CCNA Core Concepts Questions

50 questions · Core Concepts · All types, answers revealed

1
MCQ · hard

A firewall administrator is troubleshooting a scenario where outbound HTTPS traffic to a specific website is being blocked. The security rule allows application 'ssl' and service 'application-default'. The URL Filtering profile blocks the category 'hacking'. The administrator confirms the destination URL falls under 'hacking' category. Which action should be taken to allow the traffic while maintaining security?

A.Change the service to TCP/443 and allow all applications
B.Remove the URL Filtering profile from the security rule
C.Add a new URL Filtering profile override rule that allows the specific URL and place it above the category block
D.Change the URL Filtering action for 'hacking' category to 'allow'
Answer: C

URL Filtering profiles let you list specific URLs (or a custom URL category) that are matched before the predefined categories, so a single site can be allowed while its category stays blocked.

Why this answer

Option C is correct: an entry that allows the specific URL is evaluated before the 'hacking' category action, so only that site is permitted and the rest of the category stays blocked. Option A is wrong because switching to a port-based service and allowing all applications widens the rule without addressing the block; the URL Filtering profile still applies. Option B is wrong because removing the profile removes URL protection from every site the rule covers.

Option D is wrong because allowing the whole 'hacking' category opens every site in it, not just the one that is needed.

2
MCQ · medium

Users report that some internal services are not accessible when connected via VPN, but they work when on the local network. The firewall has a policy allowing all traffic from the VPN zone to the internal zone. What should the administrator check first?

A.Check if SSL decryption is breaking the traffic.
B.Check if there are NAT rules that affect the VPN zone traffic, such as missing reverse NAT.
C.Check if the zone protection profile is dropping traffic.
D.Check if the security policy rule order is correct.
Answer: B

Internal servers are often reachable only through NAT, and VPN traffic needs matching NAT rules so that return traffic is translated correctly.

Why this answer

Option B is correct. NAT rules can break VPN access when return traffic is not handled, for example when a destination NAT applies only to traffic arriving from a specific zone and the VPN zone is not included, or when replies from the server do not route back through the firewall. Option D is wrong because the policy already allows all VPN-to-internal traffic.

Option C is wrong because zone protection profiles are unlikely to cause a failure that affects only some services. Option A is wrong because SSL decryption is usually applied to outbound internet traffic, not to internal service access.

3
MCQ · medium

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

A.A DDoS attack is flooding the firewall with SYN packets.
B.An application on the internal network is not completing TCP handshakes.
C.The firewall's TCP timeout setting is too short.
D.The firewall's hardware is failing.
Answer: B

Half-open connections indicate incomplete handshakes, likely due to application failure.

Why this answer

A high number of half-open TCP connections indicates that SYN packets are received but the three-way handshake is never completed. Option B is correct because an internal application that fails to send the final ACK (or does not respond to SYN-ACK) leaves connections in a half-open state, consuming firewall resources and degrading performance.

Exam trap

The trap here is that candidates often associate high half-open connections exclusively with DDoS SYN floods, but the question specifically asks for a 'likely cause' given the context of a performance issue, and an internal application misbehavior is a common real-world scenario that does not require an attack.

How to eliminate wrong answers

Option A is wrong because a DDoS SYN flood would generate a massive volume of SYN packets, but the firewall's SYN flood protection mechanisms (e.g., SYN cookies, max-session limits) would typically mitigate this; the question describes an unusually high number of half-open connections, not necessarily a flood. Option C is wrong because a TCP timeout that is too short would cause connections to be torn down prematurely, reducing half-open counts, not increasing them. Option D is wrong because hardware failure would likely cause erratic behavior, packet loss, or complete outage, not a specific increase in half-open TCP connections.
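An added example (not from the original page, and not a PAN-OS tool) that shows the check behind this question: given a session listing, decide whether the half-open connections come from one internal client that never completes the handshake or from many distinct sources. The column layout, the OPENING state label, the internal address ranges and both sample listings are constructed assumptions, not the firewall's real output.

```python
"""Triage of half-open TCP sessions: one misbehaving internal client, or a flood?

Added example for this page, not PAN-OS code. The session listing format,
the state label and the sample data are constructed assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed columns: id  src:port  dst:port  state  app
LINE = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")
HALF_OPEN_STATE = "OPENING"   # assumed label for 'SYN seen, handshake not completed'

# Constructed: one internal client retrying the same server and never finishing.
SAMPLE_APP = """\
2001 10.1.20.15:51010 203.0.113.8:8443 OPENING tcp
2002 10.1.20.15:51011 203.0.113.8:8443 OPENING tcp
2003 10.1.20.15:51012 203.0.113.8:8443 OPENING tcp
2004 10.1.20.15:51013 203.0.113.8:8443 OPENING tcp
2005 10.1.20.15:51014 203.0.113.8:8443 OPENING tcp
2006 10.1.20.15:51015 203.0.113.8:8443 OPENING tcp
2007 10.1.20.16:49200 93.184.216.34:443 ACTIVE ssl
2008 10.1.20.17:49310 93.184.216.34:443 ACTIVE ssl
"""

# Constructed: many distinct external sources, one SYN each, same target.
SAMPLE_FLOOD = """\
3001 198.51.100.11:40001 203.0.113.20:443 OPENING tcp
3002 198.51.100.12:40002 203.0.113.20:443 OPENING tcp
3003 198.51.100.13:40003 203.0.113.20:443 OPENING tcp
3004 198.51.100.14:40004 203.0.113.20:443 OPENING tcp
3005 198.51.100.15:40005 203.0.113.20:443 OPENING tcp
3006 198.51.100.16:40006 203.0.113.20:443 OPENING tcp
3007 10.1.20.16:49200 93.184.216.34:443 ACTIVE ssl
"""


def parse_sessions(text):
    """Parse the assumed listing into dicts; lines that do not fit are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sid, src, _sport, dst, dport, state, app = m.groups()
        sessions.append({"id": int(sid), "src": src, "dst": dst,
                         "dport": int(dport), "state": state, "app": app})
    return sessions


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def triage(sessions, min_half_open=5, dominance=0.8):
    """Summarise half-open sessions and classify where they come from."""
    half_open = [s for s in sessions if s["state"] == HALF_OPEN_STATE]
    report = {"half_open": len(half_open), "distinct_sources": 0,
              "top_source": None, "verdict": "normal"}
    if len(half_open) < min_half_open:
        return report
    sources = Counter(s["src"] for s in half_open)
    top_src, top_n = sources.most_common(1)[0]
    report.update(distinct_sources=len(sources), top_source=(top_src, top_n))
    if is_internal(top_src) and top_n / len(half_open) >= dominance:
        # One inside host owns almost all half-open sessions: application fault.
        report["verdict"] = "internal-client-not-completing-handshake"
    elif len(sources) / len(half_open) >= dominance:
        # Nearly every half-open session has its own source: flood pattern.
        report["verdict"] = "many-sources-possible-syn-flood"
    else:
        report["verdict"] = "mixed-investigate"
    return report
```

The two thresholds are deliberately exposed: `min_half_open` keeps a handful of stalled connections from raising an alert, and `dominance` sets how concentrated (or how spread out) the sources must be before the verdict commits either way.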

4
MCQ · easy

A network administrator is migrating from a legacy firewall to a new Palo Alto Networks firewall. The current firewall has a large number of ACL rules that allow traffic based on source/destination IP and port. The administrator wants to convert these rules to App-ID based policies on the Palo Alto firewall. What is the recommended best practice to ensure a smooth migration while maintaining security?

A.Use the Policy Optimizer feature in Panorama to analyze existing logs and generate App-ID based policy recommendations.
B.Deploy the Palo Alto firewall inline with no policies first, and let it learn the traffic patterns automatically for a week.
C.Create the same port-based rules on the Palo Alto firewall and then gradually enable App-ID in learning mode to see what applications are being used.
D.Convert all existing rules to App-ID by using the application default ports and immediately enforce application blocking.
Answer: C

Replicating the existing rules first preserves connectivity and gives visibility into the applications in use before the switch to App-ID based policies, minimizing risk.

Why this answer

Option C is correct. The recommended approach is to first replicate the existing port-based rules on the Palo Alto Networks firewall to preserve connectivity, then log the traffic those rules allow and observe which applications App-ID identifies. This lets the administrator build App-ID based rules from observed usage and tighten the rulebase gradually without disruption.

Option B is risky because a firewall with no policies allows all traffic. Option D could cause outages by enforcing App-ID immediately. Option A refers to Policy Optimizer, which is useful once port-based rules are in place and generating logs, but it is not the first step.

5
Multi-Select · easy

Which THREE are default security profile groups in PAN-OS? (Choose three.)

Select 3 answers
A.Strict
B.Server
C.Alert
D.Custom
E.Best Practice
Answers: A, C, E

The 'Strict' group has the most restrictive settings.

Why this answer

Options A, C and E are correct; these are the predefined profile groups. Option B is wrong because 'Server' is not a default group.

Option D is wrong because 'Custom' is not a default group; custom groups are user-created.

6
MCQ · medium

A network administrator is configuring a new security policy to allow specific inbound traffic to a web server. The policy must be as specific as possible to minimize risk. Which configuration approach is correct?

A.Create a security policy with source zone Untrust, destination zone DMZ, and service application-default.
B.Create a security policy with source any, destination DMZ, and service http.
C.Create a security policy with source zone Untrust, destination zone DMZ, and application web-browsing.
D.Create a security policy with source zone Untrust, destination zone DMZ, and service http.
Answer: C

Application web-browsing uses App-ID to ensure only HTTP traffic is allowed, regardless of port, which is more specific than matching on a port number.

Why this answer

Option C is correct. Matching on the application (web-browsing) is more specific than matching on a port-based service, because App-ID identifies the traffic by its content rather than by the port it arrives on. Option D uses the port-based service http, which admits any application that happens to use TCP/80.

Option B uses source 'any', which is too broad. Option A leaves the application as 'any' with service application-default, which allows every known application on its default ports rather than only the web server traffic.

7
MCQ · easy

A network administrator wants to allow FTP traffic from the internal network (zone: trust) to an external server (zone: untrust) while ensuring that the firewall can inspect the FTP control and data channels. Which security rule configuration is required?

A.Create a rule with service 'tcp-21' and application 'any'
B.Create a rule with application 'ftp' and disable Application Override
C.Create a rule with application 'ftp' and enable 'FTP Alg' in the Application Override settings
D.Create a rule with application 'ftp' and service 'application-default'
Answer: D

The ftp App-ID includes the FTP ALG: the firewall reads the PORT/PASV negotiation on the control channel and opens the data channel as a predicted session, so both channels are inspected without extra configuration.

Why this answer

Option D is correct because FTP uses a control channel (TCP 21) and a separately negotiated data channel, and the firewall must track both to enforce policy. A rule that matches application 'ftp' on service 'application-default' invokes the ftp decoder, whose built-in ALG reads the PORT and PASV exchange on the control channel and creates a predicted session for the data channel in both active and passive modes. Nothing else needs to be enabled; the ALG is on by default for the ftp application.

Exam trap

The trap is the phrase 'Application Override'. An Application Override policy tells the firewall to stop identifying the traffic and treat it as a named custom application, which disables App-ID inspection and the ALG rather than enabling it. There is no 'FTP Alg' setting inside Application Override.

How to eliminate wrong answers

Option A is wrong because service 'tcp-21' with application 'any' matches only the control port; it provides no application-level inspection, and the data channel on a dynamically negotiated port can only be opened by the ALG that the ftp App-ID provides. Option B is wrong because it describes the normal state rather than a configuration: Application Override is off unless a policy is written, and with no service specified the rule admits ftp on any port instead of its default port. Option C is wrong because Application Override has no 'FTP Alg' option, and an override policy would bypass the ftp decoder instead of enhancing it.

8
MCQ · hard

During a security audit, it is discovered that some traffic from the 'guest' zone to the 'untrust' zone is not being inspected by Threat Prevention profiles. The security rule that matches this traffic has a Threat Prevention profile applied. What is a likely reason for the lack of inspection?

A.The Threat Prevention profile is disabled on the rule
B.An earlier rule with action 'allow' is matching the traffic before reaching this rule
C.The traffic uses a service that is not supported by the Threat Prevention profile
D.The security rule action is set to 'deny'
Answer: B

If a higher-priority rule matches and allows the traffic without a threat profile, the later rule and its profile are never evaluated.

Why this answer

Option B is correct. Security profiles are applied by the rule that the session actually matches; if an earlier, broader rule allows guest-to-untrust traffic without a Threat Prevention profile, the later rule is shadowed and its profile never runs. Option A is wrong because a profile attached to a rule is in effect whenever that rule matches; there is no separate enable switch. Option C is wrong because threat profiles apply to every session that matches the rule, regardless of the service.

Option D is wrong because a 'deny' action blocks the traffic entirely rather than letting it through uninspected.

9
MCQ · hard

A multinational company has deployed a Palo Alto Networks firewall in a datacenter to provide internet access to employees in the corporate office and remote branches via IPsec VPN. The firewall is configured with multiple virtual routers, security zones (trust, untrust, dmz, vpn), and policies for application and URL filtering. Recently, users in the corporate office report that they cannot access a critical cloud-based CRM application (https://crm.company.com) from their workstations, while access from remote VPN users works fine. Other websites are accessible from the corporate office. The IT team has verified that DNS resolution is correct and that the CRM server responds to pings from the firewall's management IP. The security policy includes a rule from trust to untrust that allows application 'crm-base' and 'ssl' with URL category 'crm-sites'. The administrator has checked the traffic logs and sees that sessions are being denied with the reason 'application mismatch'. Which of the following is the most likely cause and correct course of action?

A.Update the application and threat signatures to the latest version, and verify that the application 'crm-base' correctly identifies the CRM traffic. If not, expand the policy to include a fallback application or use custom App-ID.
B.Enable SSL decryption to inspect the traffic and improve application identification.
C.Modify the security policy to allow application 'web-browsing' instead of 'crm-base' and 'ssl'.
D.Check that the destination address object for the CRM server is correct and includes the CDN IPs.
Answer: A

Keeping application and threat signatures current ensures proper application identification. If the application is still not recognized, using a broader application (such as 'ssl' together with the URL category) or creating a custom App-ID resolves the mismatch.

Why this answer

Option A is correct. The 'application mismatch' in the logs means the firewall is not identifying these sessions as the application the rule expects ('crm-base'), so the rule does not match and the traffic falls through. Updating the application signatures, confirming what App-ID actually sees for this traffic, and then widening the rule or adding a custom App-ID addresses the cause.

Option B is wrong because decryption does not cause the mismatch; it may help identification later but does not fix the policy. Option C is wrong because the rule already allows 'ssl'; switching to 'web-browsing' is broader than intended and would not match undecrypted HTTPS anyway. Option D is wrong because the logs report an application mismatch, not a destination mismatch; the destination object is not the issue.

10
MCQ · medium

A network administrator notices that traffic from the internal zone to the external zone is being denied, even though a security policy allowing all outbound traffic exists. The internal zone is configured with a zone protection profile that has Flood Protection enabled. What is the most likely cause of the denial?

A.The security policy is set to deny due to an implicit deny rule.
B.The zone protection profile has Flood Protection thresholds set too low, causing legitimate traffic to be dropped.
C.The security policy has a logging profile attached that is blocking traffic.
D.The security policy has a schedule configured that is currently outside the allowed time.
Answer: B

Flood Protection thresholds can drop traffic that exceeds the configured limits, even when the traffic is legitimate.

Why this answer

Option B is correct because a zone protection profile's Flood Protection drops packets once the configured rate is exceeded, and thresholds set too low discard legitimate sessions before the security policy is even consulted. Option A is wrong because the explicit allow-all rule matches before the implicit deny is reached. Option C is wrong because log forwarding profiles only control where logs are sent; they never block traffic.

Option D is wrong because the scenario says the policy allows all outbound traffic; a schedule would deny consistently during the excluded hours, whereas flood thresholds drop traffic only when the rate limit is exceeded.

11
Multi-Select · medium

A security administrator is reviewing best practices for creating security policies on a Palo Alto Networks firewall. Which two of the following are recommended practices?

Select 2 answers
A.Use security policy tags to group rules.
B.Use the 'any' zone for source and destination to reduce rule count.
C.Disable logging on rules that permit traffic to reduce log volume.
D.Use security profile groups to apply multiple profiles.
E.Place more specific rules at the top of the rulebase.
Answers: D, E

Security profile groups simplify management by applying a consistent set of threat prevention profiles across multiple rules, and placing specific rules above broad ones keeps them from being shadowed.

Why this answer

Security profile groups allow administrators to bundle multiple security profiles (e.g., antivirus, anti-spyware, vulnerability protection, URL filtering) into a single object. This simplifies policy management, ensures consistent enforcement, and reduces the risk of misconfiguration by applying a predefined set of protections to a rule. Placing more specific rules at the top of the rulebase matters because evaluation stops at the first match; a broad rule above a specific one means the specific rule never takes effect.

Exam trap

The trap here is that candidates often confuse security policy tags (which are metadata for filtering/reporting) with actual rule grouping mechanisms, or they mistakenly think disabling logging on permit rules is a valid optimization technique, when in fact it violates best practices for auditability and threat detection.

12
MCQ · medium

A security administrator notices that traffic from a specific subnet is not being logged in the Traffic logs, although the traffic is allowed by a security policy rule. Which configuration setting should be verified?

A.Zone Protection profile is set to 'Log at Session Start'
B.The Log Forwarding profile is not applied
C.The rule has 'Log at Session End' disabled
D.Disable Server Response Inspection on the rule
Answer: C

If 'Log at Session End' is not checked, traffic matching the rule will not be logged.

Why this answer

Option C is correct because the 'Log at Session End' setting on a security policy rule controls whether traffic matching that rule generates a Traffic log entry when the session closes. If this setting is disabled, the firewall will allow the traffic per the rule but will not record it in the Traffic logs, which matches the scenario where traffic is permitted but not logged.

Exam trap

The trap here is that candidates often confuse Log Forwarding profiles with the actual logging toggle on the rule, assuming that applying a forwarding profile is required for logging to occur, when in fact the rule's own 'Log at Session End' setting is the primary control for local Traffic log generation.

How to eliminate wrong answers

Option A is wrong because Zone Protection profiles are applied to zones, not to rules, and have no per-session logging toggle; 'Log at Session Start' is a setting on the security rule itself. Option B is wrong because a Log Forwarding profile only determines where logs are sent (Panorama, syslog, e-mail); traffic is still logged locally without one. Option D is wrong because Disable Server Response Inspection (DSRI) skips threat inspection of server-to-client traffic; it has no effect on Traffic log generation.

13
MCQ · easy

Refer to the exhibit. An administrator notices that SSH traffic from the trust zone to the untrust zone is being blocked. The administrator expected it to be allowed by rule 2. What is the most likely reason?

A.Rule 2's application is set to 'ssh' but the service is not 'application-default'
B.Rule 1 matches the traffic and is evaluated before rule 2
C.Rule 1 is configured with action 'allow'
D.Rule 2's source zone is incorrectly set to 'dmz'
Answer: B

Rule 1 matches any source and destination zone and sits above rule 2, so it denies SSH before rule 2 is ever evaluated.

Why this answer

Option B is correct because rule 1 matches SSH from any zone to any zone and is evaluated first; policy evaluation stops at the first match. Option C is wrong because rule 1's action is deny, not allow. Option A is wrong because a service mismatch on rule 2 would make no difference; rule 2 is never reached.

Option D is wrong because rule 2 does allow SSH from trust; it simply never gets evaluated because rule 1 matches first.

14
MCQ · medium

Refer to the exhibit. A user in the trust zone attempts to access https://www.example.com. The traffic matches rule 2 first. What is the expected behavior?

A.The traffic is allowed due to the implicit allow at the end.
B.The traffic is denied because of rule 2.
C.The traffic is allowed because rule 3 allows web-browsing.
D.The traffic is allowed because no explicit deny is configured.
Answer: B

Rule 2 matches SSL application and has a deny action.

Why this answer

Option B is correct. HTTPS traffic is identified as application ssl, which matches rule 2 (deny). Since rule 2 has no schedule, it matches immediately, and the traffic is denied.

Rule 3 (allow for web-browsing) is not evaluated because rule 2 matched first. Option A is wrong because rule 2 matches. Option C is wrong because there is a deny rule.

Option D is wrong because the session is not allowed; it is denied.

15
MCQ · hard

Refer to the exhibit. A user at IP 10.1.1.5 on the untrust zone is trying to access a server on the trust zone. The traffic is being blocked by a default deny rule instead of being allowed by rule1. What is the most likely reason?

A.The rule's destination is set to 'any' which is too broad.
B.The rule does not specify any application or service.
C.The rule uses negation on the source address.
D.The rule has not been committed.
Answer: C

The 'negate-source yes' directive means the rule applies to all sources except the specified range 10.1.1.0/24. Since 10.1.1.5 falls in that range, the rule does not match, and traffic hits the default deny rule.

Why this answer

Option C is correct because negating the source address inverts the match: with 'negate-source yes' and address 10.1.1.0/24, the rule matches traffic from any source except that subnet. 10.1.1.5 is inside the excluded range, so the rule does not match and the session falls through to the default deny rule. Negation in Palo Alto Networks policies is a common misconfiguration precisely because the rule looks as if it names the intended source.

Exam trap

The trap here is reading the listed address as the allowed source. With negation enabled, the listed address is the one excluded: the rule permits everything else, and the named host is exactly the one that hits the default deny.

How to eliminate wrong answers

Option A is wrong because setting the destination to 'any' is not too broad; it would actually make the rule more permissive and would not cause the traffic to be blocked unless other conditions fail. Option B is wrong because a rule without any application or service specified defaults to 'any' application/service, which would allow the traffic if other conditions match. Option D is wrong because an uncommitted rule would not appear in the running configuration at all, so it would not cause a match failure; the traffic would simply be evaluated against committed rules, not an uncommitted one.
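The mechanics behind questions 8, 13 and 15 (first match wins, 'any' zones shadowing later rules, a broad allow with no profile group, and negated source addresses) reduce to a small evaluator. The following Python is an added example for this page, not PAN-OS code: the rulebases, sessions and default-rule names are constructed to mirror the three questions, and the superset test in `shadowed_rules` is a simplification of what the firewall's own policy-match and rule-usage tools do.

```python
"""First-match evaluation of a zone-based security rulebase.

Added example for this page, not PAN-OS code. Rules, sessions and the
default-rule names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                   # 'allow', 'deny' or 'drop'
    src_zones: set = field(default_factory=lambda: {"any"})
    dst_zones: set = field(default_factory=lambda: {"any"})
    src_addrs: list = field(default_factory=lambda: ["any"])
    negate_source: bool = False                   # match every source EXCEPT src_addrs
    applications: set = field(default_factory=lambda: {"any"})
    profile_group: Optional[str] = None           # None = allowed without inspection


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str


# Predefined defaults: same-zone traffic is allowed, cross-zone traffic denied.
INTRAZONE_DEFAULT = Rule("intrazone-default", "allow")
INTERZONE_DEFAULT = Rule("interzone-default", "deny")


def _zone_ok(allowed, zone):
    return "any" in allowed or zone in allowed


def _addr_match(addrs, ip):
    if "any" in addrs:
        return True
    a = ip_address(ip)
    return any(a in ip_network(n, strict=False) for n in addrs)


def rule_matches(rule, s):
    """True when every criterion of `rule` matches session `s`."""
    if not _zone_ok(rule.src_zones, s.src_zone):
        return False
    if not _zone_ok(rule.dst_zones, s.dst_zone):
        return False
    hit = _addr_match(rule.src_addrs, s.src_ip)
    if rule.negate_source:          # the listed addresses become the excluded ones
        hit = not hit
    if not hit:
        return False
    return "any" in rule.applications or s.app in rule.applications


def evaluate(rulebase, s):
    """Return the first matching rule, top down, else the predefined default."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule
    return INTRAZONE_DEFAULT if s.src_zone == s.dst_zone else INTERZONE_DEFAULT


def _covers(outer, inner):
    return "any" in outer or inner <= outer


def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier rule covers them.

    Simplified: address coverage is recognised only when the earlier rule is
    'any' (and not negated) or both rules list the same addresses the same way.
    """
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            addr_cover = (("any" in earlier.src_addrs and not earlier.negate_source)
                          or (set(earlier.src_addrs) == set(later.src_addrs)
                              and earlier.negate_source == later.negate_source))
            if (_covers(earlier.src_zones, later.src_zones)
                    and _covers(earlier.dst_zones, later.dst_zones)
                    and _covers(earlier.applications, later.applications)
                    and addr_cover):
                shadowed.append(later.name)
                break
    return shadowed


# Question 13: an 'any'-zone deny placed above the intended allow.
Q13_RULES = [
    Rule("rule1", "deny", applications={"ssh"}),
    Rule("rule2", "allow", src_zones={"trust"}, dst_zones={"untrust"}, applications={"ssh"}),
]
# Question 15: negate-source excludes the very subnet the user sits in.
Q15_RULES = [
    Rule("rule1", "allow", src_zones={"untrust"}, dst_zones={"trust"},
         src_addrs=["10.1.1.0/24"], negate_source=True),
]
# Question 8: a broad allow with no profile group shadows the inspected rule.
Q8_RULES = [
    Rule("guest-any", "allow", src_zones={"guest"}, dst_zones={"untrust"}),
    Rule("guest-inspected", "allow", src_zones={"guest"}, dst_zones={"untrust"},
         applications={"web-browsing", "ssl"}, profile_group="threat-prevention"),
]
```

`evaluate(Q13_RULES, Session("trust", "untrust", "10.0.0.5", "ssh"))` returns rule1 (deny), `evaluate(Q15_RULES, Session("untrust", "trust", "10.1.1.5", "any"))` falls to interzone-default, and `shadowed_rules(Q8_RULES)` reports guest-inspected as unreachable, which is why its profile group never runs.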

16
Multi-Select · medium

Which TWO of the following are key benefits of using an Application-Based Security Policy compared to a Port-Based Security Policy? (Choose TWO.)

Select 2 answers
A.Simpler configuration for traditional protocols like HTTP and FTP
B.Ability to control applications regardless of port or protocol evasion
C.Easier to allow applications that use dynamic ports
D.Ability to log and report on application usage for compliance
E.Increased throughput because firewall does not need to inspect ports
Answers: B, D

Application-based policies identify applications even on non-standard ports, and they log and report by application rather than by port.

Why this answer

Options B and D are correct: application-based policies enforce control regardless of the port or evasion technique in use, and they provide visibility into application usage for reporting and compliance. Option A is wrong because simpler configuration is not a benefit of App-ID; port-based rules are often simpler to write. Option E is wrong because identifying applications adds inspection work; it does not increase throughput.

Option C describes a consequence of B rather than a separate benefit: App-ID handles dynamic-port applications because it matches on the application instead of the port, which is the point Option B already makes.

17
MCQ · hard

An organization is experiencing high CPU utilization on the firewall dataplane, causing latency in packet processing. The administrator notices that a large number of small packets are being processed by a specific security rule that allows any service. What is the best first step to reduce CPU load without impacting legitimate traffic?

A.Remove the rule and create a more specific rule with a narrower service
B.Apply a DoS protection profile with a session rate threshold
C.Create a QoS policy to limit bandwidth for that traffic class
D.Increase the session timeout to avoid creating new sessions
Answer: C

QoS can throttle the amount of traffic processed, reducing CPU utilization while still allowing legitimate traffic.

Why this answer

Option C is correct because applying a QoS policy to limit bandwidth for the traffic class causing high CPU utilization will throttle the rate at which small packets are processed, reducing the dataplane load without dropping legitimate traffic. QoS allows the firewall to prioritize or rate-limit specific traffic classes, which directly addresses the high volume of small packets without altering security rules or session behavior.

Exam trap

The trap here is that candidates often confuse QoS with DoS protection, thinking that rate-limiting or blocking is the same as shaping, but QoS is designed to manage bandwidth without dropping traffic, whereas DoS protection thresholds can inadvertently drop legitimate traffic if not carefully tuned.

How to eliminate wrong answers

Option A is wrong because removing the rule and creating a more specific rule with a narrower service would not reduce the CPU load from the existing high volume of small packets; it only changes the rule match criteria, not the packet processing rate. Option B is wrong because a DoS protection profile with a session rate threshold is designed to block or rate-limit traffic that exceeds a threshold, which could drop legitimate traffic if the threshold is set too low, and it does not specifically address the high CPU from small packets in a rule that allows any service. Option D is wrong because increasing the session timeout would keep sessions open longer, potentially increasing the number of concurrent sessions and worsening CPU utilization, not reducing it.

18
MCQ · easy

A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?

A.Create a new Security policy rule with an Application ID that blocks social-media applications.
B.Create a new Security policy rule with a URL Filtering profile that blocks the social-media category.
C.Add a Custom Signature to the existing rule to block social media traffic.
D.Modify the existing web browsing rule to deny social media destinations.
Answer: B

URL Filtering directly blocks access by category.

Why this answer

Option B is correct because URL Filtering profiles are specifically designed to block entire categories of websites (like social media) based on URL categorization, which is the most efficient method for blocking access to social media sites. This approach leverages Palo Alto Networks' URL Filtering database, which categorizes millions of URLs, allowing the administrator to block the entire 'social-media' category with a single policy rule without needing to identify individual applications or destinations.

Exam trap

The trap here is that candidates often confuse Application ID (which blocks the application itself, like Facebook app) with URL Filtering (which blocks the website category), leading them to choose Option A, but URL Filtering is the correct and more efficient method for blocking entire categories of websites based on URL categorization.

How to eliminate wrong answers

Option A is wrong because Application ID identifies the application itself (e.g., Facebook, Twitter) regardless of port or protocol, but it is less efficient for blocking all social media websites since it requires identifying and adding each specific social media application, and some social media sites may use web browsing traffic that is not easily identified by App-ID alone. Option C is wrong because Custom Signatures are used to detect and block specific threats or custom traffic patterns (e.g., exploit payloads), not to block entire categories of websites like social media; this would be overly complex and inefficient. Option D is wrong because modifying the existing web browsing rule to deny social media destinations would require manually listing all social media URLs or IP addresses, which is impractical and not scalable, and it would break the existing allow rule for general web browsing.

19
MCQ · easy

A company wants to ensure that all internet-bound HTTP traffic is decrypted for inspection before being forwarded to the next-generation firewall for policy enforcement. Which deployment method should be used?

A.Virtual wire mode with SSL Forward Proxy
B.Explicit proxy with SSL Forward Proxy decryption
C.Transparent proxy with a forward trust certificate
D.Layer 3 mode with a policy-based forwarding rule
Answer: B

Explicit proxy mode lets the firewall act as a forward proxy for client web traffic and perform SSL Forward Proxy decryption for inspection.

Why this answer

B is correct because in an explicit proxy deployment clients are configured to send their web traffic to the proxy address, so the proxy terminates the client connection, performs SSL Forward Proxy decryption using a forward trust certificate, inspects the content, and re-encrypts it toward the destination. Every client configured to use the proxy has its internet-bound HTTP and HTTPS traffic decrypted for inspection before policy enforcement, which is what the question requires.

Exam trap

The trap is assuming that an inline deployment mode decrypts by itself. Decryption always needs a decryption policy and a forward trust certificate; what makes explicit proxy fit this question is that the firewall is the endpoint the clients deliberately connect to, so all proxied traffic passes through the decryption path.

How to eliminate wrong answers

Option A is wrong because virtual wire is an inline transparent mode of the firewall itself; it does not place a proxy in front of the firewall that hands off decrypted traffic, as the question describes. Option C is wrong because a forward trust certificate is a prerequisite for any SSL Forward Proxy decryption, not a deployment method, and transparent proxy intercepts traffic without client configuration, which is not the requirement here. Option D is wrong because a policy-based forwarding rule only selects the next hop for matching traffic; it does not decrypt anything on its own.

20
Multi-Select · hard

Which THREE of the following actions are valid actions for a security policy rule on a Palo Alto Networks firewall? (Choose THREE.)

Select 3 answers
A.Deny
B.Log
C.Reset
D.Drop
E.Allow
Answers: A, D, E

Deny applies the application's default deny behaviour (a silent drop or a reset, depending on the application); Drop silently discards the packets in every case.

Why this answer

Options A, D and E are correct: Allow, Deny and Drop are valid rule actions. Option C is wrong because 'Reset' on its own is not an action; the reset actions are 'Reset client', 'Reset server' and 'Reset both'. Option B is wrong because 'Log' is not an action; logging is configured separately on the rule (Log at Session Start / Log at Session End).

21
MCQ · easy

A company uses Active Directory for user authentication. They want to enforce security policies based on user identity. What is the required first step to enable User-ID on the Palo Alto Networks firewall?

A.Add an LDAP server profile to authenticate users.
B.Deploy GlobalProtect agents on all endpoints.
C.Configure a server monitoring profile to connect to the domain controller.
D.Enable captive portal on the internal zone.
AnswerC

The firewall polls the domain controller to collect user logon events and map users to IP addresses.

Why this answer

Option C is correct. The first step is to configure the firewall to communicate with the domain controller so it can read logon events from the security log and build user-to-IP mappings; a server monitoring profile (or a User-ID agent) does exactly that. Once mappings exist, User-ID still has to be enabled on the source zones before policy can use them. Option A is wrong because an LDAP server profile is used to retrieve group membership for group-based rules, not to map users to IP addresses.

Option B is wrong because GlobalProtect is a client-based method aimed at remote users, not the starting point for internal AD integration. Option D is wrong because Captive Portal is a fallback for users the firewall could not identify passively, not the first step.

22
Multi-Selecteasy

A security administrator is troubleshooting an issue where users cannot access a specific website. The security policy allows web-browsing from the internal zone to the external zone. Which TWO actions should the administrator take to verify the traffic is being matched and allowed?

Select 2 answers
A.Review the system resources to check CPU usage.
B.Verify that the policy has the correct source zone.
C.Check the traffic log for the session.
D.Look at the Threat log for any malware detections.
E.Examine the URL filtering profile applied to the policy.
AnswersB, C

If the source zone is incorrect, the policy may not match, and traffic could be blocked by implicit deny; verifying the zone ensures the policy applies to the intended traffic.

Why this answer

Options B and C are correct. The traffic log shows whether a session was created, which rule it matched, and what action was taken. Verifying the source zone confirms that the rule can match the traffic at all; if the zone is wrong, the session falls through to the interzone default deny.

Option A is unrelated to policy matching. Option D is wrong because the Threat log records signature hits, not whether a session was allowed. Option E is wrong because a URL Filtering profile acts only after the rule has already matched and allowed the session; it cannot explain a session that never matched.

23
Multi-Selecthard

Which THREE actions can improve firewall performance by reducing CPU load? (Choose three.)

Select 3 answers
A.Enable hardware acceleration for packet processing
B.Use reactive policy updates via API
C.Reduce log verbosity for allowed traffic
D.Disable unused security profiles
E.Enable SSL decryption for all traffic
AnswersA, C, D

Hardware acceleration offloads processing to specialized chips, reducing CPU load.

Why this answer

Options A, C, and D are correct. Hardware acceleration offloads packet processing from the dataplane CPUs. Reducing the logging generated for allowed traffic lowers log I/O and management-plane load. Disabling unused security profiles removes inspection work from every matching session.

Option B is wrong because reactive, API-driven policy updates add commit and processing overhead. Option E is wrong because SSL decryption is one of the most CPU-intensive features; enabling it for all traffic increases load rather than reducing it.

24
Multi-Selectmedium

Which TWO are valid methods for authenticating administrative users on Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.Local authentication using local user database
B.RADIUS
C.TACACS
D.SAML
E.LDAP
AnswersA, B

The firewall has a built-in local database for administrator accounts.

Why this answer

Options A and B are the intended answers: the firewall supports local administrator accounts and RADIUS. Option C is marked wrong because the firewall supports TACACS+, not the original TACACS protocol.

Options D and E are marked wrong by the question, with a caveat: PAN-OS also accepts LDAP, Kerberos, TACACS+, and SAML server profiles in an authentication profile for administrator logins, so in practice LDAP and SAML are valid admin authentication methods. The question hinges on the TACACS versus TACACS+ distinction rather than on LDAP or SAML being unsupported.

25
MCQhard

A security administrator is troubleshooting a site-to-site IPsec VPN between two Palo Alto Networks firewalls. The Phase 1 proposal includes AES-256, SHA-256, and DH Group 14 with a lifetime of 28800 seconds. The Phase 2 proposal includes AES-256, SHA-256, and PFS with DH Group 14. The tunnel is established and traffic is flowing, but intermittently the tunnel drops and re-establishes. The logs show the following error: 'Phase 2 negotiation failed because no suitable proposal found.' Both firewalls have identical IKE gateway and IPsec crypto profile configurations. Which option is the most likely cause of this issue?

A.The DH group used in Phase 2 is not supported by the firewall model.
B.The IPsec SA lifetime is not configured on one of the firewalls, causing a mismatch.
C.The Phase 2 proposal uses a different DH group than Phase 1.
D.The Phase 1 lifetime is shorter than the Phase 2 lifetime.
AnswerB

Correct: If the IPsec SA lifetime is not explicitly set, the firewall uses a default value that may differ from the peer's configured value, leading to proposal mismatch.

Why this answer

The error 'Phase 2 negotiation failed because no suitable proposal found' indicates a mismatch in the IPsec SA parameters. Even though both firewalls have identical IKE gateway and IPsec crypto profile configurations, if one firewall has an IPsec SA lifetime configured (e.g., 3600 seconds) and the other does not (defaulting to a different value, such as 10800 seconds), the lifetimes will not match, causing intermittent rekey failures. This is the most likely cause because the tunnel initially establishes but drops when rekeying occurs due to the lifetime mismatch.

Exam trap

The trap here is that candidates assume identical IKE gateway and IPsec crypto profile configurations guarantee matching proposals, but they overlook that the IPsec SA lifetime is a separate parameter that must be explicitly set to the same value on both peers, and a default value mismatch is a common cause of intermittent rekey failures.

How to eliminate wrong answers

Option A is wrong because DH Group 14 is widely supported on Palo Alto Networks firewalls, and the question states the tunnel establishes initially, proving the DH group is supported. Option C is wrong because using a different DH group in Phase 2 than Phase 1 is allowed (PFS uses its own DH group), and the error specifically mentions 'no suitable proposal found' for Phase 2, not a DH group mismatch between phases. Option D is wrong because Phase 1 and Phase 2 lifetimes are independent; a shorter Phase 1 lifetime does not cause Phase 2 negotiation failures—Phase 2 rekeys independently of Phase 1 lifetime expiration.

26
Matchingmedium

Match each log type to its description.

Traffic log: Records session information

Threat log: Records blocked attacks

URL Filtering log: Records web browsing activity

WildFire Submissions log: Records files sent for analysis

Why these pairings

These are the standard PAN-OS log types: Traffic logs record every session that matched a rule with logging enabled, Threat logs record antivirus, anti-spyware and vulnerability protection detections, URL Filtering logs record categorized web requests, and WildFire Submissions logs record the files forwarded for analysis and their verdicts.

27
MCQhard

Refer to the exhibit. A packet arrives with source IP 192.168.1.10, destination IP 203.0.113.10, destination port 80, from zone trust. After this NAT rule is applied, what will be the destination IP and port of the packet?

A.Destination IP 10.0.0.5, Destination port 80, Source IP changed to firewall IP
B.Destination IP 203.0.113.10, Destination port 8080
C.Destination IP 203.0.113.10, Destination port 80, Source port changed to 5000
D.Destination IP 10.0.0.5, Destination port 80
AnswerD

The destination NAT translates the destination address and keeps the port as 80.

Why this answer

Option D is correct. The destination NAT rule translates the destination IP from 203.0.113.10 to 10.0.0.5 and leaves the destination port at 80, since no translated port is configured. Option A is wrong because the rule has no source translation, so the source IP is unchanged. Note that the security policy for this flow must match the pre-NAT destination address (203.0.113.10) together with the post-NAT destination zone.

Option B is wrong because no port translation to 8080 is configured. Option C is wrong because the source port is not modified and the destination address is translated.

28
MCQmedium

A firewall administrator needs to generate a report that shows the top applications consuming bandwidth over the last week. Which Palo Alto Networks tool should be used?

A.Predefined reports.
B.Traffic log viewer.
C.Application Command Center (ACC).
D.Packet capture (PCAP).
AnswerC

ACC provides an intuitive dashboard with application breakdowns and top usage.

Why this answer

Option C is correct. The ACC aggregates application usage over a selectable time range (for example, the last 7 days) and lets you drill into the top applications by bytes. Option B is wrong because the traffic log viewer shows individual session records, not an aggregated bandwidth breakdown.

Option A is wrong because predefined reports are generated on a daily schedule rather than explored interactively (a custom report could also answer this, but the ACC is the direct tool). Option D is wrong because packet capture is for troubleshooting individual flows.

29
MCQmedium

An organization uses a Palo Alto Networks firewall to segment its network into three zones: Corp (10.0.1.0/24), Guest (10.0.2.0/24), and Mgmt (10.0.3.0/24). The firewall is running PAN-OS 10.0. The administrator wants to ensure that only devices from the Corp zone can access the management interface of the firewall via SSH from the internal network. The management interface is physically connected to the Mgmt network, and its IP is 10.0.3.1/24. A security policy must be configured to permit this access. Which approach should the administrator take?

A.Create a policy with source zone Corp, destination zone Mgmt, and service SSH. Ensure that the management interface is included as a destination in the policy.
B.Use the built-in admin access control list in firewall settings to permit SSH from Corp subnet, and disable all other management protocols.
C.Create a security policy with source zone Corp, destination zone Mgmt, and application SSH, and also create a static route to the Mgmt network.
D.Configure an interface management profile on the Mgmt interface that allows SSH only from the Corp subnet (10.0.1.0/24), and apply it to the management interface.
AnswerD

Interface Management Profiles control which services and source IPs can access the firewall's management plane on a per-interface basis; this is the correct method.

Why this answer

Option D is correct. Access to the firewall's own management services on a dataplane interface is controlled by an Interface Management Profile, which lists the permitted services (SSH, HTTPS, ping, and so on) and the source addresses allowed to reach them. Security policy governs traffic passing through the firewall, not traffic addressed to it.

The administrator should therefore bind a profile that permits SSH only from 10.0.1.0/24 to the Mgmt-side interface. Options A and C misapply security policy to management-plane traffic (the static route in option C is also unnecessary for a directly connected network).

Option B describes the Permitted IP Addresses list under Device > Setup > Management, which applies to the dedicated out-of-band MGT port rather than to a dataplane interface. Caveat: if the 'management interface' in a scenario is that dedicated MGT port, the Permitted IP Addresses list is the right control and an Interface Management Profile cannot be applied to it (see question 41).

30
MCQmedium

Refer to the exhibit. Based on the session information, which type of NAT is being performed?

A.No NAT is being performed
B.Source NAT
C.Port Address Translation (PAT)
D.Destination NAT
AnswerB

The source address is translated from 10.1.1.100 to 192.168.1.100, which is source NAT.

Why this answer

Option B is correct because the source IP is translated from a private address to a public one, which is source NAT. Option A is wrong because a translation clearly took place. Option C is wrong because no port information is shown, so there is no evidence of port translation; PAT (dynamic IP and port) is a form of source NAT, but the exhibit only supports the broader term.

Option D is wrong because the destination address is unchanged; destination NAT would show a translated destination.
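The two NAT questions above (27 and 30) come down to which fields of the session change. The following Python model, an added example that is not part of the original page, applies a small NAT rulebase to a packet the way the PAN-OS NAT rulebase does (first matching rule wins, matched on pre-NAT values, destination and source translation applied independently) and then classifies the result from the before and after 5-tuples. The rule names, the addresses and the fixed PAT port 5000 are constructed for the example; a real firewall allocates the translated port dynamically.

```python
"""Toy model of NAT rule evaluation (added example; constructed data).

Destination NAT rewrites dst_ip (and optionally dst_port); source NAT
rewrites src_ip, and "dynamic IP and port" additionally rewrites src_port,
which is what distinguishes PAT from plain source NAT in a session record.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str                    # "any" or a zone name (pre-NAT zone)
    dst_net: str                      # pre-NAT destination to match
    to_dst_ip: Optional[str] = None   # destination translation, if any
    to_dst_port: Optional[int] = None
    to_src_ip: Optional[str] = None   # source translation, if any
    dynamic_ports: bool = False       # dynamic-ip-and-port (PAT)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """NAT rules match on the packet's original (pre-NAT) values."""
    return (rule.from_zone in ("any", pkt.src_zone)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst_net))


def apply_nat(rules: List[NatRule], pkt: Packet,
              pat_port: int = 5000) -> Tuple[Optional[str], Packet]:
    """Return (matched rule name, translated packet). First match wins;
    an unmatched packet is returned unchanged. pat_port stands in for the
    port a real firewall would allocate dynamically (constructed value)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        out = pkt
        if rule.to_dst_ip:
            out = replace(out, dst_ip=rule.to_dst_ip,
                          dst_port=rule.to_dst_port or out.dst_port)
        if rule.to_src_ip:
            out = replace(out, src_ip=rule.to_src_ip,
                          src_port=pat_port if rule.dynamic_ports else out.src_port)
        return rule.name, out
    return None, pkt


def classify(before: Packet, after: Packet) -> List[str]:
    """Name the translation types visible by comparing the two 5-tuples."""
    kinds = []
    if (after.dst_ip, after.dst_port) != (before.dst_ip, before.dst_port):
        kinds.append("destination NAT")
    if after.src_ip != before.src_ip:
        kinds.append("PAT" if after.src_port != before.src_port else "source NAT")
    return kinds or ["no NAT"]


# Constructed rulebase mirroring questions 27 and 30.
RULES = [
    NatRule("web-dnat", "any", "203.0.113.10/32", to_dst_ip="10.0.0.5"),
    NatRule("outbound-static", "trust", "0.0.0.0/0", to_src_ip="192.168.1.100"),
]

if __name__ == "__main__":
    q27 = Packet("trust", "192.168.1.10", 40000, "203.0.113.10", 80)
    name, out = apply_nat(RULES, q27)
    print(name, out, classify(q27, out))
```

The classifier deliberately looks only at the session fields, which is what a session browser exhibit shows you: a changed source address with an unchanged source port reads as static source NAT, a changed source port on top of that reads as PAT, and a changed destination reads as destination NAT.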

31
Multi-Selecthard

Which THREE actions can a Security policy rule perform on traffic?

Select 3 answers
A.Drop
B.Reset
C.Deny
D.Block
E.Allow
AnswersA, C, E

Correct: Drop silently discards the packet.

Why this answer

A Security policy rule can allow, deny, or drop traffic. Drop silently discards the packets without notifying the source, which minimizes overhead and avoids giving a scanner a response. Deny applies the application's default deny action, which for most applications is a silent drop but for some is a TCP reset. The explicit reset options are 'Reset client', 'Reset server', and 'Reset both'; a bare 'Reset' and 'Block' are not actions in the rulebase.

Exam trap

The trap here is that candidates often confuse 'Deny' and 'Drop' as the same action, but Palo Alto Networks distinguishes them by whether a reset or unreachable message is sent, and 'Block' is not a valid Security policy rule action at all.

32
MCQmedium

An administrator configures a security policy rule to block traffic from IP address 10.1.1.1 to 10.2.2.2 on any service. However, traffic from 10.1.1.1 to 10.2.2.2 is still passing through the firewall. After checking all rules, what is the most likely cause?

A.The rule is placed after an allow rule that matches the traffic
B.The source and destination zones are set to 'any'
C.There is an implicit allow rule that overrides the block rule
D.The rule is configured in the PBF rulebase instead of the Security rulebase
AnswerD

Policy-Based Forwarding rules choose an egress interface and next hop; they do not allow or deny. A block rule accidentally created in the PBF rulebase has no enforcement effect, and the traffic falls through to whatever Security rule matches it.

Why this answer

PBF rules are consulted when the forwarding path is chosen, before the security policy lookup, but they influence only the route (and therefore the destination zone) the session takes. They cannot permit or deny a session, so a 'block' written as a PBF rule does nothing to stop the traffic: the session is still evaluated against the Security rulebase, and if an allow rule matches there, the traffic passes. That is why checking every Security rule turned up nothing; the intended block does not exist in that rulebase.

Exam trap

The trap here is that candidates assume every rule with source and destination match criteria is a filtering rule, overlooking that the PBF rulebase only steers traffic. A rule placed there never blocks anything, however precise its match criteria.

How to eliminate wrong answers

Option A is wrong only because the scenario states the administrator has already checked all rules, which includes their order; in general, a block rule placed below an allow rule that matches the same traffic is the first thing to look for, since rules are evaluated top to bottom and the first match wins. Option B is wrong because source and destination zones set to 'any' broaden the match rather than prevent it; the rule would still block the traffic if it were in the Security rulebase. Option C is wrong because there is no implicit allow for interzone traffic; the interzone-default rule denies anything that matches no explicit rule (only intrazone traffic is allowed by default).

33
MCQhard

An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?

A.Install a virtual wire between the virtual routers.
B.Add static routes for the remote subnets in each virtual router.
C.Configure a default route in each virtual router pointing to the other.
D.Create a Security policy rule that allows traffic between the virtual routers.
AnswerD

Inter-virtual-router traffic must be permitted by Security policy to be inspected.

Why this answer

Option D is correct because traffic crossing from one virtual router to another still enters and leaves the firewall through zoned interfaces and is evaluated by the Security rulebase; separate routing tables do not exempt it. Without a rule allowing the traffic between the zones involved, the interzone-default rule denies it, and with such a rule the session is inspected by whatever security profiles are attached. In practice the routing side is needed as well: each virtual router needs a route to the other's subnets with the other virtual router as the next hop, but routing alone neither permits nor inspects anything.

Exam trap

The trap here is that candidates often confuse routing configuration (static or default routes) with security policy, assuming that if traffic can be routed, it will be allowed, but Palo Alto firewalls require an explicit Security rule to permit traffic between virtual routers.

How to eliminate wrong answers

Option A is wrong because a virtual wire is a Layer 2 transparent interface that bypasses routing and cannot be used to connect virtual routers, which operate at Layer 3. Option B is wrong because static routes only enable routing between virtual routers; they do not allow the firewall to inspect or permit the traffic, which requires a Security policy rule. Option C is wrong because default routes provide a path for traffic but do not override the implicit deny rule; the firewall still blocks inter-virtual-router traffic unless a Security rule explicitly allows it.

34
MCQmedium

A security engineer is creating a security policy that should allow access to Salesforce.com for the sales team. The engineer configures the policy to allow application 'ssl' with no restriction on URL category. How can the engineer ensure that only traffic to Salesforce.com is allowed and not all SSL traffic?

A.Use a destination address object for the known Salesforce IP addresses.
B.Change the application to 'web-browsing' and restrict by URL category.
C.Use App-ID to identify the 'salesforce' application and add a URL category for Salesforce domains.
D.Enable SSL decryption to inspect the traffic.
AnswerC

This combination provides precise identification of Salesforce traffic regardless of IP or encryption.

Why this answer

Option C is correct because App-ID identifies the 'salesforce' application regardless of the IP addresses in use, and a URL category for the Salesforce domains adds a second, domain-based control. Option A is wrong because Salesforce addresses change, so a static address object is brittle and less precise. Option B is wrong because Salesforce runs over HTTPS, so the traffic will not be identified as 'web-browsing' without decryption; restricting by URL category alone is possible (the firewall can categorize TLS sessions from the server name), but it lacks the application-level identification App-ID provides.

Option D is wrong because decryption alone restricts nothing; it only makes the content visible to the policy that still has to be written.

35
MCQmedium

Refer to the exhibit. A firewall has learned three routes for the 10.0.1.0/24 network. Which route will be used for forwarding traffic destined to 10.0.1.1?

A.The route via 10.0.0.3 on ethernet1/4
B.The route via 10.0.0.2 on ethernet1/3
C.The route via 10.0.0.4 on ethernet1/5
D.All three routes are used in ECMP
AnswerB

Correct: lowest administrative distance (10), and the lowest metric among routes at that distance.

Why this answer

The firewall installs the route with the lowest administrative distance (AD) for a given prefix, and uses the metric only to choose among routes from the same source. Here the route via 10.0.0.2 on ethernet1/3 has an AD of 10, which beats the routes with AD 20 and AD 110. For reference, the PAN-OS virtual router defaults are static 10, eBGP 20, OSPF internal 30, OSPF external 110, RIP 120 and iBGP 200; the values shown in the exhibit are what decide the answer.

Exam trap

The trap here is that candidates often assume ECMP applies whenever multiple routes exist, but they overlook that ECMP requires identical administrative distances and metrics, not just the same destination network.

How to eliminate wrong answers

Option A is wrong because the route via 10.0.0.3 on ethernet1/4 has an AD of 20, higher than 10, so it is not installed. Option C is wrong because the route via 10.0.0.4 on ethernet1/5 has an AD of 110, the highest of the three, making it the least preferred. Option D is wrong because ECMP only load-balances across routes with the same prefix length, AD, and metric (and it must be enabled on the virtual router); the ADs here differ, so only one route is used.
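Route selection in question 35 is a three-stage comparison: longest prefix first, then lowest administrative distance, then lowest metric, with ECMP only among routes that tie on all three. The Python below is an added example, not code from the page, that implements that selection over a constructed routing table; the next hops and interface names are taken from the question's answer options, the metrics are assumed, and the PAN-OS default administrative distances are included only as reference values.

```python
"""Toy PAN-OS style route selection (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# PAN-OS virtual router default administrative distances, for reference.
DEFAULT_AD = {"static": 10, "ebgp": 20, "ospf-int": 30,
              "ospf-ext": 110, "rip": 120, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    interface: str
    ad: int
    metric: int = 0


def best_routes(rib: List[Route], dst: str, ecmp: bool = False) -> List[Route]:
    """Return the route(s) used to forward to dst.

    1. Longest prefix match wins regardless of AD or metric.
    2. Among those, the lowest administrative distance wins.
    3. Among those, the lowest metric wins.
    4. Routes still tied are equal-cost; all are returned only if ECMP is
       enabled, otherwise the first one installed is used.
    """
    addr = ip_address(dst)
    candidates = [r for r in rib if addr in ip_network(r.prefix)]
    if not candidates:
        return []
    longest = max(ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ip_network(r.prefix).prefixlen == longest]
    best_key = min((r.ad, r.metric) for r in candidates)
    tied = [r for r in candidates if (r.ad, r.metric) == best_key]
    return tied if ecmp else tied[:1]


# Constructed table mirroring the three routes in question 35.
RIB = [
    Route("10.0.1.0/24", "10.0.0.2", "ethernet1/3", ad=10, metric=10),
    Route("10.0.1.0/24", "10.0.0.3", "ethernet1/4", ad=20, metric=10),
    Route("10.0.1.0/24", "10.0.0.4", "ethernet1/5", ad=110, metric=10),
]

if __name__ == "__main__":
    for r in best_routes(RIB, "10.0.1.1", ecmp=True):
        print(r.next_hop, r.interface)
```

Two things the model shows that the exhibit alone does not: a more specific prefix with a worse AD still wins (step 1 runs before step 2), and turning ECMP on changes nothing unless there are routes that tie on every criterion. The real virtual router also caps the number of ECMP paths and lets you choose the load-balancing algorithm, which this model leaves out.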

36
MCQeasy

A small company runs a Palo Alto Networks PA-220 firewall with three zones: trust (internal users), untrust (internet), and dmz (public-facing services). They host a web server on IP 10.0.1.10 in the dmz zone, serving HTTPS content. The administrator created a security policy rule that allows traffic from untrust to dmz with source 'any', destination 10.0.1.10, service HTTPS, and action allow. No security profiles are applied to this rule. Users outside the company can access the web server successfully. However, the administrator notices from log reports that certain application-based attacks, such as SQL injection and cross-site scripting, are reaching the web server undetected. The firewall has the required threat prevention licenses installed. What is the best course of action to improve security posture?

A.Add a decryption policy to decrypt HTTPS traffic for inspection.
B.Change the rule's security profile group to include threat prevention profiles.
C.Move the web server to the trust zone and adjust routing.
D.Enable vulnerability protection profile on the existing rule.
AnswerA

Decryption allows the firewall to see the plaintext content of HTTPS sessions, enabling security profiles to detect and block application-layer attacks.

Why this answer

The correct answer is A because the traffic is HTTPS, which is encrypted. Without decryption, the firewall cannot inspect the payload for application-based attacks like SQL injection or XSS, however many threat prevention licenses are installed. For traffic to a server the organization owns, the decryption policy uses SSL Inbound Inspection, which needs the web server's certificate and private key imported onto the firewall; once sessions are decrypted, the Vulnerability Protection profile on the rule (option D is still needed, but only after decryption) can detect and block these attacks.

Exam trap

The trap here is that candidates assume threat prevention profiles alone can inspect encrypted traffic, but without decryption, the firewall cannot see the application-layer payload, making profiles ineffective against HTTPS-based attacks.

How to eliminate wrong answers

Option B is wrong because security profiles cannot inspect encrypted traffic without decryption; applying a profile group without decryption would still leave attacks undetected. Option C is wrong because moving the web server to the trust zone would expose internal users to the public-facing service, violating security best practices and not addressing the inspection issue. Option D is wrong because enabling a vulnerability protection profile on the existing rule will not inspect encrypted HTTPS payloads; decryption is a prerequisite for any deep inspection of encrypted traffic.

37
MCQeasy

Two Palo Alto Networks firewalls are deployed in an active/passive high availability pair. The passive firewall does not synchronize configuration changes. What is the most likely cause?

A.Link monitoring is disabled.
B.The passive firewall is not configured as a peer.
C.The firewalls are different models.
D.Configuration synchronization is not enabled.
AnswerD

Configuration sync must be enabled in the HA settings to push config from active to passive.

Why this answer

Option D is correct. If HA is up and session synchronization works but configuration synchronization is disabled in the HA settings, the passive unit never receives configuration changes. Option C is wrong because HA requires both peers to be the same model and PAN-OS version, so mismatched models would prevent the pair from forming rather than only blocking config sync.

Option A is wrong because link monitoring affects failover decisions, not configuration sync. Option B is wrong because if the passive unit were not configured as a peer, the HA pair would not form at all.

38
MCQhard

Refer to the exhibit. An administrator observes that HTTP requests from the 10.0.0.0/24 network to the 172.16.1.0/24 network are being logged but the logs show that the action taken is 'deny'. What is the most likely cause?

A.The rule 'Allow-Web' is disabled
B.The application 'web-browsing' is not correctly identified
C.The rule 'Allow-Web' is configured with action 'deny'
D.A different rule with higher priority is matching the traffic and denying it
AnswerD

Rules are evaluated top to bottom and the first match wins; the traffic log records the rule that matched, so if a higher rule denies the traffic, the log shows that rule's deny even though Allow-Web would have permitted it.

Why this answer

Option D is correct. The Rule column in the traffic log names the rule that actually matched; if it is not 'Allow-Web', a rule above it is catching the traffic first, and that rule's deny action is what the log shows. Option C is wrong because the exhibit shows Allow-Web with action allow, so if it had matched, the session would have been allowed.

Option A is wrong because a disabled rule is skipped entirely; the deny in the log would then come from a different rule, which brings you back to option D as the cause. Option B is wrong because misidentification would show up as a different application in the log, and plain HTTP requests like those described are identified as web-browsing.

39
MCQmedium

An administrator needs to create a rule that allows internal users to access a public web server hosted in the DMZ. The firewall is in layer 3 mode. Which rule configuration is correct for this scenario?

A.Source zone: DMZ, Destination zone: trust, Application: web-browsing, Action: allow
B.Source zone: trust, Destination zone: DMZ, Service: any, Application: any, Action: allow
C.Source zone: trust, Destination zone: DMZ, Application: web-browsing, Action: allow
D.Source zone: trust, Destination zone: trust, Application: web-browsing, Action: allow
AnswerC

This correctly permits internal users to access the DMZ web server using web-browsing application.

Why this answer

Option C is correct because traffic from trust to DMZ with application 'web-browsing' permits the HTTP access (add 'ssl', or a decryption policy, if the server also serves HTTPS). Option A is wrong because the zones are reversed: the users are in trust and the server is in the DMZ. Option B is wrong because application 'any' with service 'any' permits far more than web access.

Option D is wrong because the destination zone should be 'DMZ', not 'trust'.

40
Multi-Selecteasy

A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?

Select 3 answers
A.Configure a DNS proxy to resolve domain names.
B.Assign an IP address to the internal interface and set it as a Layer 3 interface.
C.Enable User-ID to identify users on the network.
D.Create a Security policy rule that allows traffic from internal zone to external zone.
E.Configure a source NAT policy to translate internal private IP addresses to the external public IP.
AnswersB, D, E

All three are required: an addressable Layer 3 interface, a rule that permits the traffic, and source NAT to a routable address.

Why this answer

Option B is correct because the internal interface must be configured as a Layer 3 interface with an IP address to route traffic; without it the firewall cannot forward packets from the internal network. Option D is correct because the interzone-default rule denies any traffic not explicitly allowed, so a rule permitting internal to external traffic is required. Option E is correct because the internal hosts use private addresses that are not routable on the internet; a source NAT rule translating them to the external public IP is needed for return traffic to come back. Option A is wrong because DNS proxy is optional; hosts can use any reachable resolver. Option C is wrong because User-ID enables user-based policy but is not needed for basic connectivity.

Exam trap

The trap here is that candidates often confuse optional features like DNS proxy or User-ID as mandatory steps, when in fact the core requirements are interface configuration, security policy, and NAT for outbound access.

41
MCQhard

An administrator wants to protect the firewall management interface from unauthorized access. The management interface is on a separate management network. Which of the following is the best security practice to restrict access?

A.Configure 'Permitted IP Addresses' under Device > Setup > Management.
B.Create a security policy rule that blocks traffic to the management interface.
C.Apply an interface management profile to the management interface.
D.Enable 'Trusted Management Stations' under firewall settings.
AnswerA

This setting restricts management access to a predefined list of IP addresses.

Why this answer

Option A is correct. The Permitted IP Addresses list under Device > Setup > Management is the access control list for the dedicated MGT port and is the standard way to restrict who can reach it. Option C is wrong because Interface Management Profiles apply to dataplane interfaces (Layer 3, loopback, and so on), not to the MGT port.

Option B is wrong because security policy governs traffic through the firewall and does not apply to traffic addressed to the MGT port. Option D is wrong because 'Trusted Management Stations' is not a PAN-OS setting.

42
MCQmedium

A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?

A.A Zone Protection profile is dropping the traffic.
B.The Security policy rule has a DoS Protection profile applied that is dropping traffic.
C.A decryption policy is blocking the traffic.
D.The Security policy rule has a source zone mismatch.
AnswerB

DoS Protection profiles can drop traffic even if the rule permits it.

Why this answer

When a Security policy rule permits traffic but it is still blocked, the most likely cause is that a DoS Protection profile is applied to the rule. DoS Protection profiles can drop traffic based on session rate thresholds or other attack signatures, even when the base Security rule allows the session. This is a common misconfiguration because the profile operates as an additional enforcement layer above the permit action.

Exam trap

The trap here is that candidates often confuse Zone Protection profiles (applied to zones) with DoS Protection profiles (applied to Security rules), leading them to incorrectly select Zone Protection as the cause of a per-rule traffic block.

How to eliminate wrong answers

Option A is wrong because Zone Protection profiles are applied to zones, not to individual Security policy rules, and they typically protect against flood attacks at the zone level, not per-rule traffic drops. Option C is wrong because a decryption policy controls whether traffic is decrypted or not, not whether it is blocked; decryption policies do not drop traffic by themselves. Option D is wrong because a source zone mismatch would cause the Security rule to not match at all, resulting in a default deny, but the question states the rule permits the traffic, implying the rule is matched correctly.

43
MCQhard

Your organization has deployed a Palo Alto Networks PA-5250 firewall in a high-availability active/passive configuration. The firewall is connected to two ISPs for redundancy. The internal network uses OSPF with the firewall as an ASBR redistributing a default route. Recently, users reported intermittent connectivity to external resources. During troubleshooting, you notice that the active firewall's management interface has high CPU usage, and the show session all command displays many sessions in the 'active' state but with minimal data transfer. The passive firewall shows no such issues. The OSPF neighbor relationships are stable. What is the most likely cause of the intermittent connectivity?

A.OSPF is flapping and causing route instability.
B.Asymmetric routing is occurring due to a misconfiguration in the active/passive HA setup.
C.A DDoS attack is overwhelming the management plane.
D.The firewall's licenses have expired, causing feature degradation.
AnswerB

Asymmetric routing can cause sessions to be stuck and high management CPU as the firewall tries to process out-of-state packets.

Why this answer

In an active/passive HA configuration, only the active firewall processes traffic. If asymmetric routing occurs—where traffic from the internal network to the internet uses one ISP link on the active firewall, but return traffic arrives via the other ISP link—the active firewall may see the return traffic as a new session or a non-symmetric flow. This causes the firewall to create sessions that remain in 'active' state with minimal data transfer, as the firewall attempts to match return packets to existing sessions but fails due to path asymmetry.

The high CPU on the management interface results from the control plane processing these mismatched sessions, while the passive firewall is unaffected because it does not handle traffic.

Exam trap

The trap here is that candidates often attribute high CPU on the management interface to a DDoS attack or license issues, but the key clue is the 'active' sessions with minimal data transfer, which points to asymmetric routing in an HA environment rather than a control-plane attack or feature degradation.

How to eliminate wrong answers

Option A is wrong because OSPF neighbor relationships are stable, as stated in the scenario, and there is no evidence of route flapping; OSPF flapping would cause route instability and neighbor state changes, not high CPU on the management interface with many active sessions. Option C is wrong because a DDoS attack overwhelming the management plane would typically cause high CPU on the management interface but would also likely show a flood of sessions in various states (e.g., SYN_SENT or TIME_WAIT), not specifically 'active' sessions with minimal data transfer; additionally, the passive firewall would not be immune if the attack targeted the management IP. Option D is wrong because expired licenses cause feature degradation (e.g., no threat prevention or URL filtering), but they do not cause high CPU on the management interface or create many active sessions with minimal data transfer; the firewall would still forward traffic normally for basic connectivity.

44
Multi-Selecteasy

Which TWO of the following are required to configure a site-to-site VPN using IKEv2 on Palo Alto Networks firewalls? (Choose TWO.)

Select 2 answers
A.An IKE gateway configuration
B.A pre-shared key or certificate for authentication
C.A tunnel interface with a valid IP address
D.A loopback interface for the VPN gateway
E.A dedicated virtual router for the VPN
AnswersB, C

IKEv2 requires authentication, typically via pre-shared key or certificate.

Why this answer

Options B and C are the marked answers: an authentication credential (pre-shared key or certificate) and a tunnel interface to bind the IPsec tunnel to. Option A is also required in a real deployment, since the IKE gateway object holds the peer address, IKE version and authentication settings; treat the question as asking which listed items are genuinely required, with the credential and tunnel interface as the expected picks. Option E is wrong because no dedicated virtual router is needed; the tunnel interface can sit in the default virtual router.

Option D is wrong because a loopback interface is not required; the IKE gateway normally uses the address of a Layer 3 interface.

45
MCQ · hard

A company has a Palo Alto Networks firewall in a data center, connecting internal users (zone: Internal) to the internet (zone: Untrust). Recently, users report that they cannot access the corporate HR portal hosted on a server in the DMZ (zone: DMZ, IP 10.10.10.10) using HTTPS. The firewall has a security policy that allows traffic from Internal to DMZ with application web-browsing and service https-ssl. The policy is in place and committed. The administrator verifies that the web server is running and reachable from within the DMZ. From the firewall, a ping from the management interface to the server is successful. However, when a user tries to access https://10.10.10.10, the connection times out. Traffic logs show no sessions logged for that traffic. What is the most likely cause?

A. The policy is missing the source zone; the traffic is being blocked by an implicit deny rule before any policy match.
B. There is a routing issue preventing return traffic from reaching the firewall.
C. The policy has the wrong destination zone; the server is actually in the Internal zone.
D. The firewall is not configured to perform SSL decryption; thus HTTPS traffic is being blocked.
Answer: A

If the source zone is not correctly configured, the policy won't match, and the traffic will hit the implicit deny rule, resulting in no log entries.

Why this answer

Option A is correct. Since there are no sessions in the traffic log, the traffic is being dropped by the implicit deny rule, meaning no security policy matched. The most likely reason is that the policy's source zone is not set to Internal; if it were set to another zone (e.g., Untrust), the traffic from Internal would not match.

Option B would likely still produce logged sessions if the traffic matched another policy. Option C would show sessions but no return traffic. Option D is incorrect because SSL decryption is not required for HTTPS to be allowed through the firewall.

46
MCQ · hard

An organization is planning to deploy SSL decryption for outbound traffic. They want to inspect all traffic from internal users to the internet, but they need to exclude traffic to financial sites for compliance reasons. Which approach should be taken?

A. Disable SSL decryption for all traffic.
B. Configure a decryption exception on the firewall system settings.
C. Create a decryption policy with a custom URL category that includes financial sites and set the action to 'no-decrypt', then place it above the general decrypt rule.
D. Use an application filter to exclude financial apps from decryption.
Answer: C

This allows precise exclusion of financial sites while decrypting everything else.

Why this answer

Option C is correct because creating a decryption policy with a custom URL category for financial sites set to 'no-decrypt' allows exclusion while still decrypting other traffic. Option A is wrong because disabling decryption entirely defeats the purpose. Option D is wrong because an application filter might not cover all financial traffic and could miss some.

Option B is wrong because configuring a decryption exception in the firewall system settings is not how decryption exclusions are handled; they are done via policy.

47
MCQ · easy

A company uses destination NAT to translate a public IP to an internal server. They need to ensure that traffic sourced from the internal network to the public IP is also translated correctly. What is the best practice to achieve this?

A. Disable NAT on the internal zone's loopback interface.
B. Configure a policy-based forwarding rule to redirect internal traffic.
C. Add an additional destination NAT rule for internal traffic.
D. Implement a source NAT rule for internal traffic destined to the public IP, translating it to the internal server IP.
Answer: D

This is the standard NAT hairpin configuration that allows internal users to access the server via its public IP.

Why this answer

Option D is correct because implementing NAT policy rules in both directions (source NAT for internal traffic to the public IP and destination NAT for external traffic) ensures symmetric traffic flow. Option B is wrong because policy-based forwarding is unrelated. Option C is wrong because an additional destination NAT rule for internal traffic would create asymmetric routing.

Option A is wrong because disabling NAT on the loopback interface does not solve the issue.

48
MCQ · easy

Which of the following is a best practice when configuring an HA (High Availability) pair of Palo Alto Networks firewalls?

A. Set both firewalls' HA election delay to '0' for fast failover
B. Use a dedicated physical interface or VLAN for HA heartbeat communication
C. Enable preemptive mode to ensure the primary firewall always resumes control
D. Configure both firewalls in active/active mode to maximize throughput
Answer: B

A dedicated interface ensures HA heartbeat packets are not impacted by traffic loads or routing changes.

Why this answer

Option B is correct because using a dedicated heartbeat interface on a separate subnet ensures reliable communication and avoids routing issues. Option D is wrong because active/active is less common and more complex; active/passive is recommended for most deployments. Option C is wrong because preemptive mode can cause unnecessary failovers if not carefully configured.

Option A is wrong because leaving both firewalls at the 'auto' election settings is standard; the best practice is to use a dedicated link.

49
Drag & Drop · medium

Drag and drop the steps to configure a NAT policy on a Palo Alto Networks firewall into the correct order.


Why this order

NAT policy configuration requires specifying original and translated addresses, service, and committing.

50
Multi-Select · hard

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

Select 2 answers
A. Create a Security policy rule that allows traffic from any source to the web server on destination ports 80 and 443.
B. Configure an SSL Forward Proxy decryption policy to decrypt HTTPS traffic.
C. Create a Security policy rule that allows all traffic to the web server and relies on Application ID to filter.
D. Create a Security policy rule that blocks all traffic not matching the web-browsing and ssl applications.
E. Attach a Vulnerability Protection profile to the Security policy rule.
Answers: A, E

This permits HTTP and HTTPS traffic.

Why this answer

Option A is correct because a Security policy rule explicitly allowing traffic to destination ports 80 and 443 ensures only HTTP and HTTPS traffic reaches the web server, aligning with the requirement to restrict allowed traffic. This rule uses port-based matching to permit only the specified services, which is a foundational step in controlling access.

Exam trap

The trap here is that candidates may confuse decryption policies (Option B) with security policies, or think that blocking all non-matching traffic (Option D) is sufficient without an explicit allow rule, but the PCNSA emphasizes that explicit allow rules are required for permitted traffic.
