffic logs to a syslog server. After applying the log forwarding profile to the security policy, logs are not appearing at the syslog server. The administrator verifies that the syslog server is reachable from the firewall's management IP by using ping, and that the syslog service is running on the server. What is the most likely cause?

A.The security policy matching the traffic does not have logging enabled.
B.The firewall's data port IP is not used for logging.
C.The syslog server is not configured in the Server Profiles.
D.The log forwarding profile is not committed.
AnswerC

The server profile must exist before it can be referenced.

Why this answer

Option C is correct because log forwarding in Palo Alto Networks firewalls requires a syslog server profile to be configured under Device > Server Profiles > Syslog. Without this profile, the firewall has no destination address or port to send logs to, even if the syslog server is reachable via ping. The log forwarding profile references the server profile; if the server profile is missing or misconfigured, logs will not be forwarded.

Exam trap

The trap here is that candidates assume reachability (ping) and a running syslog service are sufficient, overlooking the mandatory server profile configuration that ties the log forwarding profile to an actual syslog destination.

How to eliminate wrong answers

Option A is wrong because the question states that the log forwarding profile was applied to the security policy, which implies logging is enabled at the policy level (logging at session end is a prerequisite for forwarding). Option B is wrong because log forwarding uses the firewall's management plane (management IP) by default, not the data port IP; the data port IP is irrelevant for syslog forwarding. Option D is wrong because the administrator applied the profile after configuring it, and the question does not mention any pending changes; if the profile were not committed, the firewall would typically show an uncommitted change indicator, but the core issue is the missing server profile, not a commit state.

100
MCQmedium

After a new zero-day exploit is discovered, a firewall must receive the latest threat prevention signature immediately. What is the most effective method to ensure the firewall gets the update as soon as it is released?

A.Subscribe to the WildFire cloud and rely on updates.
B.Set the content update schedule to check every minute.
C.Manually download the latest content from the support portal and upload via CLI.
D.Enable 'automatic download' for the threat prevention content and set the schedule to 'check now'.
AnswerD

Correct: This triggers an immediate download of the latest content.

Why this answer

Option D is correct because enabling 'automatic download' for threat prevention content and setting the schedule to 'check now' forces the firewall to immediately contact the update server (typically Palo Alto Networks' update portal) and download the latest signature package. This method leverages the built-in content update mechanism, which is designed to retrieve and install updates as soon as they are released, without waiting for a scheduled interval or manual intervention.

Exam trap

The trap here is that candidates often confuse WildFire cloud subscription (option A) with automatic content delivery, not realizing that WildFire generates signatures but the firewall must still be configured to download them via the content update mechanism.

How to eliminate wrong answers

Option A is wrong because subscribing to the WildFire cloud provides cloud-based analysis and signature generation, but it does not automatically push signatures to the firewall; the firewall must still be configured to download the content updates. Option B is wrong because setting the content update schedule to check every minute is not supported; the minimum check interval is typically 15 minutes, and even then, it only checks at that interval, not immediately upon release. Option C is wrong because manually downloading from the support portal and uploading via CLI is a reactive, time-consuming process that introduces delay and requires human intervention, making it unsuitable for immediate updates.

101
MCQmedium

A security analyst notices that a legitimate application is being incorrectly identified as a different application by the firewall. What is the best first step to resolve this issue?

A.Reboot the firewall to refresh the application cache
B.Disable the application override and use port-based rules
C.Verify the application signature in the App-ID database and submit a false-positive report if needed
D.Create a custom App-ID to override the incorrect identification
AnswerC

The correct first step is to check the current App-ID signature and report any false positives to Palo Alto Networks.

Why this answer

Option C is correct because the first step in resolving an application misidentification is to verify the application signature in the App-ID database. If the signature is incorrect or missing, submitting a false-positive report allows Palo Alto Networks to update the database, ensuring accurate identification without manual overrides. This aligns with the principle of using the built-in App-ID engine as the primary identification method.

Exam trap

The trap here is that candidates may think creating a custom App-ID is the quickest fix, but the exam emphasizes that the proper workflow is to first verify the database and report false positives, as custom overrides bypass the automated identification process and can lead to security gaps.

How to eliminate wrong answers

Option A is wrong because rebooting the firewall does not refresh the application cache in a way that fixes signature-based misidentification; the cache is rebuilt from the same App-ID database, so the error persists. Option B is wrong because disabling the application override and using port-based rules defeats the purpose of App-ID, reducing security by relying on port numbers that can be easily spoofed. Option D is wrong because creating a custom App-ID should be a last resort after verifying the database and submitting a false-positive report, as it adds administrative overhead and may not align with the official signature.

102
MCQmedium

An administrator notices that the firewall's time is incorrect. Based on the exhibit, what is the most likely cause?

A.DNS proxy is running
B.Management service is down
C.SNMP is running
D.Syslog is running
E.NTP service is stopped
AnswerE

NTP must be running for time sync.

Why this answer

The firewall's time is incorrect because the NTP service is stopped. NTP (Network Time Protocol) is responsible for synchronizing the system clock with an external time source. Without NTP, the firewall relies on its internal hardware clock, which can drift over time, leading to an incorrect time.

Exam trap

The trap here is that candidates may confuse services like DNS, SNMP, or Syslog with time synchronization, but only NTP directly manages the system clock.

How to eliminate wrong answers

Option A is wrong because DNS proxy resolves domain names to IP addresses and does not affect system time synchronization. Option B is wrong because the management service being down would prevent administrative access, but it does not directly cause time drift. Option C is wrong because SNMP is used for network monitoring and management, not for time synchronization.

Option D is wrong because Syslog is used for logging system events, not for setting or maintaining the system clock.

103
MCQhard

A company has two Palo Alto Networks firewalls in an active/passive HA pair (PA-5250) running PAN-OS 10.1. The HA configuration uses dedicated HA1 (control link) and HA2 (data link) interfaces. The network team recently replaced a failed switch that connected the HA1 interfaces. After the switch replacement, the HA pair is not forming. The administrator logs into the active firewall and runs 'show high-availability state' which shows the local state as 'active' and the peer state as 'unknown'. The HA1 interface status shows 'link down'. The administrator checks the physical connections and confirms the cables are connected and the switch ports are up. What is the most likely cause and the best course of action?

A.Ensure that the HA2 interfaces are also connected and configured correctly
B.Change the HA2 IP addresses to be on the same subnet as HA1
C.Enable HA ping on the HA1 interface to test connectivity
D.Verify that the HA1 interfaces are on the same VLAN and can ping each other using the configured HA1 IP addresses
AnswerD

HA1 interfaces must have layer 3 connectivity. A switch replacement may have changed VLAN assignments, breaking the link.

Why this answer

The correct answer is D because the HA1 interfaces must be on the same Layer 2 domain (VLAN) and able to communicate via ICMP to form the control link. The 'link down' status on the HA1 interface, despite physical connectivity, indicates a Layer 2 misconfiguration (e.g., VLAN mismatch or port mode issue) on the replaced switch. Verifying that the HA1 IP addresses can ping each other confirms Layer 3 reachability, which is essential for HA1 heartbeats and state synchronization.

Exam trap

The trap here is that candidates assume 'link down' always means a physical cable issue, but in PAN-OS HA, it can also indicate a Layer 2 misconfiguration on the switch (e.g., VLAN mismatch or port mode), and the correct first step is to verify Layer 2 and Layer 3 connectivity rather than checking HA2 or enabling nonexistent features.

How to eliminate wrong answers

Option A is wrong because the HA2 data link is not required for HA pair formation; HA1 alone handles control traffic and heartbeat, and the issue is specifically with HA1 being 'link down'. Option B is wrong because HA1 and HA2 IP addresses are intentionally on different subnets (HA1 for control, HA2 for data synchronization) and must not be on the same subnet; changing them would break the HA design. Option C is wrong because 'HA ping' is not a configurable feature on PAN-OS; the HA1 interface uses Layer 2 keepalives and Layer 3 heartbeats, and enabling ping is not a troubleshooting step—the administrator should verify Layer 2 connectivity and IP reachability directly.

104
MCQeasy

For a firewall to communicate with Panorama for centralized management, which requirement must be met?

A.Panorama must be reachable via the management interface
B.Both A and B are required
C.A service route must be configured for Panorama
D.A valid license for Panorama management is required
AnswerA

The firewall's management interface must have IP connectivity to Panorama.

Why this answer

For a firewall to communicate with Panorama for centralized management, the Panorama server must be reachable via the firewall's dedicated management interface (MGT). This is because the management interface is the default source for all management-plane traffic, including Panorama communications, unless explicitly overridden by a service route. Without reachability through this interface, the firewall cannot establish the required HTTPS or SSH connections to Panorama.

Exam trap

The trap here is that candidates often confuse the optional service route configuration as a mandatory requirement, or mistakenly think a special Panorama license is needed, when in fact the only fundamental requirement is IP reachability from the management interface.

How to eliminate wrong answers

Option B is wrong because it states 'Both A and B are required,' but option B itself is not a valid standalone requirement; the correct answer is only A. Option C is wrong because a service route is not a mandatory requirement for Panorama communication; it is an optional configuration used to redirect management traffic to a dataplane interface when the management interface is not suitable. Option D is wrong because no specific license is required for Panorama management; the firewall only needs a valid base license (e.g., for the firewall itself) and Panorama connectivity is a built-in capability.

105
MCQhard

Refer to the exhibit. An administrator runs 'show system resources' on a PA-500 firewall experiencing performance issues. Based on the output, what is the most likely cause?

A.Disk space on system partition critically low
B.High CPU usage on management plane
C.Memory exhaustion on dataplane
D.Logging partition full causing log write failures
AnswerD

Correct: A full logging partition can severely impact performance and log collection.

Why this answer

The 'show system resources' output on a PA-500 firewall indicates that the logging partition is full, which directly causes log write failures. This is a common performance issue because when the logging partition reaches capacity, the firewall cannot write new logs, leading to system instability and performance degradation. Option D is correct because the output explicitly shows the logging partition at 100% utilization.

Exam trap

The trap here is that candidates often focus on CPU or memory usage as the primary cause of performance issues, overlooking the critical impact of a full logging partition, which is a common and specific failure mode on Palo Alto firewalls.

How to eliminate wrong answers

Option A is wrong because the system partition (/) shows 24% usage, which is not critically low and would not cause immediate performance issues. Option B is wrong because the management plane CPU usage is at 12%, which is well within normal operating ranges and not indicative of high CPU load. Option C is wrong because memory exhaustion on the dataplane is not indicated; the output shows memory usage at 45%, which is not critically high, and the dataplane memory is separate from the management plane memory shown here.

106
MCQeasy

A company runs a pair of PA-5250 firewalls in active/passive HA controlling the production data center (10 Gbps traffic). The security team needs to upgrade from PAN-OS 10.0 to 10.2 to fix several critical CVEs. The team has a maintenance window of four hours. The lead engineer suggests performing the upgrade in the following order: 1. Download and install the upgrade on the passive firewall, 2. Commit after install, 3. Perform a non-disruptive failover to make the passive active, 4. Upgrade the new passive (former active), 5. Fail back to the original active. A junior engineer points out that the passive firewall takes 30 minutes to boot and join the HA pair after upgrade. The maintenance window is only four hours. What should the team do to ensure the upgrade completes within the window?

A.Upgrade both firewalls simultaneously during the window to save time.
B.Use the 'request high-availability sync-to-remote' command to speed up the upgrade.
C.Pre-stage the software download on both firewalls before the maintenance window begins.
D.Perform the upgrade as planned, but skip the final fail-back to save 15 minutes.
AnswerC

Pre-staging download saves significant time.

Why this answer

Option C is correct because pre-staging the software download on both firewalls before the maintenance window eliminates the time required for the download step, which can be significant over a WAN or slow management connection. This allows the team to focus the four-hour window solely on the installation, reboot, and HA synchronization steps, which are the time-critical components. Since the passive firewall takes 30 minutes to boot and join the HA pair, pre-staging ensures the download (which could take 30–60 minutes or more) does not consume valuable window time.

Exam trap

The trap here is that candidates assume the download step is negligible or can be performed during the window, but they fail to account for the cumulative time of downloads, reboots, and HA synchronization, which can easily exceed a four-hour window without pre-staging.

How to eliminate wrong answers

Option A is wrong because upgrading both firewalls simultaneously in an active/passive HA pair would cause a split-brain scenario or service disruption, as the active firewall would reboot during the upgrade, dropping all production traffic. Option B is wrong because the 'request high-availability sync-to-remote' command is used to synchronize configuration and session state from the active to the passive firewall, not to speed up the software upgrade process; it does not affect download or installation times. Option D is wrong because skipping the final fail-back does not save enough time (only 15 minutes) to compensate for the 30-minute boot time of the passive firewall, and the upgrade still requires the full sequence of steps including the second firewall’s installation and reboot, which would exceed the four-hour window.

107
MCQhard

During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?

A.Reboot the firewall to clear the pending commit
B.Run 'commit force yes' from the CLI to force the commit
C.Wait for the commit to complete automatically
D.Cancel the upgrade and restart
AnswerB

Forcing the commit will complete or abort the pending commit, clearing the block.

Why this answer

Option B is correct because the 'commit force yes' command overrides a stuck or incomplete commit by forcing the commit operation to proceed, which clears the pending commit state and allows the upgrade to continue. In PAN-OS, a pending commit blocks administrative operations like upgrades, and forcing the commit is the safest way to resolve this without disrupting the firewall's operational state.

Exam trap

The trap here is that candidates may assume a reboot is a safe generic fix for any stuck operation, but in PAN-OS, rebooting does not resolve a pending commit and can cause configuration corruption, whereas 'commit force yes' is the intended recovery command.

How to eliminate wrong answers

Option A is wrong because rebooting the firewall does not clear a pending commit; it may leave the configuration in an inconsistent state and could cause the firewall to boot with an incomplete commit, potentially leading to configuration loss or instability. Option C is wrong because if the commit has not completed and appears stuck, waiting indefinitely is not a reliable solution; the commit may be hung due to a system issue and will not complete automatically. Option D is wrong because canceling the upgrade and restarting does not address the underlying pending commit; the commit must be resolved first, and simply restarting the upgrade process will encounter the same error.

108
Matchingmedium

Match each Palo Alto Networks feature to its category.

Concepts

Threat Prevention

Decryption

User-ID

App-ID

Why these pairings

These features belong to different security categories.

109
Multi-Selecthard

Which THREE are required for Panorama to manage a firewall? (Select three)

Select 3 answers
A.A valid Panorama license
B.Panorama plugin installed on the firewall
C.Certificate-based mutual authentication (or pre-shared key)
D.Template and device group configuration in Panorama
E.Management IP reachability between Panorama and the firewall
AnswersC, D, E

Authentication is mandatory for secure communication.

Why this answer

Option C is correct because Panorama and managed firewalls must establish a secure, authenticated connection using either certificate-based mutual authentication or a pre-shared key. This ensures that only authorized firewalls can register with Panorama and receive configuration updates, preventing unauthorized devices from joining the management domain.

Exam trap

The trap here is that candidates often assume a Panorama license is required on the firewall itself, but the license is only needed on Panorama, not on the managed firewall.

110
MCQhard

A company purchases a new PA-410 firewall and installs it in a branch office. After configuring basic network settings, the administrator attempts to install the threat prevention license. The firewall is connected to the internet via a NAT device. The administrator registers the firewall with the Palo Alto Networks support portal using the serial number. The license is successfully added to the account. However, when checking the firewall's license status via the web interface, it shows 'Authentication Failed' for the license. The administrator can ping a well-known DNS server from the firewall's management IP. What is the most likely cause?

A.The license is not yet activated on the support portal.
B.The management interface is configured with the wrong DNS server.
C.The firewall cannot reach the Palo Alto Networks update server due to a firewall rule blocking HTTPS outbound.
D.The firewall's clock is not synchronized, causing authentication failure.
AnswerD

Time mismatch causes certificate validation failure.

Why this answer

The 'Authentication Failed' error for a license on a Palo Alto Networks firewall typically indicates a certificate or time-stamp validation issue. Since the firewall can reach the internet (pinging a DNS server works) and the license is already added to the support portal, the most likely cause is that the firewall's system clock is not synchronized. Palo Alto Networks license validation relies on accurate time to verify the certificate chain and license expiry; an unsynchronized clock causes the SSL/TLS handshake to fail, resulting in an authentication failure.

Exam trap

The trap here is that candidates assume 'Authentication Failed' means a credential or portal registration issue, but it actually points to a time synchronization problem, which is a subtle but critical dependency for certificate-based license validation.

How to eliminate wrong answers

Option A is wrong because the license was successfully added to the account on the support portal, so activation is not the issue. Option B is wrong because the administrator can ping a well-known DNS server, which confirms DNS resolution is working; a wrong DNS server would prevent name resolution, not cause an authentication failure. Option C is wrong because the firewall can ping a DNS server (which requires outbound traffic), and HTTPS outbound is typically allowed through a NAT device; a firewall rule blocking HTTPS would prevent all internet connectivity, not just license authentication.

111
MCQeasy

Which license is required for the firewall to use URL filtering?

A.DNS Security
B.GlobalProtect
C.URL Filtering
D.WildFire
E.Threat Prevention
AnswerC

Specifically licenses URL filtering capabilities.

Why this answer

URL filtering requires a dedicated URL Filtering license on Palo Alto Networks firewalls to enable the firewall to query the PAN-DB cloud or use a locally installed URL database for categorizing URLs. Without this license, the firewall cannot perform URL-based access control, even if other security subscriptions like Threat Prevention or WildFire are active.

Exam trap

The trap here is that candidates often assume Threat Prevention or WildFire includes URL filtering, but Palo Alto Networks separates these as distinct subscriptions, and only the URL Filtering license enables URL categorization and policy enforcement.

How to eliminate wrong answers

Option A is wrong because DNS Security is a separate subscription that provides protection against DNS-based threats, not URL categorization. Option B is wrong because GlobalProtect is a license for remote access VPN and mobile security, not for URL filtering. Option D is wrong because WildFire is a threat analysis service for unknown files and links, not for URL categorization.

Option E is wrong because Threat Prevention covers IPS, antivirus, and anti-spyware, but does not include URL filtering functionality.

112
MCQhard

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

A.Interzone-default
B.Intrazone-default
C.Rule 2 (Allow-HR)
D.Rule 1 (Allow-Sales)
AnswerD

Source and destination match, but the application (ssl) and service (tcp-443) do not match ms-sql/tcp-1433, so the rule does not allow the traffic.

Why this answer

Option D (Rule 1 – Allow-Sales) is correct because the user at 10.1.1.50 is in the Sales zone, and the destination 192.168.1.100 is in the Servers zone. The traffic log shows no entries, meaning the traffic is being matched and allowed by a rule before it can be logged. Rule 1 explicitly permits traffic from Sales to Servers on TCP port 443, so it matches this interzone traffic and allows it, generating a log entry only if logging is enabled on that rule.

Exam trap

Palo Alto Networks often tests the misconception that a missing log entry means the traffic is dropped by the default rule, but the trap here is that the traffic is actually matched and allowed by an earlier rule (Rule 1) that may have logging disabled, so no log entry appears.

How to eliminate wrong answers

Option A (Interzone-default) is wrong because the interzone-default rule is a catch-all deny rule that only matches traffic not matched by any explicit security rule; since Rule 1 matches this traffic, the interzone-default rule is never evaluated. Option B (Intrazone-default) is wrong because intrazone-default rules apply only to traffic within the same zone, but the source (10.1.1.50 in Sales) and destination (192.168.1.100 in Servers) are in different zones, making this an interzone flow. Option C (Rule 2 – Allow-HR) is wrong because Rule 2 is configured to allow traffic from the HR zone, not the Sales zone; the source IP 10.1.1.50 belongs to Sales, so Rule 2 does not match.

113
MCQeasy

Refer to the exhibit. What is the effect of this configuration?

A.The firewall allows ping traffic through all interfaces.
B.The management profile allows SSH access.
C.The firewall responds to pings on the management interface.
D.The firewall cannot ping others.
AnswerC

The 'allow-ping' profile enables ICMP responses on management.

Why this answer

The configuration shown is a management profile applied to an interface. The 'ping' service is enabled under the management profile, which allows the firewall to respond to ICMP echo requests (pings) on that specific interface. This does not permit transit ping traffic through the firewall, nor does it enable SSH or allow the firewall to initiate pings.

Therefore, option C is correct.

Exam trap

Palo Alto Networks often tests the confusion between management plane services (like ping to the firewall) and data plane transit traffic (like ping through the firewall), leading candidates to incorrectly assume a management profile affects traffic forwarding.

How to eliminate wrong answers

Option A is wrong because the management profile only controls services for the firewall's own interface, not transit traffic; ping traffic through the firewall requires a security policy rule, not a management profile. Option B is wrong because the management profile shown does not list SSH as an enabled service; only ping is enabled. Option D is wrong because the configuration does not restrict the firewall from initiating outbound pings; it only controls responses to pings received on that interface.

114
Drag & Dropmedium

Drag and drop the steps to perform a factory reset on a Palo Alto Networks firewall into the correct order.


Why this order

Factory reset requires backup, CLI access, reset command, confirmation, and reboot.

115
MCQhard

An administrator sees this log repeatedly. Which configuration change will allow 10.0.0.1 to access the management interface?

A.Enable HTTP on the management interface
B.Add 10.0.0.1 to the allowed IP list in the management profile
C.Disable management access restriction
D.Change the management interface to a different IP
E.Create a security policy allowing HTTP from 10.0.0.1
AnswerB

This will permit the IP to access the management interface.

Why this answer

The log indicates that the management interface is rejecting access attempts from 10.0.0.1 due to an IP-based access restriction. By adding 10.0.0.1 to the allowed IP list within the management profile, the administrator explicitly permits that host to reach the management interface, resolving the repeated denial.

Exam trap

The trap here is that candidates confuse data-plane security policies with management-plane access controls, assuming a security policy can permit management interface access when in fact only the management profile's allowed IP list governs such access.

How to eliminate wrong answers

Option A is wrong because enabling HTTP on the management interface does not bypass IP-based access controls; it only enables the service, but the source IP would still be blocked by the management profile. Option C is wrong because disabling management access restriction entirely would expose the interface to all IPs, which is a security risk and not the intended minimal change. Option D is wrong because changing the management interface IP does not affect the source IP restriction; 10.0.0.1 would still be denied unless its IP is added to the allowed list.

Option E is wrong because security policies control data-plane traffic, not management-plane access; management interface access is governed by management profiles, not firewall rules.

116
MCQhard

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

A.The HA2 link is down or misconfigured
B.The HA keepalive timer is misconfigured
C.The passive firewall has preemption enabled
D.The PAN-OS versions are different between the HA peers
AnswerD

HA peers must run the same PAN-OS version for sync.

Why this answer

PAN-OS requires both HA peers to run the same major version to synchronize configuration and state. The active firewall at PAN-OS 10.0 and the passive at 10.1 are incompatible, preventing HA synchronization. Even though the passive firewall was upgraded, the active firewall remains on the older version, breaking the HA session.

Exam trap

The trap here is that candidates may focus on connectivity or timer issues (options A or B) rather than recognizing that PAN-OS enforces strict version matching for HA synchronization, even if the passive firewall is upgraded correctly.

How to eliminate wrong answers

Option A is wrong because an HA2 link issue would cause a loss of heartbeat and configuration synchronization, but the question states the passive firewall fails to synchronize after an upgrade, not a link failure. Option B is wrong because the HA keepalive timer controls heartbeat intervals, not version compatibility; a misconfigured timer would cause flapping or timeout, not a persistent sync failure. Option C is wrong because preemption controls which firewall becomes active after a failure, not synchronization; it would not prevent the passive from syncing with the active.
