CCNA Securing Traffic Questions

53 questions · Securing Traffic · All types, answers revealed

1
Multi-Select · medium

Which THREE are valid methods to decrypt SSL/TLS traffic on a Palo Alto Networks firewall? (Choose three.)

Select 3 answers
A.IPsec Decryption
B.SSH Proxy
C.SSL Inbound Inspection
D.Decryption Mirror
E.SSL Forward Proxy
Answers: B, C, E

SSL Forward Proxy (outbound), SSL Inbound Inspection (inbound to your own servers) and SSH Proxy are the three decryption policy rule types.

Why this answer

SSH Proxy is one of the three decryption policy rule types in PAN-OS, alongside SSL Forward Proxy and SSL Inbound Inspection. It lets the firewall act as a man-in-the-middle for SSH sessions so it can identify and control SSH tunnelling (port forwarding) carried inside the session. It does not decrypt SSL/TLS; the question groups it with the SSL methods because all three are configured as decryption policy rules and together make up the firewall's decryption feature set.

Exam trap

The trap here is that candidates may confuse Decryption Mirror with a decryption method: it only forwards a copy of already-decrypted traffic out of a mirror interface for external analysis. "IPsec Decryption" is not a PAN-OS decryption type at all; IPsec tunnels are terminated by the firewall's VPN configuration and have nothing to do with SSL/TLS inspection.

2
MCQ · easy

When configuring a security policy rule to allow HTTP traffic from the internal zone to the external zone, which mandatory components must be defined?

A.Source Zone, Destination Zone, Application, and User
B.Source Zone, Destination Zone, Application, and Service
C.Source Zone, Destination Zone, Service, and Action
D.Source Zone, Destination Zone, Source Address, Destination Address, Application, and Action
Answer: D

These are the minimum required fields in a security policy rule.

Why this answer

Option D is correct because a security policy rule in Palo Alto Networks firewalls requires at minimum the source zone, destination zone, source address, destination address, application, and action to be defined. For HTTP traffic from internal to external zones, these components ensure the rule is specific enough to match the intended traffic while leveraging App-ID for application identification, not just port-based service definitions.

Exam trap

The trap here is that candidates often confuse Service with Application. A port-based service such as TCP/80 is not what identifies HTTP on a Palo Alto Networks firewall; App-ID identifies the application from the traffic itself, and the Service field (which defaults to application-default, restricting an application to its standard ports) refines that match rather than replacing it.

How to eliminate wrong answers

Option A is wrong because User is not a mandatory component; it is optional for user-based policy enforcement via User-ID, but not required for basic HTTP traffic. Option B is wrong because Service is not mandatory when Application is defined; App-ID identifies the application (e.g., HTTP) regardless of port, making Service redundant or optional. Option C is wrong because it omits Application and Source/Destination Address, which are mandatory; Service alone cannot replace Application for proper traffic identification, and Action is listed but the rule still lacks required address objects.

3
MCQ · hard

A security administrator notices traffic from an internal user to a known malicious IP address in the corporate network. The traffic is allowed despite a security rule that blocks traffic to that IP. The rule is in a rulebase with multiple rules, and the administrator verifies that the malicious IP is correctly listed in a custom object used by the rule. What is the most likely cause of this issue?

A.The security profile group applied to the rule is blocking the traffic before the rule is evaluated.
B.The custom object containing the malicious IP was not committed.
C.A rule with a broader match exists above the blocking rule in the rulebase.
D.The device clock is out of sync, causing time-based rules to fail.
Answer: C

Rules are evaluated from top to bottom; a rule above that matches the traffic will apply, bypassing the blocking rule.

Why this answer

In Palo Alto Networks firewalls, rules are evaluated from top to bottom in the rulebase. If a rule with a broader match (e.g., allowing all traffic from a specific zone or application) is placed above the specific blocking rule, traffic matching the broader rule is permitted and the block rule is never consulted. This is the most likely cause because the administrator confirmed the custom object is correct, ruling out an object misconfiguration. The quickest way to confirm which rule a flow hits is the Test Policy Match tool in the GUI or the test security-policy-match CLI command, supplying the session's zones, addresses, protocol, port and application.

Exam trap

The trap here is that candidates may assume a correctly configured object guarantees enforcement, overlooking the fundamental rulebase ordering principle where a higher-priority allow rule can override a lower-priority block rule.

How to eliminate wrong answers

Option A is wrong because security profile groups are applied after a rule is matched and do not block traffic before rule evaluation; they inspect traffic the rule has already allowed. Option B deserves a second look in practice, since an object edited but not committed exists only in the candidate configuration and has no effect on traffic; the question, however, presents the object as verified and in use, and even a committed block rule is bypassed by a broader allow rule above it, so C is the answer the question is looking for. Option D is wrong because an out-of-sync clock affects only rules with a schedule attached, and the question mentions no time-based condition.

4
MCQ · hard

A firewall is configured with multiple virtual systems (vsys). An administrator wants to allow traffic from vsys1 to vsys2 while keeping other inter-vsys traffic blocked. How should this be accomplished?

A.Configure intra-vsys security policy for each vsys and allow the traffic.
B.Enable inter-vsys traffic globally in the firewall settings.
C.Traffic between vsys is automatically allowed.
D.Create a security policy rule with source zone from vsys1 and destination zone from vsys2, action allow.
Answer: D

Inter-vsys traffic is controlled by security policies using zones from different vsys.

Why this answer

Option D is correct: traffic between virtual systems is controlled by ordinary security policy, with zones belonging to the two vsys as source and destination. In PAN-OS the mechanism behind this is a zone of type External in each vsys that represents the other virtual systems: the allow rule in vsys1 permits traffic from its internal zone to its External zone, and a matching rule in vsys2 permits traffic from its External zone to the destination zone, while other inter-vsys flows remain blocked by the interzone default. Option C is wrong because inter-vsys traffic is not automatic; it is denied until policy allows it. Option B is wrong because there is no global "enable inter-vsys traffic" setting. Option A is wrong because intra-vsys policy only governs traffic within the same vsys.

5
MCQ · easy

A company wants to block all social media except LinkedIn. Which combination of URL filtering actions should be implemented?

A.Block the social-networking category and allow a custom URL category containing LinkedIn URLs.
B.Alert the social-networking category and block a custom URL category for LinkedIn.
C.Block the social-networking category and block a custom URL category for LinkedIn.
D.Allow the social-networking category and block a custom URL category for LinkedIn.
Answer: A

Block the category, then allow the narrower custom category; the custom category's action takes precedence over the predefined one.

Why this answer

Option A is correct: block the predefined social-networking category and create a custom URL category containing LinkedIn's domains with its action set to allow. When a URL matches both a custom category and a predefined category, the firewall applies the custom category's action, so LinkedIn is allowed while the rest of the category stays blocked. Option D is wrong because allowing social-networking would permit all social media. Option C is wrong because it blocks LinkedIn as well. Option B is wrong because alert only logs the visit and blocks nothing.

6
Multi-Select · hard

Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)

Select 2 answers
A.Enable DNS Security on the outbound DNS traffic.
B.Configure DNS policies to block requests to unknown domains.
C.Allow all TCP traffic on port 53.
D.Enable logging on all DNS traffic for analysis.
E.Block all UDP traffic on port 53.
Answers: A, B

DNS Security detects tunnelling attempts by analysing the query stream; DNS policies stop requests to domains the firewall cannot vouch for.

Why this answer

Option A is correct because the DNS Security subscription (not to be confused with DNSSEC, which authenticates DNS responses and does nothing against tunnelling) analyses outbound queries for tunnelling indicators such as unusually long or high-entropy labels, a high rate of unique subdomains under one zone and abuse of record types like TXT, and blocks or sinkholes the matches. It uses threat intelligence and machine-learning models rather than relying solely on static domain block lists. Option B is correct because a DNS policy that blocks or sinkholes requests to unknown or newly registered domains removes what a tunnel depends on: the client must be able to resolve names under a domain the attacker operates.

Exam trap

The trap here is that candidates often confuse passive monitoring (logging) with active prevention, or mistakenly think blocking all UDP on port 53 is a viable solution, not realizing it breaks legitimate DNS traffic.

7
MCQ · medium

A company's security policy uses application-based rules. However, some traffic from a new cloud application is being blocked even though the application is allowed in the rule. What should the administrator check first?

A.Verify the source and destination zones are correct.
B.Ensure the application is identified by App-ID and that the correct application name is used.
C.Confirm that the action is set to allow.
D.Check the order of security rules.
Answer: B

Unknown or uncategorized applications may not match the rule.

Why this answer

Option B is correct because the new cloud application may not yet be identified by App-ID, or may be identified under a different name than the one in the rule (for example as a dependent application, or as ssl or unknown-tcp when the traffic is encrypted and not decrypted). Check the traffic log to see which application the firewall actually assigned to the blocked sessions, then correct the rule, decrypt the traffic or create a custom application signature. Option D is less likely: rule order matters, but the stated problem is that the rule that should match does not, which points to the match criteria. Option A is wrong because the zones are already configured and other applications on the rule work. Option C is wrong because the rule already allows the application; the block comes from the traffic failing to match it.

8
Multi-Select · medium

An organization wants to segment internal traffic between the Engineering and Finance departments and apply threat prevention. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Configure NAT policies to translate internal addresses.
B.Define separate security zones for Engineering and Finance.
C.Create a single security zone for all internal traffic.
D.Enable QoS policies between the zones.
E.Apply Threat Prevention profiles to the inter-zone security rules.
Answers: B, E

Separate zones allow fine-grained security policies between departments.

Why this answer

Option B is correct because security zones are the fundamental building blocks for segmenting traffic in Palo Alto Networks firewalls. By placing Engineering and Finance interfaces into separate zones, you create a trust boundary that allows you to enforce inter-zone security rules. Option E is correct because applying Threat Prevention profiles (e.g., antivirus, anti-spyware, vulnerability protection) to the inter-zone rule enables the firewall to inspect and block malicious traffic between the segmented departments.

Exam trap

The trap here is that candidates often confuse NAT or QoS with security controls, thinking address translation or bandwidth management can segment traffic, when in fact only zones and security rules enforce access control and threat inspection.

9
MCQ · hard

An administrator notices that SSH tunnels are being blocked by the firewall. According to the exhibit, what is the most likely cause?

A.The policy "Allow_SSH" has tunnel detection set to none, so it does not match.
B.The application tunnel policy "Block_Tor" is blocking all tunnels.
C.The time-to-live setting prevents SSH tunnel detection.
D.The default action for application tunnels is deny.
Answer: A

Without tunnel detection, the firewall cannot identify SSH tunnels, so the Allow_SSH policy never matches them and the tunnels fall through to a later rule or the default deny.

Why this answer

Option A is correct because tunnel detection set to "none" on the Allow_SSH policy means the firewall does not recognise SSH tunnels, so that policy never matches them and they are handled by whatever rule comes next. Option B is wrong because Block_Tor only blocks Tor. Option D is wrong because the outcome is not necessarily a default deny for tunnels; it depends on what the remaining rules match. Option C is wrong because time-to-live has nothing to do with tunnel detection.

10
Multi-Select · medium

Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?

Select 2 answers
A.Set the rule action to 'reset-both'.
B.Set the rule action to 'allow'.
C.Set the rule action to 'deny'.
D.Enable 'Log at Session Start' in the rule.
E.Enable 'Log at Session End' in the rule.
Answers: B, E

Allow permits the traffic; Log at Session End records the completed session.

Why this answer

Option B is correct because setting the rule action to 'allow' permits the traffic from the corporate network to the internet, which is the primary requirement. To also log the traffic, you must enable logging; 'Log at Session End' (Option E) is the standard method to capture session details after the connection completes. Together, these two settings achieve both allowing and logging the traffic.

Exam trap

The trap here is that candidates confuse Log at Session Start with Log at Session End. Log at Session End is enabled by default on new rules and carries the final application, byte counts and session-end reason, which is what analysis needs; Log at Session Start is optional, adds log volume, and is mainly useful when troubleshooting long-lived sessions that have not ended yet. Enabling both is valid, but only one of them is needed to satisfy "log the traffic".

11
MCQ · medium

A user at source IP 10.1.1.1 initiates an HTTPS connection to a web server on the internet. Which rule will the traffic match?

A.Rule 1: allow-http-from-trust-to-untrust (allow)
B.Rule 3: allow-dns-from-trust-to-untrust (allow)
C.Rule 2: deny-all-from-trust-to-untrust (deny)
D.No rule matches; implicit deny will block the traffic.
Answer: C

HTTPS is identified as the ssl application, not the HTTP application rule 1 permits; rule 2 matches any application and denies.

Why this answer

Option C is correct. Rule 1 permits only the HTTP application (App-ID web-browsing); HTTPS is identified as ssl, so rule 1 does not match even though the zones and source fit. Evaluation continues to rule 2, which matches any application from 10.0.0.0/8 to untrust and denies the traffic. Rule 3 is never reached, and in any case matches only dns.

Note that rule 3 is shadowed by rule 2: every DNS session from that source is denied before rule 3 is evaluated, which is a rulebase ordering bug in its own right.
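The top-down, first-match behaviour behind questions 3 and 11 (and again in questions 25 and 26), as an added example that is not part of the original page. It is a toy model of a PAN-OS rulebase, not vendor code: the zone names, the 10.0.0.0/8 source and the App-ID names come from the questions, the destination addresses and the "allow-trust-outbound" rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Toy model of a PAN-OS security rulebase, written for this page (it is not
# vendor code). Rules are evaluated top to bottom and the first rule whose
# every field matches decides the session; zone, network and App-ID names
# below are taken from questions 3 and 11, the rest is constructed.

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    source: str = "any"             # CIDR or "any"
    destination: str = "any"        # CIDR or "any"
    applications: tuple = ("any",)  # App-ID names such as "web-browsing", "ssl", "dns"

@dataclass
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    app: str                        # what App-ID identified, not the port

def _ip_matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule, s):
    return (rule.from_zone in ("any", s.from_zone)
            and rule.to_zone in ("any", s.to_zone)
            and _ip_matches(rule.source, s.src_ip)
            and _ip_matches(rule.destination, s.dst_ip)
            and ("any" in rule.applications or s.app in rule.applications))

def evaluate(rulebase, s):
    """First match wins; with nothing matching, the implicit interzone default
    denies (every session modelled here crosses zones)."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"

# Question 11's rulebase: rule 1 allows only the HTTP application, rule 2 denies
# any application from 10.0.0.0/8, rule 3 allows DNS.
Q11_RULEBASE = [
    Rule("allow-http-from-trust-to-untrust", "allow", "trust", "untrust", "10.0.0.0/8", "any", ("web-browsing",)),
    Rule("deny-all-from-trust-to-untrust", "deny", "trust", "untrust", "10.0.0.0/8", "any", ("any",)),
    Rule("allow-dns-from-trust-to-untrust", "allow", "trust", "untrust", "10.0.0.0/8", "any", ("dns",)),
]

def https_from_10_1_1_1():
    # HTTPS is App-ID "ssl", not "web-browsing": rule 1 fails, rule 2 denies.
    return evaluate(Q11_RULEBASE, Session("trust", "untrust", "10.1.1.1", "203.0.113.10", "ssl"))

def dns_from_10_1_1_1():
    # Rule 3 is shadowed: rule 2 already matches any application, so DNS is denied too.
    return evaluate(Q11_RULEBASE, Session("trust", "untrust", "10.1.1.1", "203.0.113.53", "dns"))

# Question 3's situation: a block rule for a malicious address object sits below a
# broad outbound allow. Addresses are constructed (RFC 5737 documentation ranges).
MALICIOUS_IP = "198.51.100.7/32"
Q3_RULEBASE = [
    Rule("allow-trust-outbound", "allow", "trust", "untrust", "10.0.0.0/8"),
    Rule("block-malicious-ip", "deny", "trust", "untrust", "any", MALICIOUS_IP),
]

def malicious_ip_with_broad_allow_above():
    return evaluate(Q3_RULEBASE, Session("trust", "untrust", "10.1.1.1", "198.51.100.7", "ssl"))

def malicious_ip_with_block_moved_up():
    reordered = [Q3_RULEBASE[1], Q3_RULEBASE[0]]   # the fix: specific block above the broad allow
    return evaluate(reordered, Session("trust", "untrust", "10.1.1.1", "198.51.100.7", "ssl"))

def _covers(wide, narrow):
    """True if every session matching `narrow` would already match `wide`."""
    def zone(a, b):
        return a == "any" or a == b
    def net(a, b):
        if a == "any":
            return True
        if b == "any":
            return False
        return ipaddress.ip_network(a, strict=False).supernet_of(ipaddress.ip_network(b, strict=False))
    def apps(a, b):
        return "any" in a or ("any" not in b and set(b) <= set(a))
    return (zone(wide.from_zone, narrow.from_zone) and zone(wide.to_zone, narrow.to_zone)
            and net(wide.source, narrow.source) and net(wide.destination, narrow.destination)
            and apps(wide.applications, narrow.applications))

def shadowed_rules(rulebase):
    """Rules that can never match because an earlier rule fully covers them. Partial
    shadowing (question 3's block rule, whose 'any' source is wider than the allow
    rule's) is not reported, which is why a policy-match test is still needed."""
    return [r.name for i, r in enumerate(rulebase) if any(_covers(e, r) for e in rulebase[:i])]
```

Running https_from_10_1_1_1() returns the deny-all rule, the DNS session from the same host is denied by the same rule, and shadowed_rules(Q11_RULEBASE) reports the DNS rule as unreachable. For question 3, the malicious destination is allowed until the block rule is moved above the broad allow.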

12
Drag & Drop · medium

Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.



Why this order

On PAN-OS the order is: log in to the CLI, start the capture with a filter (the tcpdump filter command takes a BPF expression and, on PAN-OS, captures only the management interface), stop the capture with Ctrl-C, verify the file with view-pcap, then export it with scp export or tftp export. Capturing dataplane traffic is a different procedure, done with the debug dataplane packet-diag filter and capture commands (or Monitor > Packet Capture in the GUI), not with tcpdump.

13
Multi-Select · easy

An administrator wants to enforce that only certain approved applications can be used on the network. Which TWO features should be configured?

Select 2 answers
A.WildFire
B.User-ID
C.Application-ID
D.URL Filtering
E.Content-ID
Answers: C, E

App-ID identifies applications regardless of port, so rules can allow only the approved ones.

Why this answer

Options C and E are correct. App-ID identifies applications from the traffic itself, so the rule can allow the approved applications explicitly and let everything else fall to the deny; Content-ID then inspects the allowed sessions for threats, file transfers and data patterns. User-ID controls access by user and group, URL Filtering controls web categories, and WildFire analyses unknown files.

14
Multi-Select · medium

When creating a security policy to block malware, which THREE profile types should be applied for comprehensive protection?

Select 3 answers
A.Antivirus
B.URL Filtering
C.Vulnerability Protection
D.File Blocking
E.Anti-Spyware
Answers: A, C, E

Scans for known viruses and malware.

Why this answer

Options A, C, and E are correct. Antivirus blocks known malware in files and downloads, Anti-Spyware blocks spyware, command-and-control traffic and (through its DNS policies) malicious domains, and Vulnerability Protection blocks exploit attempts against client and server software. URL Filtering acts on web categories and File Blocking on file types; both help, but they are not the three profiles that directly target malware.

15
MCQ · hard

During a security audit, it is discovered that some applications are being incorrectly identified by the Palo Alto Networks firewall. What should the administrator do to improve application identification accuracy?

A.Enable SSL Decryption to inspect encrypted traffic.
B.Change the security policy to use port-based rules instead of application-based.
C.Create custom application signatures for the misidentified applications.
D.Verify that App-ID updates are current and enable application identification enhancements such as use of application override if needed.
Answer: D

Updating App-ID and using enhancements like application override can correct misidentification.

Why this answer

Option D is correct because the first step is to make sure the App-ID content is current (misidentification is frequently a signature gap that a content update has already closed) and then to use the identification enhancements the platform offers, including application override where a specific flow must be pinned to a given application. Treat application override as a last resort: traffic matched by an override rule is assigned the application without App-ID inspection and is not scanned by Content-ID, so it becomes a blind spot. Option A can help when the traffic is encrypted, but decryption alone does not correct a misidentification. Option C is a valid later step, not the first one. Option B is regressive: reverting to port-based rules gives up application visibility altogether.

16
MCQ · hard

Based on the log entry, what is the most likely reason for the TCP reset from the client?

A.The connection timed out.
B.The security policy blocked the traffic.
C.The web server sent a reset to the client.
D.The client detected a certificate error and closed the connection.
Answer: D

Client resets can occur due to SSL/TLS handshake failures.

Why this answer

Option D is correct because a client sends a TCP reset when it aborts the connection itself, and for HTTPS the classic cause is a failed TLS handshake: the client rejects the server's certificate, or the certificate the firewall generated for a decrypted session, and tears the connection down. The log records the application as ssl and the session end reason as tcp-rst-from-client. Option A is wrong because a timeout would appear as tcp-timeout. Option C is wrong because a reset by the server is logged as tcp-rst-from-server. Option B is wrong because policy-blocked traffic shows a deny or drop action, not an allowed ssl session ended by the client.

17
Multi-Select · easy

Which TWO security profile types are used to block known malware? (Choose two.)

Select 2 answers
A.File Blocking
B.URL Filtering
C.Anti-Spyware
D.Antivirus
E.Vulnerability Protection
Answers: A, D

File blocking can block malicious file types.

Why this answer

Options A and D are correct. Antivirus blocks malware by signature as files are transferred, and File Blocking stops specific file types, which keeps malicious files (for example executables from untrusted sites) from being downloaded at all.

Anti-Spyware addresses spyware and command-and-control traffic, Vulnerability Protection blocks exploits rather than malware files, and URL Filtering controls URL categories.

18
Multi-Select · medium

Which TWO of the following are valid methods to bypass URL filtering for internal users while still enforcing it on external traffic?

Select 2 answers
A.Enable URL Filtering profile override on the user-id agent configuration.
B.Create a security rule with a URL category set to 'internal-ip'.
C.Set the URL Filtering profile action to 'alert' instead of 'block'.
D.Add the user's IP address to an exemption list in the URL filtering profile.
E.Use a custom URL category list that includes the allowed internal websites.
Answers: B, E

The 'internal-ip' category is predefined to match traffic to internal IP addresses and bypasses URL filtering.

Why this answer

Options B and E are correct. The predefined "internal-ip" category the question refers to (the PAN-DB category is named private-ip-addresses) matches destinations on internal addresses, so a security rule that uses it can leave internal web traffic unfiltered, and a custom URL category listing the allowed internal sites lets a rule or profile exempt exactly those. Option A is incorrect because the User-ID agent configuration has no URL filtering override. Option C is incorrect because setting the action to "alert" does not bypass filtering; it only logs. Option D is incorrect because URL Filtering profiles have no IP exemption list; exemptions are made by category or by security rule.

19
MCQ · hard

A financial services company uses a Palo Alto Networks PA-5220 firewall in an active/passive HA pair at their headquarters. They have a single zone 'Trust-LAN' for internal users and a single zone 'Untrust-WAN' for internet traffic. The security policy currently includes a rule that allows all outbound HTTP/HTTPS traffic from 'Trust-LAN' to 'Untrust-WAN' with no security profiles applied. Recently, users have been complaining about slow internet performance, and the IT team suspects malware or botnet activity. The firewall's logs show numerous sessions to known malicious IPs, but the firewall is not blocking them. The network architect decides to implement URL Filtering and Threat Prevention profiles on the outbound rule. However, after committing the changes, some users report that legitimate websites (e.g., online banking, cloud apps) are being blocked. The IT team verifies that the URL Filtering profile is set to 'alert' for all categories except 'malware' which is 'block', and the Threat Prevention profile is set to 'default' action. What is the most likely cause of the legitimate website blocking?

A.The URL Filtering profile's 'uncategorized' category is set to 'block', blocking sites not in the URL database.
B.The security rule order is incorrect; a deny rule above the allow rule is blocking legitimate traffic.
C.The URL Filtering profile is applied at the zone level, not per rule, causing all traffic to be filtered.
D.The firewall has insufficient memory to process URL lookups and is dropping packets.
Answer: A

This is a common cause: legitimate sites that PAN-DB has not yet categorised fall into the unknown (uncategorized) category, and if that category's action is block they are blocked no matter how permissive the other categories are.

Why this answer

Option A is correct because the URL Filtering profile is set to "alert" for all categories except "malware", which is "block". If the unknown (uncategorized) category is also set to "block", any website not yet categorised in PAN-DB (new or less common legitimate sites such as a regional online banking portal or a niche cloud application) is blocked. This explains why legitimate sites are blocked while the profile looks permissive for every known category.

Exam trap

The trap here is that candidates assume only the explicitly mentioned categories (e.g., "malware") matter, overlooking the unknown category, which best-practice profiles often set to block and which catches legitimate sites PAN-DB has not yet categorised. The practical fix is to set unknown to alert temporarily, review the URLs that land in it, and submit miscategorised sites for recategorisation, rather than leaving unknown permanently open.

How to eliminate wrong answers

Option B is wrong because the question states the security policy includes a single rule allowing outbound HTTP/HTTPS traffic, and there is no mention of a deny rule above it; incorrect rule order would cause all traffic to be blocked, not just specific legitimate sites. Option C is wrong because URL Filtering profiles are applied per security rule, not at the zone level; zone-level application is not a feature of Palo Alto Networks firewalls. Option D is wrong because insufficient memory would cause packet drops or performance degradation across all traffic, not selective blocking of legitimate websites, and the firewall's logs show sessions to malicious IPs are not being blocked, indicating memory is not the issue.
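The two URL filtering behaviours behind questions 5 and 19, as an added example that is not part of the original page. It is a toy model of PAN-OS URL Filtering evaluation, not vendor code: the category lookup table, the custom category name allowed-linkedin, the site bank-portal.example and the profile settings are constructed for illustration.

```python
from urllib.parse import urlsplit

# Toy model of PAN-OS URL Filtering evaluation, written for this page (not vendor
# code). It shows two points from questions 5 and 19: a matching custom URL
# category's action takes precedence over the predefined category's action, and a
# site PAN-DB has not categorised lands in the unknown category, whose action then
# decides. The category database, sites and profiles below are constructed.

PREDEFINED_DB = {                       # constructed stand-in for the PAN-DB lookup
    "www.facebook.com": "social-networking",
    "www.linkedin.com": "social-networking",
    "twitter.com": "social-networking",
    "evil.example": "malware",
    "www.example.com": "computer-and-internet-info",
}

ACTION_SEVERITY = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}

def predefined_category(host):
    return PREDEFINED_DB.get(host, "unknown")

def custom_category_hits(host, custom_categories):
    """custom_categories: {name: [patterns]}. Simplified PAN-OS pattern rules:
    'example.com/' matches that host, '*.example.com/' matches its subdomains."""
    hits = []
    for name, patterns in custom_categories.items():
        for pattern in patterns:
            pattern = pattern.rstrip("/")
            if pattern.startswith("*."):
                if host.endswith(pattern[1:]):
                    hits.append(name)
                    break
            elif host == pattern:
                hits.append(name)
                break
    return hits

def evaluate_url(url, profile, custom_categories):
    """profile: {"categories": {category: action}, "unknown": action}.
    Returns (category that decided, action)."""
    host = (urlsplit(url).hostname or "").lower()
    customs = custom_category_hits(host, custom_categories)
    if customs:
        # Custom categories beat the predefined category; if several custom
        # categories match, the most severe configured action wins.
        decided = max(customs, key=lambda c: ACTION_SEVERITY[profile["categories"].get(c, "allow")])
        return decided, profile["categories"].get(decided, "allow")
    category = predefined_category(host)
    if category == "unknown":
        return "unknown", profile["unknown"]
    return category, profile["categories"].get(category, "alert")  # alert for categories not listed

# Question 5: block social-networking, allow a custom category holding LinkedIn.
Q5_CUSTOM = {"allowed-linkedin": ["linkedin.com/", "*.linkedin.com/"]}
Q5_PROFILE = {"categories": {"social-networking": "block", "allowed-linkedin": "allow"}, "unknown": "alert"}

def q5_decisions():
    urls = ("https://www.linkedin.com/feed/", "https://www.facebook.com/", "https://twitter.com/home")
    return {u: evaluate_url(u, Q5_PROFILE, Q5_CUSTOM)[1] for u in urls}

# Question 19: alert everywhere except malware=block; with unknown=block the
# not-yet-categorised banking portal is blocked, with unknown=alert it is logged.
Q19_PROFILE_UNKNOWN_BLOCK = {"categories": {"malware": "block"}, "unknown": "block"}
Q19_PROFILE_UNKNOWN_ALERT = {"categories": {"malware": "block"}, "unknown": "alert"}

def q19_decisions(profile):
    urls = ("https://bank-portal.example/login",   # constructed, uncategorised legitimate site
            "https://evil.example/payload", "https://www.example.com/")
    return {u: evaluate_url(u, profile, {})[1] for u in urls}
```

q5_decisions() allows only the LinkedIn URL; q19_decisions() blocks the uncategorised banking portal under the first profile and merely alerts on it under the second, while the malware site is blocked under both.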

20
MCQ · medium

An administrator needs to allow inbound SMTP traffic to a mail server located in the DMZ. The firewall has a public IP address on the external interface. Which configuration is necessary to ensure the mail server receives the traffic?

A.Configure a Source NAT rule to translate the mail server's IP to the public IP.
B.Configure a Destination NAT rule and a security policy rule allowing SMTP from external to DMZ.
C.Configure a security policy rule with source NAT to translate the public IP to the private IP.
D.Configure a security policy rule allowing SMTP from external to DMZ without NAT.
Answer: B

Destination NAT translates the public IP to the private IP, and the policy allows the traffic.

Why this answer

To allow inbound SMTP traffic from the internet to a mail server in the DMZ, the firewall must perform Destination NAT (DNAT) to translate the public IP address on the external interface to the private IP address of the mail server, and a security policy rule must permit SMTP (TCP port 25) from the external zone to the DMZ zone. Without DNAT the firewall has no translated destination to forward the traffic to; without the security rule the traffic is blocked. A detail that trips many people up: the security rule's destination zone is the post-NAT zone (DMZ), because the firewall resolves the NAT rule and routes on the translated address before evaluating security policy, whereas the rule's destination address is the pre-NAT public IP (or "any").

Exam trap

The trap here is that candidates often confuse Source NAT with Destination NAT, assuming any NAT rule will work, or they think a security policy alone is sufficient without understanding that NAT is required to route the traffic to the internal server.

How to eliminate wrong answers

Option A is wrong because Source NAT (SNAT) translates the source IP of outbound traffic, not the destination IP of inbound traffic; it would not help the mail server receive inbound SMTP. Option C is wrong because it incorrectly describes a security policy rule with source NAT, which is not a valid configuration for inbound traffic; source NAT is used for outbound traffic, and the translation described (public to private) is actually destination NAT. Option D is wrong because without a NAT rule, the firewall would not translate the destination IP from the public IP to the private IP of the mail server, so the traffic would not reach the server even if the security policy allows it.
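How the pre-NAT address and post-NAT zone combine in the security lookup for the inbound SMTP case above, as an added example that is not part of the original page. It is a toy model written for this page, not PAN-OS code: the route table, the zone names, the public address 203.0.113.25 and the mail server address 10.10.20.25 are constructed.

```python
import ipaddress

# Toy model (not vendor code) of how PAN-OS builds the security-policy lookup for
# a session subject to destination NAT: the destination ADDRESS a security rule is
# matched against is the pre-NAT (public) address, while the destination ZONE is
# the post-NAT zone, found by a route lookup on the translated address. The route
# table, zones, addresses and rules below are constructed for illustration.

ZONES_BY_ROUTE = {        # destination prefix -> zone of the egress interface
    "203.0.113.0/24": "untrust",
    "10.10.20.0/24": "dmz",
    "10.10.10.0/24": "trust",
    "0.0.0.0/0": "untrust",
}

NAT_RULES = [             # public 203.0.113.25 -> mail server 10.10.20.25, SMTP only
    {"name": "dnat-smtp", "from_zone": "untrust", "to_zone": "untrust",
     "original_dst": "203.0.113.25", "service": "tcp/25", "translated_dst": "10.10.20.25"},
]

def zone_for(ip):
    """Longest-prefix route lookup returning the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ZONES_BY_ROUTE if addr in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ZONES_BY_ROUTE[best]

def apply_dnat(session):
    """NAT rules match on pre-NAT zones (the destination zone is the zone the
    ORIGINAL destination address routes to) and yield the translated destination."""
    ingress, egress = session["from_zone"], zone_for(session["dst_ip"])
    service = f"{session['proto']}/{session['dport']}"
    for rule in NAT_RULES:
        if (rule["from_zone"] == ingress and rule["to_zone"] == egress
                and rule["original_dst"] == session["dst_ip"] and rule["service"] == service):
            return rule["translated_dst"]
    return session["dst_ip"]

def security_lookup_fields(session):
    """The fields a security rule is matched against for a DNAT'd inbound session."""
    translated = apply_dnat(session)
    return {
        "from_zone": session["from_zone"],
        "to_zone": zone_for(translated),     # post-NAT zone
        "dst_ip": session["dst_ip"],         # pre-NAT address
        "translated_dst": translated,
        "app": session["app"],
    }

def security_rule_matches(rule, fields):
    return (rule["from_zone"] == fields["from_zone"] and rule["to_zone"] == fields["to_zone"]
            and rule["dst_ip"] in ("any", fields["dst_ip"]) and rule["app"] in ("any", fields["app"]))

INBOUND_SMTP = {"from_zone": "untrust", "src_ip": "198.51.100.3", "dst_ip": "203.0.113.25",
                "proto": "tcp", "dport": 25, "app": "smtp"}

# Correct: pre-NAT destination address, post-NAT destination zone.
RULE_CORRECT = {"from_zone": "untrust", "to_zone": "dmz", "dst_ip": "203.0.113.25", "app": "smtp"}
# Two common mistakes: the private address in the rule, or the pre-NAT zone.
RULE_PRIVATE_ADDR = {"from_zone": "untrust", "to_zone": "dmz", "dst_ip": "10.10.20.25", "app": "smtp"}
RULE_PRE_NAT_ZONE = {"from_zone": "untrust", "to_zone": "untrust", "dst_ip": "203.0.113.25", "app": "smtp"}

def check_rules():
    fields = security_lookup_fields(INBOUND_SMTP)
    candidates = (("correct", RULE_CORRECT), ("private-addr", RULE_PRIVATE_ADDR),
                  ("pre-nat-zone", RULE_PRE_NAT_ZONE))
    return {name: security_rule_matches(rule, fields) for name, rule in candidates}
```

check_rules() shows that only the rule written with the public address and the DMZ zone matches; the two rules that seem reasonable at first glance never match and the traffic would fall to the interzone default deny.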

21
Multi-Select · hard

Which THREE components are required to successfully decrypt outbound SSL traffic using forward proxy? (Choose three.)

Select 3 answers
A.A root CA certificate installed in the trusted root store on client devices.
B.The private key of each destination server.
C.The server certificate for each destination server.
D.A decryption policy rule that matches the traffic to be decrypted.
E.A decryption profile that specifies the forward proxy certificate (CA certificate).
Answers: A, D, E

Clients must trust the CA that signs the decrypted sessions.

Why this answer

Options A, D, and E are correct. The firewall's forward-trust CA certificate must be installed in the clients' trusted root store, because the firewall re-signs each decrypted session with a certificate it issues on the fly; a decryption policy rule defines which traffic is decrypted; and the decryption settings determine the CA that signs those certificates (in PAN-OS the CA is designated as the Forward Trust Certificate under Device > Certificates, while the decryption profile attached to the rule governs server-certificate checks, protocol versions and cipher suites). Option B is wrong because forward proxy never needs the destination servers' private keys; that is SSL Inbound Inspection's requirement for servers you own. Option C is wrong because the server certificate is obtained during the handshake and is not something you configure.

22
Multi-Select · hard

An organization uses GlobalProtect for remote access. They want to ensure that only compliant devices can connect. Which TWO GlobalProtect features should be enabled?

Select 2 answers
A.Gateway configuration
B.Host Information Profile (HIP)
C.Client certificates
D.App-IP mapping
E.Pre-logon
Answers: B, C

HIP checks device posture and enforces compliance.

Why this answer

Options B and C are correct. Host Information Profile (HIP) collects the endpoint's posture (OS and patch level, antivirus, disk encryption, and so on) and lets HIP-based security policy block non-compliant devices, while client certificates ensure only devices provisioned with a corporate certificate can authenticate to the portal and gateway. Gateway configuration is needed in any deployment but does not itself enforce compliance, pre-logon is for connecting before the user logs in, and "App-IP mapping" is not a GlobalProtect feature.

23
MCQ · medium

A user reports being unable to access an external FTP server, but other users can access it. The firewall logs show the traffic being denied. What should the administrator check first?

A.User-ID mapping to ensure the user is correctly identified.
B.The application override configuration.
C.The security rule for the user's source zone.
D.The FTP server's health.
Answer: A

If the user is not correctly identified, policies based on user (like group-based allow/deny) may not apply correctly.

Why this answer

Option A is correct: if other users can reach the same server from the same zone, the problem is specific to this user, and the first thing to check is whether User-ID has mapped the user's IP address to the right username and groups, since a missing or stale mapping makes group-based allow rules fail to match and the traffic falls to a deny. Option C is less likely because the other users share the same source zone and rules. Option D is irrelevant because the server is reachable for everyone else. Option B is not indicated; an application override would change how FTP is identified for every user, not one.

24
MCQ · hard

An organization has implemented SSL forward proxy decryption. Users on Windows workstations report that many HTTPS sites show certificate errors. The firewall's decryption policy is configured correctly. What is the most likely cause?

A.The firewall's CA certificate is not installed in the trusted root certificate store on client workstations.
B.The decryption policy does not specify a certificate for forward proxy.
C.The CRL (Certificate Revocation List) is not enabled on the firewall.
D.The server certificate for each HTTPS site is missing from the client's certificate store.
Answer: A

Clients need to trust the CA that signs the decrypted certificates.

Why this answer

Option A is correct because the browser must trust the CA that signed the certificates the firewall generates for decrypted sites. If the firewall's forward-trust CA is not in the Windows trusted root store (normally pushed by Group Policy), every decrypted site shows a certificate error. Applications that pin their certificates will still fail even after the CA is trusted; those need a no-decrypt rule or the decryption exclusion list. Option D is wrong because clients never hold the destination servers' certificates; they receive them in the handshake. Option B is wrong because the forward proxy CA is designated on the certificate object (Forward Trust Certificate), not in the decryption policy, and the question says the policy is correct. Option C is wrong because CRL checking governs revocation, not whether the issuing CA is trusted.

25
MCQ · medium

A security administrator notices that traffic from the internal trust zone to the external untrust zone is being allowed despite a security policy rule explicitly denying that traffic. The rule is present in the policy list and the match conditions seem correct. What is the most likely cause of this issue?

A.The security policy is not enabled on the firewall.
B.The deny rule was removed from the configuration.
C.The traffic is matching the implicit deny rule at the end.
D.There is an allow rule above the deny rule that matches the traffic first.
Answer: D

Rule order evaluation stops on first match; allow rule above the deny will permit traffic.

Why this answer

Option D is correct because rule evaluation stops at the first match; if an allow rule above the deny rule matches the traffic, the deny rule is never consulted. Rule order is the single most important concept in PAN-OS policy. Option B is wrong because the question states the rule is present. Option A is wrong because security policy is always in effect; there is no switch to disable it. Option C is wrong because the implicit interzone deny applies only when no explicit rule matches, and here the traffic is being allowed.

26
MCQ · easy

Refer to the exhibit. A user at IP 10.10.10.10 tries to browse to http://192.0.2.50. Which rule matches this traffic?

A.Rule 3 (allow-dns)
B.Rule 2 (block-malware)
C.Rule 1 (allow-web)
D.No rule matches; traffic is denied by default.
Answer: C

The traffic matches all criteria in rule 1 and is allowed.

Why this answer

Rule 1 (allow-web) matches because it permits HTTP traffic from source 10.10.10.10 to destination 192.0.2.50 on port 80. The user is browsing to http://192.0.2.50, which uses TCP port 80, and the rule's source and destination IPs align with the traffic flow. In Palo Alto Networks firewalls, rules are evaluated in order, and the first match is applied.

Exam trap

Palo Alto Networks tests rule order here: because allow-web sits above block-malware, it is matched first. A candidate who reads the block rule and assumes it must apply has forgotten that position in the rulebase, not specificity or severity, decides which rule wins.

How to eliminate wrong answers

Option A is wrong because Rule 3 (allow-dns) is designed for DNS traffic (UDP/TCP port 53), not HTTP (TCP port 80), and the destination IP 192.0.2.50 is not a DNS server in this context. Option B is wrong because Rule 2 (block-malware) would block traffic based on threat signatures or malicious IPs, but the traffic is a legitimate HTTP request to 192.0.2.50, and no malware indicators are present. Option D is wrong because Rule 1 matches the traffic, so the default deny action is not triggered; the firewall applies the first matching rule.

27
MCQ · easy

An organization wants to hide internal IP addresses when accessing the Internet. Which type of NAT should be configured?

A.Source NAT (Outbound)
B.Dynamic IP and Port (DIPP)
C.Destination NAT
D.Static NAT
Answer: A

Source NAT changes the source IP to the firewall's interface IP.

Why this answer

Option A is correct because source NAT rewrites the source address of outbound sessions to the firewall's interface IP or a NAT pool, hiding the internal addresses. Option B is a real PAN-OS translation type, but it is a form of source NAT (Dynamic IP and Port is in fact the usual way outbound hiding NAT is implemented), so the general answer the question wants is A. Option C is wrong because destination NAT translates the destination of inbound traffic. Option D is wrong because static NAT is a one-to-one mapping that exposes, rather than hides, the internal host.

28
MCQ · medium

A company uses SSL Forward Proxy to decrypt all outbound HTTPS traffic. Users report significant performance degradation when accessing external web applications. Which action should the administrator take to improve performance while maintaining security?

A.Create a decryption exclusion rule for financial and banking websites.
B.Increase the session timeout values for decrypted traffic.
C.Enable hardware SSL decryption offloading on the firewall.
D.Change the decryption profile to require only high-strength ciphers.
Answer: A

Excluding high-value but sensitive categories reduces decryption load and complies with regulatory standards, thus improving performance.

Why this answer

Option A is correct because excluding sensitive categories such as financial-services and health-and-medicine from decryption reduces the decryption load and is usually what privacy and regulatory requirements demand anyway; PAN-OS supports this with no-decrypt rules matched on URL category and with the SSL Decryption Exclusion list for applications that break under decryption. Option C is incorrect because decryption offload is a property of the platform, not a setting an administrator switches on to fix a performance problem. Option B is incorrect because session timeouts do not reduce decryption work. Option D is incorrect because requiring stronger ciphers does not reduce load and may break compatibility.

29
MCQ · medium

A company configures GlobalProtect for remote access. Remote users can successfully connect to the firewall and obtain an IP address, but they cannot access internal resources (e.g., file servers) located in the internal network. The firewall has a security rule that allows traffic from the GlobalProtect zone to the internal zone with appropriate applications. Logs show that traffic from remote users is being matched to a different rule that denies inter-zone traffic from the GlobalProtect zone to the internal zone. The administrator checks the GlobalProtect gateway configuration and sees that the gateway assigns IP addresses from a pool, but no internal routes are defined. What is the most likely issue?

A.The internal resources require a specific security profile that is not applied to the rule.
B.The User-ID agent is not mapping remote usernames correctly.
C.The GlobalProtect gateway configuration is missing internal resource routes or split-tunneling settings.
D.The source zone in the security rule is set to 'Trust' instead of 'GlobalProtect'.
AnswerD

If the rule expects source zone 'Trust', traffic from GlobalProtect zone won't match, and a subsequent deny rule blocks it.

Why this answer

Option D is correct because if the security rule's source zone is 'Trust' instead of 'GlobalProtect', traffic arriving in the GlobalProtect zone will not match the intended rule and falls through to the deny rule seen in the logs. Option C is incorrect because missing access routes or split-tunnel settings would keep the client from sending internal traffic through the tunnel at all, whereas the logs show the traffic is reaching the firewall and being matched to a deny rule. Options A and B are less likely given the log evidence: neither a missing security profile nor a User-ID mapping failure changes which zone the traffic is evaluated in.

30
MCQeasy

An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?

A.DNS Security profile
B.Vulnerability Protection profile
C.URL Filtering profile
D.Anti-Spyware profile
AnswerA

DNS Security is designed to detect and block DNS tunneling.

Why this answer

DNS Security profile is specifically designed to detect and block DNS tunneling, which is a technique used to exfiltrate data by encoding it within DNS queries and responses. By inspecting DNS traffic for anomalies such as high query rates, unusual domain names, or non-standard record types, the DNS Security profile can identify and prevent data exfiltration attempts. Other security profiles do not have the specialized DNS-layer inspection capabilities required to counter this threat. (In PAN-OS the DNS Security service is enabled through the DNS Policies tab of an Anti-Spyware profile; the exam treats it as a distinct capability.)

Exam trap

The trap here is that candidates often confuse DNS Security with Anti-Spyware, assuming that spyware signatures will catch tunneling, but DNS tunneling is a protocol-level evasion technique that requires dedicated DNS inspection, not just signature-based malware detection.

How to eliminate wrong answers

Option B is wrong because Vulnerability Protection profile is designed to detect and block exploit attempts targeting known vulnerabilities in applications and operating systems, not to analyze DNS traffic for tunneling or exfiltration patterns. Option C is wrong because URL Filtering profile controls access to web categories and URLs based on policy, but it does not inspect the content or structure of DNS queries to identify tunneling behavior. Option D is wrong because Anti-Spyware profile focuses on blocking malware command-and-control (C2) traffic and spyware signatures, but it lacks the deep DNS protocol analysis needed to detect data exfiltration via DNS tunneling.
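The signals described above (high unique-subdomain counts, oversized or high-entropy labels, and payload-carrying record types) can be checked by hand against a DNS query log. The following is an added example, not part of the original question set or any Palo Alto Networks product code; the sample queries are constructed, the thresholds are assumptions, and the "last two labels" domain split is a simplification of what a real detector would do with the public suffix list.

```python
"""Heuristic DNS-tunneling detection over constructed query logs (added example)."""
import math
from collections import defaultdict


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded payloads (hex/base32/base64) score well above words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered domain). Crude 'last two labels' rule;
    a real detector would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_queries(queries, *, max_label_len=30, min_entropy=3.5, min_unique=6, txt_share=0.5):
    """Group by (client, registered domain) and flag groups that show at least
    two tunnel-like signals. Each query is (client_ip, qname, qtype).
    Thresholds are assumed values for this example."""
    groups = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0, "long": 0, "entropy": 0})
    for client, qname, qtype in queries:
        sub, domain = split_name(qname)
        g = groups[(client, domain)]
        g["n"] += 1
        g["subs"].add(sub)
        if qtype in ("TXT", "NULL"):          # record types that carry arbitrary payloads
            g["txt"] += 1
        longest = max(qname.split("."), key=len)
        if len(longest) > max_label_len:
            g["long"] += 1
        if shannon_entropy(longest) >= min_entropy:
            g["entropy"] += 1
    flagged = {}
    for key, g in groups.items():
        reasons = []
        if len(g["subs"]) >= min_unique:
            reasons.append("many-unique-subdomains")
        if g["long"]:
            reasons.append("oversized-label")
        if g["entropy"]:
            reasons.append("high-entropy-label")
        if g["txt"] / g["n"] >= txt_share:
            reasons.append("txt-heavy")
        if len(reasons) >= 2:           # one signal alone (a busy CDN, say) is not enough
            flagged[key] = reasons
    return flagged


# Constructed sample, not captured traffic. The payload string stands in for
# encoded exfiltration chunks; rotating it yields distinct subdomains per query.
_PAYLOAD = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
SAMPLE_QUERIES = (
    [("10.0.0.5", "www.example.com", "A"), ("10.0.0.5", "mail.example.com", "MX")]
    + [("10.0.0.5", f"img{i}.cdn-example.net", "A") for i in range(8)]      # busy but benign
    + [("10.0.0.9", f"{_PAYLOAD[i:] + _PAYLOAD[:i]}.tunnel-example.net", "TXT") for i in range(8)]
)

if __name__ == "__main__":
    for (client, domain), reasons in analyze_queries(SAMPLE_QUERIES).items():
        print(client, domain, reasons)
```

The benign CDN group trips only the unique-subdomain signal and is left alone; the tunnel group trips all four. Requiring two independent signals is what keeps a detector like this from paging on every content-delivery hostname.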

31
MCQeasy

A company recently deployed a Palo Alto Networks PA-220 firewall to secure outbound web access. The security policies include a rule named 'Allow-Web' with the following configuration: source zone 'Inside', destination zone 'Outside', application 'web-browsing', service 'application-default', action 'allow'. All other traffic is denied by a default deny rule. Users report that they can access most public websites, but they cannot access a partner's website hosted at 203.0.113.50 on TCP port 8080. Connections to this site time out. DNS resolution for the hostname works correctly. The firewall logs show that traffic from internal users to 203.0.113.50:8080 is not matching any rule and is being denied by the default deny rule. Which action should the administrator take to resolve the issue while adhering to security best practices?

A.Add a new rule before 'Allow-Web' that permits traffic to 203.0.113.50 on any port and any application.
B.Change the service in the 'Allow-Web' rule to 'any' to allow web-browsing on any port.
C.Create a custom application that matches TCP port 8080 for the partner's website and add it to the 'Allow-Web' rule alongside 'web-browsing'.
D.Modify the rule to use application 'any' to allow all applications.
AnswerC

This allows App-ID to recognize the traffic on the non-standard port while maintaining granular control.

Why this answer

Option C is correct because the 'Allow-Web' rule uses service 'application-default', which permits web-browsing only on its standard port (tcp/80). App-ID still identifies the HTTP traffic on tcp/8080, but the rule's service column rejects that port, so the session falls to the default deny. Creating a custom application for the partner's site on tcp/8080 and adding it to 'Allow-Web' lets the firewall identify and permit exactly that traffic while the rest of the rule stays on application-default, which follows the principle of least privilege.

Exam trap

The trap here is that candidates assume 'web-browsing' with service 'application-default' will match HTTP on any port. App-ID identifies the application regardless of port, but application-default restricts the rule to the application's standard ports, so a non-standard port needs an explicit service or a custom application; simply changing the service or application to 'any' undermines the security model.

How to eliminate wrong answers

Option A is wrong because permitting traffic to 203.0.113.50 on any port and any application bypasses all application and port restrictions, violating the principle of least privilege and potentially allowing malicious traffic. Option B is wrong because changing the service to 'any' would let web-browsing through on tcp/8080, but it would also permit HTTP on every other port to every destination, far broader than the single partner site requires. Option D is wrong because modifying the rule to use application 'any' would allow all applications through the rule, completely defeating the purpose of application-based security and exposing the network to unnecessary risks.

32
MCQeasy

Based on the exhibit, what is the role of the rule "Allow_Outbound"?

A.It is a security rule that allows the session.
B.It is a QoS rule that prioritizes the traffic.
C.It is a NAT rule that translates the source IP.
D.It is a decryption rule that decrypts the traffic.
AnswerA

The session matched rule Allow_Outbound, which is a security rule that permitted the session.

Why this answer

Option A is correct. The session output shows that the session matched rule Allow_Outbound, which allowed the session. The rule is a security rule, not a decryption rule (that would appear as the decryption policy), not a NAT rule, and not a QoS rule.

33
MCQhard

A large enterprise with thousands of security rules wants to reduce rule count without compromising security visibility. The current rules use many specific applications and services. Which strategy should be implemented to consolidate rules effectively?

A.Use only default ports for services to avoid creating service objects.
B.Convert all application-based rules to use service objects instead.
C.Consolidate rules using Security Profile Groups (SPGs) and broader application groups.
D.Place the most specific rules at the top of the rulebase.
AnswerC

Application groups and filters let one rule cover many related applications, and Security Profile Groups let those rules share one set of profiles, reducing rule count and duplication while keeping App-ID visibility.

Why this answer

Option C is correct because grouping applications lets several narrowly scoped rules collapse into one, and Security Profile Groups let those rules reference a single set of profiles instead of repeating them. Option A is incorrect because restricting services to default ports does not consolidate anything; service objects are not the source of rule sprawl. Option D is incorrect because placing specific rules at the top affects match order, not rule count.

Option B is incorrect because converting to service objects removes application visibility.

34
MCQeasy

An administrator wants to block traffic from a specific user using User-ID. What is required to identify users in security policies?

A.Deploy SSL decryption to see user credentials.
B.Configure User-ID by integrating with Active Directory or using captive portal.
C.Enable URL Filtering to track user visits.
D.Activate App-ID to detect user login events.
AnswerB

User-ID maps IP addresses to usernames.

Why this answer

Option B is correct because User-ID needs an IP-address-to-username mapping, obtained from Active Directory (via the User-ID agent or agentless monitoring), Captive Portal, or another mapping source. Option C is wrong because URL Filtering is a separate control. Option A is wrong because decryption is not needed for user identification.

Option D is wrong because application identification is different.

35
MCQmedium

A company uses Palo Alto Networks firewall and wants to configure NAT to allow internal users to access the internet using a public IP address pool. Which NAT type should be used?

A.Dynamic IP and Port (DIPP) with source NAT.
B.Bidirectional NAT.
C.Static NAT with source NAT.
D.Destination NAT with port forwarding.
AnswerA

DIPP translates internal IPs to public IPs with port multiplexing, suitable for outbound internet access.

Why this answer

Option A is correct because Dynamic IP and Port (DIPP) allows many internal IPs to share a pool of public IPs using port address translation. Option C (static NAT) is a 1-to-1 mapping. Option D (destination NAT) is for inbound traffic.

Option B (bidirectional NAT) is a static two-way mapping, not a many-to-few outbound translation.

36
MCQeasy

An administrator needs to block all traffic from a specific IP address on the external interface. What is the simplest method?

A.Create a security rule with source zone, source IP, any destination, and action deny, placed at the top of the rulebase.
B.Use a Zone Protection profile to block the IP.
C.Create a security rule with source IP address and action deny.
D.Use a DoS protection policy to block the IP.
AnswerA

This is straightforward and effective; the rule denies traffic from that IP immediately.

Why this answer

Option A is correct because a security rule with source zone, source IP, any destination and action deny, placed at the top of the rulebase, is the direct and simplest method. Option C lacks the source zone and says nothing about position, so an earlier allow rule could still match first. Options B and D (Zone Protection and DoS Protection) are intended for flood and reconnaissance defenses, not for blocking a single address.

37
MCQhard

Refer to the exhibit. A user from 10.0.0.10 attempts to access an HTTP website hosted on 203.0.113.5 using TCP port 8080. The connection fails. The firewall logs show no session for this traffic. Which action should the administrator take to resolve the issue?

A.Add a new rule before rule1 with application 'web-browsing' and service 'tcp-8080'.
B.Remove the service restriction from rule1.
C.Create a custom application that matches TCP port 8080 and add it to rule1.
D.Change the application in rule1 to 'any' to match all applications.
AnswerC

A custom application allows App-ID to correctly identify HTTP traffic on non-standard ports, and adding it to the rule allows the traffic.

Why this answer

The firewall rule allows web-browsing with a service that covers only its standard port (tcp/80), but the client is using TCP port 8080. App-ID still identifies the HTTP traffic, but the service column of rule1 does not permit that port, so the traffic never matches. Creating a custom application that matches TCP port 8080 and adding it to rule1 allows the firewall to correctly identify and permit the traffic.

Exam trap

The trap here is that candidates assume 'web-browsing' with service 'application-default' will match HTTP on any port. App-ID identifies the application regardless of port, but the service column restricts the rule to the application's standard port (tcp/80), so traffic on tcp/8080 never matches rule1.

How to eliminate wrong answers

Option A is wrong because adding a second, overlapping rule above rule1 duplicates policy instead of correcting rule1; a permanent exception for one site belongs in the existing rule. Option B is wrong because removing the service restriction from rule1 would permit web-browsing on every port to every destination, far broader than the one site on port 8080 needs. Option D is wrong because changing the application to 'any' bypasses application identification, which is not a best practice and loses the visibility App-ID provides.

38
MCQeasy

A network administrator is troubleshooting a connectivity issue. The firewall has a security rule that allows traffic from the Trust zone to the Untrust zone for the subnet 192.168.1.0/24 with application 'web-browsing'. However, users in that subnet cannot access any external websites. The administrator checks the logs and sees that the traffic is being blocked by a rule named 'Deny All' that is listed before the allow rule in the policy order. What is the most likely cause of the problem?

A.The rule order is incorrect; the allow rule is below the 'Deny All' rule.
B.The application 'web-browsing' is not being properly identified by App-ID.
C.The source address object for the allow rule is misconfigured with a wrong subnet mask.
D.The User-ID agent is overriding the allow rule and triggering a block action.
AnswerA

Since the logs show the traffic matches the deny rule, the allow rule must be positioned lower in the rulebase.

Why this answer

Option A is correct because in Palo Alto Networks firewalls, rules are evaluated in top-down order. If the 'Deny All' rule is above the allow rule, it will match first and block traffic. Options B, C, and D are plausible but less likely given the log evidence.

39
MCQmedium

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

A.The TCP sequence numbers are out of order, causing the packets to be out of the expected window.
B.The NAT policy is misconfigured, causing the source IP to not be translated correctly.
C.The security policy uses an incorrect service object that doesn't match the application.
D.Asymmetric routing is causing packets to arrive at a firewall that did not see the initial SYN.
AnswerD

Asymmetric routing leads to tcp-non-syn drops because the firewall has no session for the non-SYN packet.

Why this answer

When a firewall sees a non-SYN TCP packet without having seen the initial SYN, it cannot validate the TCP three-way handshake state. This typically occurs with asymmetric routing, where the SYN traverses one firewall and subsequent packets arrive at a different firewall that lacks the session state. The firewall drops these packets with the 'tcp-non-syn' reason because it has no corresponding session entry to associate them with.

Exam trap

The trap here is that candidates often confuse 'tcp-non-syn' with TCP sequence number issues or NAT problems, but the key is recognizing that this drop occurs only when the firewall has no session state, which points directly to asymmetric routing.

How to eliminate wrong answers

Option A is wrong because out-of-order sequence numbers cause 'tcp-out-of-window' drops, not 'tcp-non-syn'; the firewall tracks sequence numbers within the established session window. Option B is wrong because a misconfigured NAT policy would typically cause translation failures or session timeouts, not a 'tcp-non-syn' drop; the firewall would still see the SYN and create a session. Option C is wrong because an incorrect service object would cause a policy match failure or application misidentification, but the firewall would still process the SYN and create a session if the traffic is allowed; the 'tcp-non-syn' drop specifically indicates no prior SYN was seen.

40
Multi-Selectmedium

Which TWO of the following are methods to identify users for User-ID? (Choose two.)

Select 2 answers
A.Captive Portal
B.Kerberos Authentication
C.LDAP Synchronization
D.XML API
E.User-ID Agent
AnswersA, E

Captive Portal authenticates users directly and maps IPs.

Why this answer

Options A and E are correct. The User-ID agent collects IP-to-user mappings from Active Directory security logs; Captive Portal authenticates users directly and records the mapping. LDAP is used for group mapping (which users belong to which groups), not for IP-to-user mapping.

The XML API can also push mappings to the firewall, but the key treats it as an integration path rather than a primary method. Kerberos is an authentication protocol that Captive Portal can use, not a mapping source on its own.

41
MCQhard

An organization has a security policy that allows all traffic from the corporate user zone to the internet, but they want to block access to social media sites only for a specific group of users in the HR department. What is the best approach?

A.Create an allow rule for all users, then a deny rule for HR with application social-media.
B.Create a deny rule for the HR user group with application social-media before the allow rule.
C.Use user-ID to identify HR users and create a deny rule with source zone corporate, source user HR, application social-media, action deny, and place it after the allow rule.
D.Use user-ID to identify HR users and create a deny rule with source zone corporate, source user HR, application social-media, action deny, and place it before the allow rule.
AnswerD

This correctly uses user-ID and places the deny before the allow to block HR users' social media traffic.

Why this answer

Option D is correct because rules are evaluated top-down; the deny rule must come before the allow rule to block the targeted users. Option A places the deny after the allow, so it is never reached, and it does not say how HR users are identified. Option B has the right order but omits the source zone and does not use User-ID to identify the HR group.

Option C places deny after allow, so it will never be hit.

42
MCQhard

An organization implements SSL Forward Proxy to decrypt outbound HTTPS traffic, with a security rule that includes Vulnerability Protection and Anti-Malware profiles. Despite this, certain malware downloaded over HTTPS is not being blocked. The administrator observes that the traffic is decrypted and matches the security rule. The decryption policy excludes decryption for financial services category. The malware is delivered from a known malicious domain that is not in the financial services category. The analysis shows that the malware uses a custom packer that is not recognized by the current Anti-Malware signatures. What is the most likely reason the malware bypasses detection?

A.The security rule uses application 'ssl' but not 'web-browsing' for the traffic.
B.The firewall is missing the latest content updates for WildFire.
C.The decryption exclusion list includes the domain of the malware source.
D.The Anti-Malware profile is set to 'default' which may not block unknown malware effectively.
AnswerD

The default Anti-Malware (Antivirus in PAN-OS) profile relies on local signatures; without WildFire analysis, new or custom-packed malware can bypass it.

Why this answer

Option D is correct because the default Anti-Malware profile relies on known signatures and will not catch malware hidden by an unrecognized packer; a profile that submits unknown files to WildFire is needed. Option C is incorrect because the malware domain is not in the excluded financial-services category, and the stem confirms the traffic was decrypted. Option B is plausible but less likely: a content update only helps once a signature exists, whereas WildFire analysis is what catches a custom packer.

Option A is incorrect because once the session is decrypted, App-ID identifies the inner application (web-browsing); 'ssl' matches only undecrypted TLS, and the stem states the traffic matched the rule.

43
MCQmedium

Based on the exhibit, what will happen to an HTTPS request from an untrust zone user to destination IP 10.1.1.50?

A.Denied because the source is not specified in Allow_Web.
B.Denied by rule Block_ALL because it is the last rule.
C.Allowed by rule Allow_Web because service tcp/443 matches.
D.Allowed by rule Allow_Web because application ssl matches.
AnswerC

HTTPS uses tcp/443, and the rule allows that service along with application ssl.

Why this answer

Option C is correct. The rule Allow_Web has application ssl which matches HTTPS, and service tcp/443 matches. So the traffic is allowed.

Option D is partially correct, but the best answer is C because the service is explicitly matched. Option B is not hit because the traffic matches Allow_Web first. Option A is incorrect because the source is any.

44
MCQhard

A company is implementing SSL Decryption with a forward proxy for outbound traffic. They want to ensure that traffic to sensitive sites like banking is not decrypted. What is the correct configuration?

A.Rely on the browser's security settings to prevent decryption.
B.Disable SSL Decryption globally when the user visits sensitive sites.
C.Use a policy to decrypt only HTTP traffic.
D.Create a decryption exclusion rule for specific URLs or categories.
AnswerD

Decryption exclusion rules allow you to bypass decryption for sensitive destinations.

Why this answer

Option D is correct because decryption exclusion rules (no-decrypt rules in the decryption policy matched on URL categories or specific URLs) bypass decryption for those destinations. Option B is not practical because it disables decryption globally. Option C is wrong because HTTP traffic is not encrypted; the goal is to inspect HTTPS while exempting sensitive categories.

Option A is not reliable because browser settings cannot prevent the firewall from decrypting.

45
MCQhard

A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?

A.A zone protection profile is blocking ICMP packets.
B.The virtual router does not have a default route to the external network.
C.The decryption policy is blocking the traffic because it is not decrypted.
D.The NAT policy is missing for the outbound traffic.
AnswerB

Without a route, the firewall cannot forward packets to the destination.

Why this answer

The most likely cause is that the virtual router lacks a default route to the external network. Even though the security policy permits the traffic, the firewall must have a route in the virtual router's routing table to forward packets toward the destination. Without a default route, the firewall drops the traffic because it cannot determine the next hop for the external server's IP address.

Exam trap

The trap here is that candidates often confuse routing issues with security policy or NAT problems, but the firewall must have a viable route in the virtual router before it can forward any traffic, regardless of policy allowances.

How to eliminate wrong answers

Option A is wrong because a zone protection profile acts at the zone level and the stem says the traffic is permitted by policy, not dropped as a flood; note also that the management interface has its own routing and is not served by the virtual router, so reaching it says nothing about the data-plane route table. Option C is wrong because decryption policies apply only to TLS sessions and never cause a route lookup to fail. Option D is wrong because a missing NAT policy affects source address translation but does not stop the firewall from routing the packet; the firewall can still forward traffic without NAT if the destination is reachable, but the core problem here is the lack of a route.

46
MCQeasy

A network administrator wants to allow HTTP and HTTPS traffic from untrust zone to DMZ zone for a web server, but block all other traffic. What is the most efficient way to achieve this with a single rule?

A.Create a security policy with source zone Untrust, destination zone DMZ, application set to web-browsing and ssl, action allow.
B.Create a security policy with source zone Untrust, destination zone DMZ, application default, action allow.
C.Create a security policy with source zone Untrust, destination zone DMZ, service any, application any, action allow.
D.Create a security policy with source zone Untrust, destination zone DMZ, service tcp/80 and tcp/443, action allow.
AnswerA

This uses App-ID to precisely allow only web and SSL traffic, blocking everything else by default.

Why this answer

Option A is correct because application-based rules are more precise than service-based ones. Option D is less secure because it relies only on ports. Option B allows every application on its default ports, which is too broad.

Option C allows all traffic.

47
MCQhard

Traffic between two internal zones is being dropped due to a security policy rule that blocks any traffic. However, the administrator needs to allow specific inter-zone traffic for a critical application. The allowed traffic is sourced from a special IP range. How should the administrator configure the security policy to permit only this traffic while still blocking other traffic?

A.Create a single rule with both allow and deny actions based on source.
B.Place the specific servers in a different zone and create a new policy for that zone.
C.Add a new allow rule above the deny rule that matches the specific traffic.
D.Modify the existing deny rule to allow all traffic.
AnswerC

The allow rule will be evaluated first and permit the traffic before reaching the deny rule.

Why this answer

Option C is correct because an exception to a deny rule is implemented by placing a specific allow rule above the general deny rule. Option D is wrong because modifying the deny rule to allow would permit all traffic. Option A is wrong because a single rule cannot carry both an allow and a deny action.

Option B is wrong because creating a separate zone is unnecessary.
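Questions 31, 37, 41 and 47 all turn on the same two mechanics: top-down first-match evaluation, and the difference between App-ID identifying an application and the service column permitting its port. The following added example, which is not part of the original question set or any Palo Alto Networks product code, models those mechanics in a small evaluator. The zone names, addresses, the standard-port table and the custom application 'partner-web-8080' are assumptions made for the example.

```python
"""Top-down, first-match security policy evaluation (added example)."""
import ipaddress
from dataclasses import dataclass

# Standard ports behind "application-default" for the App-IDs used here. The real
# values live in the firewall's application database; "partner-web-8080" is a
# hypothetical custom application assumed for this example.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "partner-web-8080": {("tcp", 8080)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str                          # what App-ID identified, independent of port
    proto: str
    port: int
    groups: frozenset = frozenset()   # User-ID group memberships


def _ip_in(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_ip: str = "any"                    # "any" or CIDR
    dst_ip: str = "any"
    users: tuple = ("any",)                # "any" or User-ID groups
    apps: tuple = ("any",)
    service: str = "application-default"   # or "any" or "tcp/<port>"

    def matches(self, f: Flow) -> bool:
        if self.src_zone not in ("any", f.src_zone) or self.dst_zone not in ("any", f.dst_zone):
            return False
        if not (_ip_in(f.src_ip, self.src_ip) and _ip_in(f.dst_ip, self.dst_ip)):
            return False
        if "any" not in self.users and not f.groups.intersection(self.users):
            return False
        if "any" not in self.apps and f.app not in self.apps:
            return False
        return self._service_ok(f)

    def _service_ok(self, f: Flow) -> bool:
        if self.service == "any":
            return True
        if self.service == "application-default":
            # App-ID already named the application; this only checks the port.
            return (f.proto, f.port) in APP_DEFAULT_PORTS.get(f.app, set())
        proto, port = self.service.split("/")
        return f.proto == proto and f.port == int(port)


def evaluate(rulebase, flow):
    """Return (rule name, action) of the first matching rule; unmatched traffic
    between zones falls to the implicit interzone-default deny."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Questions 31/37: web-browsing on tcp/8080 against service application-default.
ALLOW_WEB = Rule("Allow-Web", "allow", "Inside", "Outside", apps=("web-browsing",))
ALLOW_WEB_FIXED = Rule("Allow-Web", "allow", "Inside", "Outside",
                       apps=("web-browsing", "partner-web-8080"))
ALLOW_WEB_LOOSE = Rule("Allow-Web", "allow", "Inside", "Outside",
                       apps=("web-browsing",), service="any")
PARTNER_8080 = Flow("Inside", "Outside", "10.1.1.20", "203.0.113.50", "web-browsing", "tcp", 8080)
PARTNER_8080_CUSTOM = Flow("Inside", "Outside", "10.1.1.20", "203.0.113.50",
                           "partner-web-8080", "tcp", 8080)

# Question 41: the HR deny must sit above the broad allow or it is shadowed.
DENY_HR_SOCIAL = Rule("Deny-HR-Social", "deny", "corporate", "internet",
                      users=("HR",), apps=("social-media",), service="any")
ALLOW_CORP = Rule("Allow-Corp-Internet", "allow", "corporate", "internet", service="any")
HR_FLOW = Flow("corporate", "internet", "10.2.0.15", "198.51.100.7", "social-media", "tcp", 443,
               groups=frozenset({"HR"}))

# Question 47: carve a specific allow out of an interzone deny.
ALLOW_CRITICAL = Rule("Allow-Critical-App", "allow", "Servers", "Apps",
                      src_ip="10.10.5.0/24", apps=("ssl",))
BLOCK_INTERZONE = Rule("Block-Interzone", "deny", "Servers", "Apps", service="any")
CRITICAL_FLOW = Flow("Servers", "Apps", "10.10.5.17", "10.20.0.9", "ssl", "tcp", 443)
OTHER_FLOW = Flow("Servers", "Apps", "10.10.9.1", "10.20.0.9", "ssl", "tcp", 443)

if __name__ == "__main__":
    print(evaluate([ALLOW_WEB], PARTNER_8080))                # falls to interzone-default
    print(evaluate([ALLOW_WEB_FIXED], PARTNER_8080_CUSTOM))   # Allow-Web
    print(evaluate([DENY_HR_SOCIAL, ALLOW_CORP], HR_FLOW))    # Deny-HR-Social
    print(evaluate([ALLOW_CORP, DENY_HR_SOCIAL], HR_FLOW))    # shadowed: Allow-Corp-Internet
    print(evaluate([ALLOW_CRITICAL, BLOCK_INTERZONE], OTHER_FLOW))
```

ALLOW_WEB_LOOSE shows why "set the service to any" is tempting: it does let the partner traffic through, but it also admits web-browsing on every port to every destination, which is the breadth the custom-application fix avoids.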

48
MCQmedium

A security administrator configures log forwarding to send threat logs to a central SIEM. The administrator creates a log forwarding profile that includes 'threat' and 'traffic' log types, and applies the profile to several security rules. After verifying, the SIEM receives logs for allowed traffic, but does not receive any logs for denied traffic. The administrator confirms that the deny rules also have the same log forwarding profile applied. What is the most likely cause of the missing denied traffic logs?

A.The log forwarding profile only includes 'traffic' logs and not 'threat' logs.
B.The firewall is logging only at session end and the deny sessions are not completing.
C.The log forwarding profile is not configured to forward logs for denied sessions.
D.The SIEM is not configured to receive syslog messages for deny actions.
AnswerC

Log forwarding profile match lists filter by log type and an optional filter expression on fields such as action (e.g., allow, deny, drop). If the filter does not include deny and drop actions, logs for denied traffic are not forwarded.

Why this answer

Option C is correct because a log forwarding profile's match list can be restricted to particular log types and actions; if its filter does not include 'deny' or 'drop' actions, those logs are never forwarded. Option D is incorrect because the SIEM already receives allowed-traffic logs, so syslog delivery is working. Option B is incorrect because denied sessions are still logged at session end, provided logging is enabled on the deny rule.

Option A is incorrect because threat logs are not the same as denied traffic logs; denied traffic logs fall under traffic logs with a deny action.

49
Matchingmedium

Match each PAN-OS component to its role.


Handles configuration and logging

Processes traffic and enforces policies

Manages routing and session setup

Aggregates logs from multiple firewalls

Why these pairings

These are the architectural planes of PAN-OS.

50
MCQeasy

A workstation at 10.0.0.5 sends traffic to destination 8.8.8.8. Which NAT rule will be applied?

A.Rule 2: no-nat-for-servers
B.Both rules are applied.
C.No NAT rule matches; traffic is not translated.
D.Rule 1: source-nat-1
AnswerD

Rule 1 matches the source and destination, and since rule 2's destination does not match, rule 1 is applied.

Why this answer

Option D is correct because the traffic matches source range 10.0.0.0/8 and the destination does not match the exception rule (8.8.8.8 is not in 192.168.1.0/24), so rule 1 is applied and translates the source IP to the interface IP. Option A is wrong because the destination does not match rule 2. Option B is wrong because multiple matches are not possible; the first matching NAT rule wins.

Option C is wrong because a rule does match.
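The exhibit for this question is not reproduced on the page, so the following added example (not the question set's own material and not Palo Alto Networks code) models the two rules the explanation describes: a no-NAT exception for 192.168.1.0/24 and a general DIPP source-NAT rule for 10.0.0.0/8, evaluated first-match. The public address 203.0.113.10, the starting port and the rule order (exception first) are assumptions; the last of these is the practitioner's point, since a no-NAT exception placed below the general rule is silently shadowed.

```python
"""First-match NAT evaluation with a DIPP pool and a no-NAT exception (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str                         # "any" or CIDR
    dst: str                         # "any" or CIDR
    translated_src: Optional[tuple]  # pool of public IPs, or None for a no-NAT rule


def _in(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


class DippTranslator:
    """Dynamic IP and Port: many private sources share a few public IPs by
    rewriting the source port. The first matching rule wins, so exceptions
    must be ordered above the general rule."""

    def __init__(self, rules, first_port=1024):
        self.rules = list(rules)
        self.next_port = first_port       # assumed starting point of the ephemeral range
        self.table = {}                   # (src_ip, src_port, dst_ip) -> (public_ip, public_port)

    def translate(self, src_ip, src_port, dst_ip):
        rule = next((r for r in self.rules if _in(src_ip, r.src) and _in(dst_ip, r.dst)), None)
        if rule is None:
            return "no-match", src_ip, src_port
        if rule.translated_src is None:
            return rule.name, src_ip, src_port         # no-NAT: pass through untouched
        key = (src_ip, src_port, dst_ip)
        if key not in self.table:                      # new session: allocate IP and port
            public_ip = rule.translated_src[len(self.table) % len(rule.translated_src)]
            self.table[key] = (public_ip, self.next_port)
            self.next_port += 1
        public_ip, public_port = self.table[key]
        return rule.name, public_ip, public_port


# Rules as described in the explanation; addresses are assumed for the example.
NO_NAT = NatRule("no-nat-for-servers", "10.0.0.0/8", "192.168.1.0/24", None)
SOURCE_NAT = NatRule("source-nat-1", "10.0.0.0/8", "any", ("203.0.113.10",))

if __name__ == "__main__":
    nat = DippTranslator([NO_NAT, SOURCE_NAT])
    print(nat.translate("10.0.0.5", 40000, "8.8.8.8"))         # source-nat-1, 203.0.113.10:1024
    print(nat.translate("10.0.0.7", 40000, "8.8.8.8"))         # same public IP, next port
    print(nat.translate("10.0.0.5", 40000, "192.168.1.10"))    # no-nat-for-servers, untouched
    shadowed = DippTranslator([SOURCE_NAT, NO_NAT])
    print(shadowed.translate("10.0.0.5", 40000, "192.168.1.10"))  # exception never reached
```

Two internal hosts using the same source port both come out of 203.0.113.10 on different ports, which is the port multiplexing Question 35 refers to; reversing the rule order makes the exception unreachable without any error being reported.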

51
MCQeasy

A firewall administrator wants to ensure that all traffic from the inside zone to the outside zone is inspected for threats, but without causing a bottleneck. Which profile group should be applied to the security rule?

A.URL filtering profile only.
B.Security profile group that includes antivirus, anti-spyware, vulnerability protection, and URL filtering.
C.No profile is needed; default settings suffice.
D.Antivirus profile only.
AnswerB

A security profile group provides layered protection and is optimized for performance.

Why this answer

Option B is correct because a security profile group combines multiple profiles (antivirus, anti-spyware, vulnerability protection, URL filtering) for comprehensive inspection without significant performance impact. Options A and D are incomplete. Option C is wrong because a rule with no profiles attached performs no threat inspection.

52
MCQmedium

A company is using Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection) in their security policies. Malware is still getting through. What is a common misconfiguration that could cause this?

A.The profiles are set to 'alert' instead of 'block' for the critical threat categories.
B.The antivirus signatures are outdated.
C.The security profiles are not attached to any security rule.
D.The profile groups are applied in the wrong order.
AnswerA

Alert only logs, does not block.

Why this answer

Option A is correct because a profile that is applied but set to alert-only logs the threat without blocking it. Option C would also stop inspection, but the stem says the profiles are in use in the security policies. Option B is wrong because updating signatures does not by itself explain why configured profiles let threats through.

Option D is wrong because profile order does not determine whether a threat is blocked.

53
MCQmedium

A company is experiencing performance issues due to large amounts of encrypted traffic. They want to offload decryption to a dedicated appliance but still maintain visibility. Which feature should they configure on the Palo Alto Networks firewall?

A.SSL Decryption with a dedicated decryption broker.
B.SSL Forward Proxy with decryption mirroring.
C.Decryption port mirroring.
D.TLS 1.3 decryption.
AnswerA

A decryption broker offloads SSL/TLS decryption to a dedicated appliance, reducing firewall load while maintaining visibility.

Why this answer

Option A is correct because the decryption broker offloads decryption to a dedicated appliance while the firewall retains visibility. Option B is decryption mirroring, which copies decrypted traffic for analysis rather than offloading the work. Option D is just a protocol version.

Option C is port mirroring, not decryption offloading.
