CCNA Policy Evaluation Management Questions

57 questions · Policy Evaluation Management topic · All types, answers revealed

1
MCQ · hard

An administrator wants to use Policy Optimizer to consolidate rules. Which of the following is a prerequisite for using Policy Optimizer on a rule?

A.The rule must have at least one security profile attached.
B.The firewall must have a valid support license.
C.The rule must have logging disabled.
D.The rule must be in the top 10 rules by hit count.
Answer: B

Policy Optimizer is a licensed feature.

Why this answer

Option B is correct because Policy Optimizer requires a valid support license. Options A, C, and D are not prerequisites: an attached security profile, the rule's logging setting, and its rank by hit count have no bearing on whether Policy Optimizer can analyse it.

2
MCQ · medium

A company needs to restrict access to a critical server from external IP addresses, but internal users should have full access. Which rule structure should be used?

A.Create a deny rule for external IP addresses, then an allow rule for internal.
B.Place the allow rule after the deny rule.
C.Create an allow rule for internal source addresses, then a deny rule for any source.
D.Create a single rule with a 'Deny' action and apply a user-ID condition.
Answer: C

Internal traffic is allowed by the first rule, and all other (external) traffic is denied by the second rule.

Why this answer

Option C is correct because rules are evaluated top-down: the allow rule for internal source addresses matches internal traffic first, and the deny-any rule beneath it catches everything else, including external sources. Option A is wrong because a deny rule for external addresses placed first would also deny internal traffic wherever the address ranges overlap, and it depends on enumerating external address space. Option B is wrong because the order is reversed: an allow rule placed after a deny rule is never reached for traffic the deny rule already matches, and whatever the deny rule misses is allowed. Option D is wrong because a single deny rule cannot distinguish internal from external sources; a User-ID condition selects users, not address ranges.

3
MCQ · medium

Refer to the exhibit. The administrator wants to remove unused rules to improve performance. Which rule should be removed?

A.deny-all
B.allow-dns
C.deny-ssh
D.allow-web
Answer: C

This rule has a hit count of 0; it is unused and a candidate for removal.

Why this answer

Option C is correct because rule 'deny-ssh' has a hit count of 0, indicating that no traffic has matched it. Option A is wrong because deny-all has 73 hits. Option B is wrong because allow-dns has many hits. Option D is wrong because allow-web has many hits.

Before deleting a zero-hit rule, confirm that the hit counter has not been reset recently and that the rule is not a deliberate safeguard for traffic that simply has not appeared yet; a zero-hit deny rule may still be doing its job.

4
Multi-Select · medium

Which TWO are best practices for managing security policies in a Palo Alto Networks firewall?

Select 2 answers
A.Enable logging on all rules for maximum visibility.
B.Place most specific rules at the top of the rulebase.
C.Use a single 'allow all' rule to simplify management.
D.Regularly review and remove unused rules using hit counts.
E.Disable unused rules instead of removing them.
Answers: B, D

Specific rules should come first so that a broader rule cannot capture their traffic and the intended behaviour is preserved.

Why this answer

B and D are correct. Placing the most specific rules first ensures the intended rule matches before a broader rule can capture the traffic. Regularly reviewing and removing unused rules keeps the rulebase small and removes forgotten permissions.

A is wrong because logging every session can strain log storage and performance; log where it provides value. C is wrong because a single 'allow all' rule discards zone and application control. E is wrong because disabled rules accumulate as clutter.

5
MCQ · hard

An administrator needs to implement a policy where traffic from the 'Sales' zone to the 'Finance' zone is allowed only for the 'ms-office365' application, but traffic from 'Sales' to 'Finance' using any other application must be denied. Which rule design meets this requirement efficiently?

A.Create a rule that denies all traffic from Sales to Finance, and then an application default deny rule that allows ms-office365.
B.Create a rule that allows all traffic from Sales to Finance, then a rule that denies ms-office365.
C.Create a rule that allows ms-office365 from Sales to Finance, and place a deny all rule after it.
D.Create one rule that allows ms-office365 and denies all other traffic from Sales to Finance.
Answer: C

The first rule allows the specific application, and the second deny rule blocks all other traffic.

Why this answer

Option C is correct because an allow rule for the specific application followed by a deny rule for all other traffic between the two zones is the simplest design that first-match evaluation supports. Option A is wrong because a deny-all rule placed first would match the ms-office365 traffic before any allow rule beneath it is reached. Option B is wrong because it allows everything and then denies ms-office365, the opposite of the requirement. Option D is wrong because a security rule has one action; it cannot allow one application and deny the rest.

6
MCQ · easy

How can an administrator quickly identify which security rules are not being used in order to clean up the rulebase?

A.Use the 'show rulebase' command.
B.Check the commit logs for recent changes.
C.Sort rules by rule number in descending order.
D.Use the Policy Optimizer tool to view rule hit counts.
Answer: D

Policy Optimizer shows hit counts, enabling identification of unused rules.

Why this answer

Option D is correct; Policy Optimizer shows rule hit counts, so rules with no hits stand out immediately. Option A is wrong because listing the rulebase alone does not show how often each rule is hit. Option B is wrong because commit logs show configuration changes, not traffic matches. Option C is wrong because rule order says nothing about usage.

7
MCQ · medium

A user from 10.0.0.5 tries to access 8.8.8.8 on TCP 443. The traffic is matched to the above rule. Which additional configuration is required for the traffic to be decrypted?

A.A Decryption policy rule matching the same traffic
B.An SSL Forward Proxy certificate installed
C.Both a Decryption policy rule and a Decryption Profile
D.A Decryption Profile with SSL Forward Proxy enabled
Answer: C

Both are necessary to select the traffic and govern how it is decrypted.

Why this answer

For traffic to be decrypted, a Decryption policy rule must match the traffic with a decrypt action, and the Decryption Profile attached to that rule controls how the session is handled: certificate checks, unsupported protocol versions and cipher suites, and what happens when decryption fails. The rule selects the traffic; the profile governs the decryption itself. The security rule only allows the session; it does not decrypt anything on its own.

Exam trap

The trap here is that candidates assume a Decryption policy rule alone is enough to decrypt traffic, overlooking that a Decryption Profile must be attached to govern certificate validation and the other decryption settings.

How to eliminate wrong answers

Option A is wrong because a Decryption policy rule alone only selects the traffic; the Decryption Profile it references defines how certificates and unsupported sessions are handled. Option B is wrong because an SSL Forward Proxy certificate (the CA certificate the firewall uses to sign the certificates it generates on the fly) is necessary but not sufficient; without a matching Decryption policy rule and a Decryption Profile nothing triggers decryption. Option D is wrong because a Decryption Profile is only applied to traffic through a Decryption policy rule that matches the traffic and references that profile.

8
Multi-Select · easy

An administrator wants to ensure that traffic from the corporate network to the internet is inspected by the firewall's threat prevention features. Which TWO of the following are required to achieve this? (Choose two.)

Select 2 answers
A.Enable decryption to inspect encrypted traffic.
B.Configure NAT policies for outbound traffic.
C.Create a security rule that allows the traffic and includes a security profile group with threat prevention.
D.Ensure the rule's action is set to 'allow'.
E.Use application override to force detection.
Answers: C, D

The rule must allow the traffic and apply the threat prevention profile.

Why this answer

Options C and D are correct. Threat prevention is applied by the security profile group attached to a security rule, and profiles act only on sessions the rule allows, so the rule must have action 'allow' and reference the profile group. Option A is wrong because decryption is needed only to inspect encrypted sessions; it is not required for threat prevention in general.

Option B is wrong because NAT translates addresses and has no effect on inspection. Option E is wrong because application override bypasses App-ID inspection for the matched traffic rather than forcing detection.

9
MCQ · easy

What does a 'shadowed' rule mean in the context of policy evaluation?

A.A rule that is never evaluated because a previous rule with same or broader match already matches the traffic.
B.A rule that is never hit because it is at the bottom of the rulebase.
C.A rule that is disabled.
D.A rule that matches traffic but has no action configured.
Answer: A

This is the definition of a shadowed rule.

Why this answer

Option A is correct. A shadowed rule is one that is never evaluated because a rule above it, with the same or a broader match, already matches all of the traffic the shadowed rule would match. Option B is wrong because a rule at the bottom of the rulebase is still evaluated whenever no earlier rule matches.

Option C is wrong because a disabled rule is simply disabled, not shadowed. Option D is wrong because a security rule always has an action; a rule 'with no action' is not a valid configuration.

10
Drag & Drop · medium

Drag and drop the steps to configure Active/Passive High Availability on a Palo Alto Networks firewall into the correct order.


Why this order

HA configuration requires setting up interfaces, mode, priority, peer IP, preemption, and synchronization.

11
MCQ · hard

An administrator is using Policy Tester to validate a rule before deployment. The rule allows HTTP and HTTPS from user 'John' (IP 10.1.1.10) to server 192.168.1.100. The tester shows 'No match' for traffic from John's IP to the server on port 80. What could be the reason?

A.The rule is placed after a deny rule.
B.The user-ID mapping is incorrect.
C.The rule uses port 443 only.
D.The rule has an application override that is not set to HTTP.
Answer: D

If an application override applies, the traffic is identified as the overridden application; if that is not the application the rule expects, the rule does not match.

Why this answer

Option D is correct because an application override forces traffic that matches its criteria to be identified as the overridden application; if that is not the HTTP application the rule expects, the rule does not match. Option A is wrong because rule ordering does not produce 'No match' for a specific rule under test; an earlier deny rule would be reported as the matching rule instead. Option B is wrong because the tester is given the user context directly, so the live User-ID mapping does not affect its result.

Option C is wrong because the rule allows HTTP, so port 80 is expected to match.

12
MCQ · hard

An administrator notices that traffic from a specific IP 10.10.10.5 is not matching the expected security rule that should allow HTTP traffic. The rule uses a source address object defined as '10.10.10.0/24'. Upon investigation, the administrator finds that the traffic is from IP 10.10.10.5, but the rule still does not match. What is the most likely cause?

A.The traffic is being decrypted by a decryption policy before reaching the security rule.
B.The rule's source zone is set to 'DMZ' instead of 'Internal'.
C.A rule above this rule shadows it, blocking the traffic before evaluation.
D.The source address object is defined with a netmask of /32 instead of /24.
Answer: D

A /32 netmask means the object matches only the single host 10.10.10.0, not the entire subnet.

Why this answer

The rule is expected to reference 10.10.10.0/24, which would include .5, but the object was actually created with a /32 netmask, so it matches only the single host 10.10.10.0. Check the object's configured value rather than trusting its name. Option A is wrong because decryption does not change the source address the security rule evaluates. Options B and C describe zone and ordering problems, which would show up in the Traffic log as a match on a different rule rather than as an address object that excludes the host.

13
MCQ · hard

Refer to the exhibit. The administrator sees that traffic from 10.10.1.12 is being denied by rule2. Which action should the administrator take to allow this traffic while maintaining security?

A.Add 10.10.1.12 to rule1's source address.
B.Change rule2 to allow.
C.Create a new rule above rule2 that allows the specific traffic with appropriate security profiles.
D.Move rule2 above rule1.
Answer: C

This targets only the denied traffic while keeping security profiles in place.

Why this answer

Option C is correct because a new rule above rule2 that allows traffic from 10.10.1.12 (or the appropriate subnet) to the required destination, with security profiles attached, permits exactly that traffic without loosening the rest of the rulebase. Option A is wrong because adding 10.10.1.12 to rule1's source could admit unintended traffic, depending on what else rule1 allows. Option B is wrong because changing rule2 to allow would permit everything rule2 currently denies.

Option D is wrong because moving rule2 above rule1 would cause rule2 to be evaluated first and could deny traffic that rule1 is meant to allow.

14
MCQ · medium

A security rule is configured with source zone 'Trust', destination zone 'Untrust', source address 'any', destination address '10.10.10.0/24', application 'ssl', service 'https', action 'allow', log at session end. A user from Trust zone tries to access https://10.10.10.5. The traffic is not matching. What is the most likely reason?

A.The application ssl is not matching because HTTPS traffic may be classified as web-browsing.
B.The action should be 'allow with security profile'.
C.The service https requires TCP 443, but ssl application is used for encryption.
D.The destination address is a specific subnet but the user is accessing a host within that subnet.
Answer: A

The session is identified as web-browsing rather than ssl, so the application field does not match.

Why this answer

Option A is correct: the rule specifies application ssl, but the session was classified as a different application. Once the firewall can see inside the session (for example after decryption), HTTPS web traffic is identified as web-browsing or a more specific application, and the rule's application field stops matching. The application column of the Traffic log shows what App-ID actually assigned. Option B is wrong because 'allow with security profile' is not a separate action; profiles are attached to an allow rule.

Option C is wrong because the predefined service https (TCP 443) matches the session's port. Option D is wrong because a host inside 10.10.10.0/24 matches the subnet.

15
MCQ · easy

An administrator wants to ensure that all traffic from the engineering zone to the server zone is logged, but only when a session is established. Which log setting should be configured in the security rule?

A.Log at both session start and end
B.No log
C.Log at session end
D.Log at session start
Answer: D

Logging at session start captures the session establishment event.

Why this answer

Option D is correct because logging at session start records the session when it is created, which is the establishment event. Option A is wrong because logging at both start and end produces two entries per session. Option C is wrong because logging at session end records only when the session terminates.

Option B is wrong because no logging leaves nothing to audit. Note that a session-start entry is written before App-ID has finished identifying the application, so the application field in that entry may be incomplete or generic; log at session end remains the usual recommendation for routine auditing.

16
Multi-Select · hard

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

Select 2 answers
A.The traffic will be allowed because Rule1 matches before Rule2.
B.To block the traffic, you can set the source zone in Rule2 to 'Negate' Engineering.
C.Moving Rule2 to the end of the rulebase will ensure it blocks the traffic.
D.The administrator should move Rule2 above Rule1 to block the traffic.
E.The firewall evaluates all rules and applies the most restrictive action (deny).
Answers: A, D

First-match logic: Rule1 matches first, so the action is allow; Rule2 is not evaluated.

Why this answer

Option A is correct because Palo Alto Networks firewalls use first-match policy evaluation: the first rule that matches the traffic's source zone, destination zone, source/destination IP, application, and user determines the action. Since Rule1 (allow) appears before Rule2 (deny), traffic from Engineering to Servers matches Rule1 first and is allowed, regardless of later deny rules. Option D is correct because moving Rule2 above Rule1 makes the deny the first match for Engineering-to-Servers traffic. Option B is wrong because negating the source would make Rule2 match everything except Engineering, the opposite of the intent (and the negate option applies to addresses, not zones). Option C is wrong because a rule at the end of the rulebase is reached only after Rule1 and Rule3, which already allow the traffic. Option E is wrong because evaluation stops at the first match.

Exam trap

The trap here is that candidates often assume firewalls use a 'most restrictive wins' model (like some ACL implementations) rather than the first-match model used by Palo Alto Networks, leading them to incorrectly select Option E.

17
MCQ · easy

Refer to the exhibit. A security rule is configured with destination address group 'internal-servers'. A packet with destination IP 10.10.20.5 arrives. Will the rule match?

A.Yes, because 10.10.20.5 is within the range of server2.
B.No, because the destination must be a single IP address.
C.Yes, because the address group includes all internal addresses.
D.No, because the address group uses multiple objects.
Answer: A

The IP range in server2 includes 10.10.20.5.

Why this answer

Option A is correct because 10.10.20.5 is within the IP range defined by server2 (10.10.20.1-10.10.20.10). Option B is wrong because a destination can be a range or subnet, not only a single address. Option C is wrong because the group does not include all internal addresses, only the objects it contains.

Option D is wrong because address groups can contain multiple objects; the rule matches if any of them contains the destination.
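The first-match evaluation behind questions 5, 9, 12, 16 and 17, as an added example (Python written for this page, not PAN-OS code): rules are tried top-down, the first full match wins, a rule that a single earlier rule fully covers is shadowed, and address objects are matched by CIDR, /32 or range containment. Rule names, zone names and addresses below are assumed for the example; the two default rules mirror the PAN-OS intrazone-default (allow) and interzone-default (deny) behaviour.

```python
"""Toy first-match policy evaluator.

Added example, not PAN-OS code: models the evaluation order behind
questions 5, 9, 12, 16 and 17 (first matching rule wins, later rules are
never consulted, a rule is shadowed when one earlier rule already matches
everything it could match) plus address-object containment for CIDR, /32
and range objects. Rule names, zones and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


def address_object(spec):
    """Return (low, high) integers for a CIDR, bare IP or 'a-b' range object."""
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def address_matches(objects, ip):
    """True if ip falls inside any object in the list (or the list is ANY)."""
    if objects == ANY:
        return True
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in map(address_object, objects))


def set_matches(allowed, value):
    return allowed == ANY or value in allowed


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    from_zone: object = ANY     # ANY or a set of zone names
    to_zone: object = ANY
    source: object = ANY        # ANY or a list of address objects
    destination: object = ANY
    application: object = ANY   # ANY or a set of App-ID names

    def matches(self, pkt):
        return (set_matches(self.from_zone, pkt["from_zone"])
                and set_matches(self.to_zone, pkt["to_zone"])
                and address_matches(self.source, pkt["src"])
                and address_matches(self.destination, pkt["dst"])
                and set_matches(self.application, pkt["app"]))


def evaluate(rules, pkt):
    """First match wins; otherwise fall through to the default rules."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    if pkt["from_zone"] == pkt["to_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def covers(wide, narrow):
    """True if every value accepted by `narrow` is also accepted by `wide`."""
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    if isinstance(narrow, set):
        return narrow <= wide
    # Address lists: each narrow object must sit inside some wide object.
    return all(any(wl <= nl and nh <= wh for wl, wh in map(address_object, wide))
               for nl, nh in map(address_object, narrow))


def shadowed(rules):
    """Names of rules fully covered, field by field, by a single earlier rule.

    Conservative: a rule hidden only by the union of several earlier rules
    is not reported.
    """
    fields = ("from_zone", "to_zone", "source", "destination", "application")
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in fields):
                out.append(later.name)
                break
    return out


# Question 5: allow ms-office365 Sales -> Finance, then deny the rest.
Q5_RULES = [
    Rule("allow-o365", "allow", {"Sales"}, {"Finance"}, application={"ms-office365"}),
    Rule("deny-sales-finance", "deny", {"Sales"}, {"Finance"}),
]

# Question 16: Rule1 allow sits above Rule2 deny, so Rule2 is shadowed.
Q16_RULES = [
    Rule("Rule1", "allow", {"Engineering"}, {"Servers"}),
    Rule("Rule2", "deny", {"Engineering"}, {"Servers"}),
    Rule("Rule3", "allow", ANY, {"Servers"}),
]


def packet(from_zone, to_zone, src, dst, app):
    return {"from_zone": from_zone, "to_zone": to_zone, "src": src, "dst": dst, "app": app}


if __name__ == "__main__":
    print(evaluate(Q5_RULES, packet("Sales", "Finance", "10.1.1.5", "10.2.2.5", "ms-office365")))
    print(evaluate(Q5_RULES, packet("Sales", "Finance", "10.1.1.5", "10.2.2.5", "ssh")))
    print(evaluate(Q16_RULES, packet("Engineering", "Servers", "10.3.0.9", "10.4.0.2", "ssh")))
    print(shadowed(Q16_RULES))                                     # ['Rule2']
    print(shadowed([Q16_RULES[1], Q16_RULES[0], Q16_RULES[2]]))    # ['Rule1']
    # Question 12: a /32 object excludes .5, the intended /24 includes it.
    print(address_matches(["10.10.10.0/32"], "10.10.10.5"), address_matches(["10.10.10.0/24"], "10.10.10.5"))
    # Question 17: the server2 range contains 10.10.20.5.
    print(address_matches(["10.10.20.1-10.10.20.10"], "10.10.20.5"))
```

Swapping Rule1 and Rule2 in the list is the fix from question 16, and the shadow check then reports Rule1 instead of Rule2, which is the symptom to watch for after any reorder.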

18
MCQ · medium

A security administrator is troubleshooting a rule that appears to be matching correctly but is not allowing traffic. The rule uses source zone 'Trust' and destination zone 'Untrust', and the action is 'allow'. The traffic source is in the 'DMZ' zone. What is the most likely reason the traffic is denied?

A.Security profiles are blocking the traffic.
B.The application is not identified.
C.The source zone of the rule does not match the traffic's ingress zone.
D.The rule is placed after a deny rule.
Answer: C

The rule matches on source zone Trust, but the traffic arrives from the DMZ zone, so the rule does not apply.

Why this answer

Option C is correct because a zone mismatch is the common reason: the rule expects source zone Trust, but the traffic enters from DMZ, so the rule is never a match. Option B is wrong because an unidentified application could cause a denial, but the zone mismatch prevents the rule from matching in the first place. Option D is wrong because rule order could matter, but again the rule would not match regardless of position.

Option A is wrong because security profiles act on sessions a rule has already allowed; they do not prevent a rule from matching.

19
MCQ · medium

An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?

A.The firewall is configured to use DNS sinkholing, which bypasses URL filtering.
B.The rule is placed too low in the rulebase and a higher rule allows traffic without URL filtering.
C.The rule uses a source zone of 'Corporate' but the users are in a different zone.
D.The URL Filtering profile is set to 'alert' instead of 'block' for the relevant categories.
Answer: D

An alert action logs but allows traffic; it does not block.

Why this answer

Option D is correct because if the URL Filtering profile is set to 'alert' instead of 'block' for the relevant categories, the firewall will log the violation but still allow the traffic to pass. This means users can access blocked categories even though the rule is correctly applied, as the profile does not enforce a blocking action.

Exam trap

The trap here is that candidates often assume a rule with a URL Filtering profile automatically blocks traffic for blocked categories, but they overlook that the profile's per-category action must be set to 'block' to actually deny the traffic.

How to eliminate wrong answers

Option A is wrong because DNS sinkholing is a technique used to redirect malicious DNS queries to a sinkhole IP, not to bypass URL filtering; it actually enhances security by preventing access to known malicious domains. Option B is wrong because if the rule were placed too low and a higher rule allowed traffic without URL filtering, the higher rule would match first and the traffic would not reach the rule with URL filtering, but the question states the rule is applied and users can still access blocked categories, implying the rule is being matched. Option C is wrong because if the users were in a different zone, the rule with source zone 'Corporate' would not match their traffic at all, and they would not be subject to the URL filtering profile; however, the administrator notices that some users can access blocked categories, suggesting the rule is matching but not enforcing the block.

20
MCQ · easy

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

A.Rule 4 (Allow-DNS)
B.Rule 3 (Block-Restricted-Apps)
C.Rule 2 (Allow-Any-Web)
D.Rule 1 (Allow-Sales-to-App)
Answer: C

Rule 2 matches any source and destination, with application web-browsing and service tcp/80, so it matches this HTTP traffic.

Why this answer

Rule 2 (Allow-Any-Web) is correct because it is a broad rule that permits HTTP (port 80) traffic from any source to any destination, which matches the user's attempt to browse to an external website. The traffic originates from the Sales subnet (10.10.1.50) and targets IP 203.0.113.50 on port 80, and since no more specific rule (like Rule 1) matches the destination, Rule 2 applies as the first general web access rule.

Exam trap

Palo Alto Networks often tests the first-match rule evaluation order, where candidates mistakenly think a more specific source rule (like Rule 1 for Sales) will always match, but they overlook that the destination must also match, causing them to pick the wrong rule.

How to eliminate wrong answers

Option A is wrong because Rule 4 (Allow-DNS) is designed for DNS traffic (UDP/TCP port 53), not HTTP (port 80), so it would not match the user's web browsing. Option B is wrong because Rule 3 (Block-Restricted-Apps) is a block rule for specific applications, not a general HTTP allow rule, and the traffic is a legitimate file download, not a restricted app. Option D is wrong because Rule 1 (Allow-Sales-to-App) likely permits traffic from the Sales subnet to a specific application or server, but the destination IP 203.0.113.50 is an external website, not the intended app, so it does not match.

21
MCQ · hard

A company has a Palo Alto Networks firewall in production. They recently configured a new security policy rule to allow outbound HTTPS traffic from the internal network (10.0.0.0/8) to the internet. The rule is placed after a block rule that denies all traffic from 10.0.0.0/8 to any external destination. After committing, users report that HTTPS access is still blocked. The administrator checks the firewall logs and sees that the traffic is being denied by the block rule. The administrator verifies the rule order: the new allow rule is at position 5, and the block rule is at position 3. The administrator also checks that the source zone (Trust) and destination zone (Untrust) are correct. What is the most likely cause of the issue?

A.There is a NAT policy that is interfering with the allow rule.
B.The allow rule has an incorrect application (e.g., ssl instead of web-browsing).
C.The allow rule has the wrong source address (e.g., 10.0.0.0/8 is correct).
D.The allow rule is placed below the block rule, so the block rule is evaluated first.
Answer: D

Firewall rules are processed top-down; the block rule at position 3 matches before the allow rule at position 5.

Why this answer

The Palo Alto Networks firewall evaluates security policy rules in sequential order from top to bottom. Since the block rule at position 3 is evaluated before the allow rule at position 5, traffic matching the block rule is denied immediately, and the allow rule is never reached. This is the most likely cause of the issue, as the rule order directly determines which rule is applied first.

Exam trap

The trap here is that candidates may focus on misconfigurations like NAT or application settings, overlooking the fundamental rule order evaluation in PAN-OS, which is a common point of confusion in the PCNSA exam.

How to eliminate wrong answers

Option A is wrong because NAT rules live in their own rulebase: the NAT lookup precedes the security policy lookup, and security rules are matched on post-NAT zones and pre-NAT addresses, so a NAT rule cannot change which security rule is evaluated first. Option B is wrong because the application specified in the allow rule (e.g., ssl vs. web-browsing) does not affect rule order; the block rule would still be evaluated first regardless of the application. Option C is wrong because the source address being correct does not change the fact that the block rule is evaluated before the allow rule due to its higher position.

22
MCQ · easy

A company wants to block file-sharing applications like BitTorrent, but allow HTTP and HTTPS. Which type of policy is most appropriate to achieve this granular control?

A.Security policy with application-ID.
B.Decryption policy.
C.Security policy with service only.
D.Policy-based forwarding.
Answer: A

Application-ID enables control over specific applications regardless of port.

Why this answer

Option A is correct because App-ID allows granular control over applications, not just ports, so BitTorrent can be blocked even when it runs over port 80 or 443. Option B is wrong because a Decryption policy decides what to decrypt, not what to allow. Option C is wrong because a service-only rule matches port and protocol, which file-sharing applications can share with web traffic.

Option D is wrong because policy-based forwarding selects the egress path, not whether traffic is permitted.

23
MCQ · medium

A network administrator is tasked with implementing a policy that allows traffic from the 'Sales' zone to the 'Internet' zone only for web-browsing (application: web-browsing) and blocks all other traffic. The administrator creates a rule at the top of the security policy with source zone Sales, destination zone Internet, application web-browsing, action allow. Below that, a rule with source zone Sales, destination zone Internet, application any, action deny. After committing, users in Sales can browse the web normally. However, the administrator discovers that some users are able to use applications like YouTube and Facebook which use web-browsing as part of their app-id. The administrator wants to ensure that only HTTP/HTTPS traffic for general web browsing is allowed, not other web-based applications. What should the administrator do?

A.Change the allow rule's application to include only HTTP and HTTPS.
B.Use URL filtering to block the social networking and streaming media categories.
C.Add a custom application filter to block social media applications.
D.Change the deny rule to block social media applications.
Answer: B

URL filtering by category allows general web browsing while blocking specific types of sites such as social media and video streaming.

Why this answer

Using URL filtering to block the social-networking and streaming-media categories is precise and does not interfere with general web browsing. Narrowing the allow rule to 'HTTP and HTTPS' (in App-ID terms, web-browsing and ssl) would still admit Facebook and YouTube, because they run over the same protocols. Custom application filters or extra deny rules are less precise or would also affect traffic that should remain allowed.

24
MCQ · medium

An administrator wants to require users in the Internal zone to authenticate via User-ID before accessing the Internet. Which policy configuration is necessary to enforce this requirement?

A.Create an authentication policy that maps users to roles.
B.Configure a captive portal on the firewall to prompt for credentials.
C.Enable User-ID on the Internal zone under Zone properties.
D.Configure a security rule with a user-id condition set to 'known-user' and action 'allow' with 'require authentication' selected.
Answer: D

The 'require authentication' option in a security rule forces users to authenticate before the rule is applied.

Why this answer

To require authentication, the security rule must include a user-id condition with the 'require authentication' action.

25
Multi-Select · medium

Which THREE actions can be taken based on hit counts in security rules? (Select three.)

Select 3 answers
A.Identify unused rules for cleanup
B.Create dynamic updates to rules
C.Prioritize rule optimization efforts
D.Troubleshoot traffic mis-matches
E.Determine rule shadowing
Answers: A, C, D

Rules with zero or very low hit counts are candidates for removal.

Why this answer

Hit counts help identify unused rules, prioritize optimization, and troubleshoot traffic matching issues.

26
Multi-Select · medium

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.Enable logging on all rules to ensure complete audit trails.
B.Use zone-based policies instead of IP-based policies whenever possible.
C.Sort rules alphabetically by name to simplify rulebase navigation.
D.Disable unused rules rather than deleting them to preserve rule order for future use.
E.Use service objects based on TCP/UDP ports to define application traffic.
Answers: B, D

Zone-based policies are more scalable and easier to manage.

Why this answer

Option B is correct because zone-based policies reduce complexity and improve scalability by grouping interfaces into security zones, allowing policies to be applied based on traffic direction (e.g., from Trust to Untrust) rather than individual IP addresses. This aligns with Palo Alto Networks' best practice of using zones to simplify rule management, as IP-based policies become unmanageable in dynamic environments. Option D is correct because disabling an unused rule keeps its position and configuration, so it can be re-enabled without being rebuilt if the traffic returns. Option A is wrong because logging every rule inflates log volume without adding value on every rule. Option C is wrong because alphabetical order ignores first-match evaluation. Option E is wrong because port-based service objects cannot identify applications the way App-ID does.

Exam trap

The trap here is that candidates often confuse 'best practices' with 'common practices'—for example, assuming logging on all rules is always good for auditing, or that sorting rules alphabetically aids navigation, without understanding the performance and security implications of rule order and log volume in Palo Alto Networks firewalls.

27
Multi-Select · medium

Which THREE are valid methods to test security policy effectiveness before deployment?

Select 3 answers
A.Check rule hit counts after applying the policy to a small subset of users.
B.Disable the policy and monitor traffic.
C.Use packet capture (PCAP) to analyze traffic.
D.Deploy the policy in a lab environment and review traffic logs.
E.Use the Policy Tester tool in the web interface.
Answers: A, D, E

Monitoring hit counts helps confirm whether rules are matching as expected.

Why this answer

A, D, and E are correct. Policy Tester is a built-in tool that simulates a session against the rulebase. Rule hit counts after a limited rollout provide feedback on what actually matches.

Reviewing traffic logs from a lab deployment shows the policy's effect before production. B is wrong because disabling the policy is not a test method. C is wrong because packet capture is a troubleshooting tool, not a policy test.

28
MCQ · easy

An administrator is reviewing the rulebase and finds a rule with a hit count of 0 over the past 30 days. What action should the administrator consider?

A.Move the rule higher in the rulebase.
B.Consider removing the rule as it is not being used.
C.Increase the log setting to capture more data.
D.Disable the rule to see if any traffic matches.
Answer: B

A rule with zero hits for a long period indicates it is not needed and can be removed.

Why this answer

Option B is correct because a rule with no hits is unused and can be cleaned up to keep the rulebase lean. Option A is wrong because moving the rule higher will not produce matches if no traffic fits the rule. Option C is wrong because more logging does not help when the rule never matches.

Option D is wrong because disabling the rule does not reveal anything a zero hit count has not already shown, and it leaves clutter behind.

29
MCQ · easy

A security administrator notices that a newly added security rule, designed to allow SSH traffic from the engineering department to a Linux server, is not being matched. The rule is placed above an existing 'deny all' rule. What is the most likely cause?

A.The rule is placed below the deny all rule.
B.The rule's source zone or address does not match the engineering department traffic.
C.The rule has a low hit count.
D.The rule is placed after the deny all rule.
Answer: B

Misconfigured source zones or addresses prevent the rule from matching the intended traffic.

Why this answer

Option B is correct because if the zone or source address is misconfigured, the traffic will not match the intended rule and will be matched by later rules. Option A is wrong because rule ordering is correct (rule above deny all). Option C is wrong because hit count is irrelevant to the cause of no match.

Option D is wrong because the rule is placed in the correct position.

30
Multi-Select · medium

A security administrator notices that traffic from an internal user to a specific external web application is being blocked unexpectedly. The user's IP is 10.10.1.50 and the destination is 203.0.113.5 on port 443. The administrator has already verified that there is a security rule allowing the traffic. Which two logs should the administrator check first to diagnose the issue?

Select 2 answers
A.Check the Traffic log and the URL Filtering log.
B.Check the Threat log for any intrusion prevention signatures that matched the traffic.
C.Check the System log for configuration changes that might have added a rule.
D.Check the HIP Match log to see if the user's device lacks required security software.
AnswersA, B

The Traffic log shows whether a rule allowed or denied the traffic; the URL Filtering log shows if a URL filtering profile blocked the request. These two together can identify the blocking cause.

Why this answer

Option A is correct because when a security rule explicitly allows traffic but the session is still blocked, the cause is usually a security profile attached to that allow rule rather than the rule itself. The Traffic log shows which rule the session matched and whether it was allowed or denied; if the rule allowed it, the URL Filtering log shows whether the URL filtering profile attached to the rule blocked the request because of the destination's category. Option B is correct for the same reason: a vulnerability protection, anti-spyware or antivirus signature that resets or drops an allowed session is recorded in the Threat log, not as a deny in the Traffic log.

Exam trap

Palo Alto Networks often tests the misconception that an allow rule guarantees the traffic will pass. Security profiles are applied only to sessions an allow rule permits, but they can still block those sessions, so the Traffic log alone (which shows the rule match) is not enough; the URL Filtering and Threat logs show the profile verdict, which is why both logs are checked first.

31
MCQmedium

An administrator is troubleshooting why a rule is not being hit. The rule has source zone Trust, destination zone Untrust, source address 10.0.0.0/8, destination address any, application web-browsing, action allow, and log at session end. The traffic is coming from 10.1.1.1 to 1.2.3.4 on port 80, zone Trust to Untrust. The rule count shows zero hits. What could be the issue?

A.The application must be set to 'any'.
B.The application is incorrectly identified; perhaps the traffic is using a different app.
C.The log setting is preventing hits.
D.The destination address is too broad.
AnswerB

If the firewall classifies the traffic as another application, the rule won't match.

Why this answer

Option B is correct because the rule matches only the App-ID web-browsing; if the firewall identifies the session as a different application, the rule is skipped even though zones and addresses match. Option A is wrong because setting the application to 'any' would make the rule match, but by abandoning App-ID control rather than by fixing the cause. Option C is wrong because the log setting never affects whether a rule matches or how hits are counted.

Option D is wrong because a destination of 'any' is permissible and cannot prevent a match.

32
Multi-Selectmedium

A security administrator is analyzing the rulebase for best practices. Which TWO of the following are recommended practices for security policy management? (Choose two.)

Select 2 answers
A.Disable logging for frequently matched rules to improve performance.
B.Place more specific rules above more general rules.
C.Create a single rule for each application to simplify management.
D.Use the 'intrazone-default' rule to allow all traffic in the same zone.
E.Use security profile groups to consistently apply profiles.
AnswersB, E

This is a fundamental best practice to ensure specific rules are evaluated first.

Why this answer

Options B and E are correct. Placing specific rules above general rules ensures the intended rule is matched first. Security profile groups apply the same set of profiles consistently across rules.

Option A is wrong because logging should stay enabled for security visibility; log volume is handled with log forwarding and filtering, not by disabling logs. Option C is wrong because one rule per application produces an unmanageable rulebase. Option D is wrong because relying on intrazone-default to allow all traffic within a zone is not recommended; the default rule should at least be overridden to log, and intrazone traffic restricted where possible.

33
MCQhard

An administrator configures a security policy with three rules in order: Rule1 allows any to any with log at session start, Rule2 allows HTTP from trust to untrust, Rule3 denies any. Traffic from an internal user to an external web server is logged as allowed. Which rule processed the traffic?

A.Rule1
B.Rule3
C.Rule2
D.No rule matched
AnswerA

Rule1 matches all traffic and is the first rule, so it processes the traffic.

Why this answer

Option A is correct because the first matching rule is applied; even though Rule2 is more specific, Rule1 matches first and allows the traffic. Option C is wrong because Rule2 sits below Rule1 and is never reached (it is shadowed). Option B is wrong because Rule3 would deny, but the traffic was logged as allowed.

Option D is wrong because the traffic matched a rule.

34
MCQhard

Refer to the exhibit. Traffic from Sales zone to Finance zone reaches destination 10.10.10.10 using application 'ssl'. What action does the firewall take?

A.The firewall will continue to the next rule
B.Allow
C.Deny
D.Allow only if no security profile blocks it
AnswerC

Traffic does not match the first rule (application mismatch), so it matches the second rule and is denied.

Why this answer

Option C is correct because the first rule matches only the 'ms-office365' application; 'ssl' does not match it, so evaluation continues to the second rule, which denies any application. Option A is wrong because moving to the next rule is an intermediate step, not the action the firewall takes; the session ends at the deny rule. Option B is wrong because the first rule does not allow ssl.

Option D is wrong because security profiles are applied only to sessions that an allow rule permits; a deny rule blocks without consulting them.

35
Multi-Selecteasy

Which TWO methods can be used to help prevent rule shadowing? (Select two.)

Select 2 answers
A.Using rule hit counts
B.Placing more specific rules above general rules
C.Using policy optimizer reports to reorder rules
D.Using dynamic address groups
E.Using rule order analysis tools
AnswersB, C

Correct. This ensures specific rules are evaluated first, reducing the chance they are shadowed.

Why this answer

Placing more specific rules above general rules prevents rule shadowing by ensuring that traffic matching a specific condition is evaluated and permitted or denied by the intended rule before reaching a broader rule that might otherwise match it. In Palo Alto Networks firewalls, rule evaluation is first-match, so a general rule placed above a specific rule will shadow the specific rule, making it unreachable. This ordering principle directly addresses the root cause of shadowing.

Exam trap

The trap here is that candidates often confuse detection tools (like rule order analysis or hit counts) with prevention methods, but the question specifically asks for methods that help prevent shadowing, which requires proactive ordering or reordering of rules.
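The first-match evaluation and shadowing behaviour described in this question, and the top-down evaluation that question 33's three-rule scenario and question 41's rule types rely on, as an added example that is not part of the original page and not Palo Alto Networks code. It models a PAN-OS style rulebase with zones, CIDR address objects, App-ID names, the three rule types and the two predefined default rules, and flags rules that an earlier rule shadows. All rule names, zones and addresses are constructed for illustration, and the matching is simplified (no users, services, NAT or schedules).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass
class Rule:
    """One security rule. Sets hold the literal "any" as a wildcard; addresses are CIDR strings."""
    name: str
    action: str                                   # "allow" or "deny"
    src_zones: set = field(default_factory=lambda: {ANY})
    dst_zones: set = field(default_factory=lambda: {ANY})
    src_addrs: set = field(default_factory=lambda: {ANY})
    dst_addrs: set = field(default_factory=lambda: {ANY})
    apps: set = field(default_factory=lambda: {ANY})
    rule_type: str = "universal"                  # universal | intrazone | interzone
    enabled: bool = True

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str                                      # App-ID assigned by the firewall, e.g. "web-browsing"

# The two predefined rules always sit below every administrator-defined rule.
DEFAULT_RULES = [
    Rule("intrazone-default", "allow", rule_type="intrazone"),
    Rule("interzone-default", "deny", rule_type="interzone"),
]

def _in_addrs(addrs, ip):
    return ANY in addrs or any(ip_address(ip) in ip_network(a) for a in addrs)

def matches(rule, sess):
    """Every match field must agree; a disabled rule is skipped entirely."""
    same_zone = sess.src_zone == sess.dst_zone
    type_ok = {"universal": True, "intrazone": same_zone, "interzone": not same_zone}[rule.rule_type]
    return (rule.enabled and type_ok
            and (ANY in rule.src_zones or sess.src_zone in rule.src_zones)
            and (ANY in rule.dst_zones or sess.dst_zone in rule.dst_zones)
            and _in_addrs(rule.src_addrs, sess.src_ip)
            and _in_addrs(rule.dst_addrs, sess.dst_ip)
            and (ANY in rule.apps or sess.app in rule.apps))

def evaluate(rulebase, sess):
    """Top-down, first match wins; rules below the match are never consulted."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if matches(rule, sess):
            return rule
    raise AssertionError("unreachable: the default rules cover every session")

def _set_covers(outer, inner):
    return ANY in outer or (ANY not in inner and inner <= outer)

def _addr_covers(outer, inner):
    if ANY in outer or ANY in inner:
        return ANY in outer
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)

def shadowed_rules(rulebase):
    """(shadowed, by) pairs: a later rule whose whole match space an earlier enabled rule covers."""
    found = []
    for idx, later in enumerate(rulebase):
        for earlier in rulebase[:idx]:
            if (earlier.enabled
                    and earlier.rule_type in ("universal", later.rule_type)
                    and _set_covers(earlier.src_zones, later.src_zones)
                    and _set_covers(earlier.dst_zones, later.dst_zones)
                    and _addr_covers(earlier.src_addrs, later.src_addrs)
                    and _addr_covers(earlier.dst_addrs, later.dst_addrs)
                    and _set_covers(earlier.apps, later.apps)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rulebases: a catch-all placed first, and the same intent with the specific rule first.
SHADOWED = [
    Rule("Rule1", "allow"),
    Rule("Rule2", "allow", {"trust"}, {"untrust"}, apps={"web-browsing"}),
    Rule("Rule3", "deny"),
]
ORDERED = [
    Rule("allow-web", "allow", {"trust"}, {"untrust"}, {"10.0.0.0/8"}, apps={"web-browsing"}),
    Rule("deny-all", "deny", {"trust"}, {"untrust"}),
]

if __name__ == "__main__":
    web = Session("trust", "untrust", "10.1.1.1", "1.2.3.4", "web-browsing")
    print(evaluate(SHADOWED, web).name, shadowed_rules(SHADOWED))   # Rule1 [('Rule2', 'Rule1'), ('Rule3', 'Rule1')]
    print(evaluate(ORDERED, web).name, shadowed_rules(ORDERED))     # allow-web []
```

The shadow check is deliberately conservative: it only reports a rule when an earlier enabled rule covers every zone, address and application the later rule could match, which is exactly the "unreachable rule" case the exam asks about. Partial overlap, where an earlier rule steals some but not all of a later rule's traffic, is the case hit counts and rule order reports help you find, and this check does not flag it.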

36
MCQhard

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

A.Create a single rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user 'any', action 'allow' and enable logging.
B.Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user set to an LDAP group containing the administrators, action 'allow', and a second rule with same match criteria but action 'drop' and log at end.
C.Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', action 'allow', and rely on the firewall's default deny rule for others.
D.Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source address list of all administrators' IPs, action 'allow', and a catch-all drop rule.
AnswerB

User-ID integration allows scalable user-based policies.

Why this answer

Option B is correct because it uses an LDAP group as the source user attribute, which allows dynamic membership management without manual IP updates. The first rule permits SSH for the group, and the second rule logs and drops all other SSH attempts, ensuring only authorized administrators are allowed while unauthorized attempts are recorded for auditing. This approach is scalable for a large number of administrators because it leverages user-based policies rather than IP-based rules.

Exam trap

The trap here is that candidates often choose Option A, thinking that logging all SSH attempts is sufficient, but they overlook the requirement to restrict access to specific administrators, which necessitates a user-based filter rather than allowing all users.

How to eliminate wrong answers

Option A is wrong because setting source user to 'any' would allow all users from the Admin zone to access the Core zone via SSH, violating the requirement to restrict access to specific administrators only. Option C is wrong because relying on the default deny rule would silently drop unauthorized SSH attempts without logging them, failing the requirement to log and drop all other SSH attempts. Option D is wrong because using a source address list of all administrators' IPs is not scalable for a large number of administrators, as it requires manual updates whenever an administrator's IP changes or new administrators are added, and it does not leverage user-based identification.

37
MCQmedium

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

A.The rule only allows traffic from Engineering to Servers zone, not DMZ.
B.The rule is configured as an intrazone rule.
C.The rule is disabled in the rulebase.
D.SSL decryption is blocking the traffic.
AnswerA

The rule explicitly allows Engineering to Servers; traffic to DMZ is not covered and is denied by default.

Why this answer

The security rule explicitly permits traffic from the 'Engineering' zone to the 'Servers' zone. Traffic destined to the 'DMZ' zone is a different zone, so the rule does not apply. Traffic between different zones that matches no explicit allow rule falls through to the predefined interzone-default rule, which denies it; that is why the traffic is denied.

Exam trap

The trap here is that candidates may assume a rule allowing traffic to one zone implicitly covers other zones, but every rule matches zones explicitly, and a destination zone that is not listed in any allow rule falls through to the interzone-default deny.

How to eliminate wrong answers

Option B is wrong because an intrazone rule controls traffic within the same zone, not between different zones; the scenario involves interzone traffic from Engineering to DMZ. Option C is wrong because if the rule were disabled, it would not affect traffic to the Servers zone either, and the question states the rule allows traffic to Servers, implying it is enabled. Option D is wrong because SSL decryption is a separate feature that can inspect encrypted traffic but does not inherently block traffic; it would only affect traffic if a decryption policy explicitly denies or fails to decrypt, and there is no indication of SSL decryption involvement.

38
MCQeasy

A network administrator adds a new security rule allowing HTTP from the Trust zone to the Untrust zone. After committing, traffic from the Trust zone to the Untrust zone is still blocked. What is the most likely cause?

A.The source zone in the new rule is set to 'Untrust' instead of 'Trust'.
B.The application in the new rule is set to 'ssl' instead of 'http'.
C.The new rule is placed at the bottom of the policy, below an existing deny rule that matches the same traffic.
D.The destination zone in the new rule is set to 'Trust' instead of 'Untrust'.
AnswerC

Correct. Policy evaluation is top-down, so a deny rule above the allow rule will block traffic.

Why this answer

This is the most common cause because security policies are evaluated top-down, and an existing deny rule placed above the new allow rule will match first and block the traffic.

39
MCQeasy

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

A.Allow the traffic because rule 1 matches and allows all web traffic.
B.Allow the traffic because rule 3 allows all traffic.
C.Deny the traffic because no rule allows social-networking.
D.Deny the traffic because rule 2 matches and denies social-networking.
AnswerD

Rule 2 explicitly denies social-networking.

Why this answer

The firewall evaluates rules in order from top to bottom. Rule 2 explicitly denies the application 'social-networking', and since the user at 192.168.1.10 is attempting to access a social-networking site, rule 2 matches before any subsequent rule. Option D is therefore correct: the traffic is denied by rule 2.

Exam trap

The trap here is that candidates may assume a more permissive rule later in the policy (like rule 3 allowing all traffic) will override an earlier deny rule, but the firewall's first-match logic means the deny rule takes precedence.

How to eliminate wrong answers

Option A is wrong because, for rule 2 to be the matching rule, rule 1 cannot cover this session: under first-match evaluation a rule 1 that matched all web traffic from this user would have allowed the session before rule 2 was ever consulted, so the exhibit's rule 1 does not apply to this traffic. Option B is wrong because rule 3 allows all traffic, but it is only reached if no earlier rule matches; since rule 2 matches and denies the traffic, rule 3 is never evaluated. Option C is wrong because rule 2 explicitly denies social-networking, so there is a rule that denies it; the traffic is denied due to rule 2, not because no rule allows it.

40
MCQeasy

A small business has a Palo Alto Networks firewall with a single security policy rule that allows all traffic from the 'Trust' zone to the 'Untrust' zone. The business recently experienced a malware infection originating from an internal host that communicated with known malicious IP addresses. The administrator wants to implement a security policy to block traffic to these malicious IP destinations. The administrator has a list of 500 malicious IP addresses that may change frequently. What is the most efficient way to create a policy to block traffic to these IPs?

A.Create a security rule with an address group containing the 500 IPs as destination, action deny, placed above the allow rule.
B.Create a security rule with source zone Trust, destination zone Untrust, source address list containing the 500 IPs, action deny.
C.Create an External Dynamic List (EDL) of the malicious IPs and reference it in a security rule as destination address, with action deny, placed above the allow rule.
D.Create a security rule with source zone Trust, destination zone Untrust, destination address list containing the 500 IPs as separate address objects, action deny, placed above the allow rule.
AnswerC

Correct. EDLs simplify management and allow automatic updates, making them the most efficient choice for frequently changing lists.

Why this answer

External Dynamic Lists (EDLs) are designed to manage large, frequently updated lists of IP addresses. They integrate with security rules and can be updated automatically, minimizing administrative overhead.

41
Multi-Selecthard

Which TWO factors affect the order in which security rules are evaluated?

Select 2 answers
A.Application used in the rule.
B.Rule hit count.
C.Whether the rule is intra-zone or inter-zone.
D.Rule position in the rulebase (top-down).
E.Rule action (allow or deny).
AnswersC, D

Rule position is the primary ordering factor; rule type (intrazone, interzone, universal) decides which sessions a rule can apply to at all, and the predefined intrazone-default and interzone-default rules are always evaluated last.

Why this answer

C and D are correct. Rule position determines priority: the firewall walks the rulebase top-down and stops at the first match. Rule type narrows what a rule can match: an intrazone rule applies only to sessions whose source and destination zones are the same, an interzone rule only to sessions between different zones, and a universal rule to both, with the predefined intrazone-default and interzone-default rules always last.

B is wrong because hit count is a statistic, not an ordering input. E is wrong because the action is the result of a match, not a factor in choosing which rule is evaluated. A is wrong because the application is a match criterion like any other; it does not change the order in which rules are considered.

42
MCQeasy

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

A.The source IP is negated in the rule.
B.The rule is placed at the top of the rulebase and overridden by a later rule.
C.The rule is positioned below an allow rule that matches the same traffic.
D.The rule is disabled in the rulebase.
AnswerC

First match wins, so the allow rule matches before the block rule.

Why this answer

Option C is correct because the Palo Alto Networks firewall evaluates security rules in top-down order, from the first rule in the rulebase to the last. If a rule that allows traffic is placed higher in the list, it will match and permit the traffic before the lower-placed block rule is ever evaluated. The block rule at the bottom is effectively never reached for that traffic, which is why the intended blocking action fails.

Exam trap

The trap here is that candidates may think rule order does not matter or that a block rule can override an allow rule regardless of position, but Palo Alto Networks enforces strict top-down evaluation where the first match wins, so a lower rule cannot override a higher rule's action.

How to eliminate wrong answers

Option A is wrong because a negated source would make the rule match every source except the intended IP, so the rule would indeed fail to block that IP; but the question states that the traffic is being matched by an allow rule higher in the list, which points to rule position rather than rule logic as the cause. Option B is wrong because if the rule were at the top of the rulebase, it would be evaluated first and could not be overridden by a later rule (Palo Alto Networks uses first-match, not last-match, semantics). Option D is wrong because a disabled rule is simply skipped during evaluation and would not cause traffic to be allowed by a higher rule; the traffic would still be evaluated against the other enabled rules in order.

43
MCQhard

After a policy change, a security administrator commits the candidate configuration, but the changes do not take effect immediately for all users. Some users report connectivity issues while others do not. What should the administrator check first?

A.The new rule has an incorrect source zone.
B.There is a mismatch between the virtual wire vs layer3 interface.
C.The committed configuration is still in candidate state.
D.The commit was successful but the changes are applied only to new sessions, not existing sessions.
AnswerD

Policy changes only affect new sessions; existing sessions continue under the old policy until they time out. This is the behaviour the question assumes; note that it depends on the Rematch Sessions setting (Device > Setup > Session), which when enabled (the default) makes the firewall re-evaluate sessions already in progress against the newly committed policy.

Why this answer

Option D is correct because, with session rematch disabled, policy changes affect only new sessions; users whose sessions started before the commit keep the old behaviour until those sessions time out, which explains why some users see the change and others do not. Option A is wrong because an incorrect source zone would affect every user of that zone consistently, not a subset. Option B is not related to policy application.

Option C is wrong because a successful commit makes the candidate configuration the running configuration; nothing stays "in candidate state" for some users only.

44
MCQmedium

A company wants to block all traffic from the Guest zone to the Corporate zone except DNS. What is the best practice for configuring the security policy?

A.Create a deny rule for any traffic from Guest to Corporate, placed above an allow rule for DNS.
B.Rely on the interzone default rule, which blocks all traffic, and add a rule to allow DNS.
C.Create an allow rule for DNS from Guest to Corporate, placed above a deny rule for any other traffic.
D.Create a universal rule that applies to all zones with action 'allow' for DNS and 'deny' for everything else.
AnswerC

Correct. Placing the specific allow rule above the general deny rule ensures DNS is allowed and all else is blocked.

Why this answer

Best practice is to place the allow rule before the deny rule so that permitted traffic is not blocked by a broader deny rule. Option B would also block the remaining traffic, because the predefined interzone-default rule denies traffic between different zones, but that rule does not log by default; an explicit deny rule (or an override of interzone-default to enable logging) gives visibility into what was blocked.

45
Multi-Selecteasy

Which TWO are required to configure a Forward Proxy Decryption rule?

Select 2 answers
A.A Certificate
B.A Decryption Profile
C.A Destination Zone
D.A Source Zone
E.A URL Category
AnswersA, B

A certificate is required to impersonate the destination server.

Why this answer

A certificate is required for a Forward Proxy Decryption rule because the firewall must generate and sign a certificate on the fly to impersonate the destination server to the client. Without a trusted forward trust certificate (a CA certificate the clients trust, configured under Device > Certificate Management and marked as the Forward Trust Certificate), the client browser will reject the connection with a certificate error. The certificate is used to establish a trusted TLS session between the client and the firewall, allowing the firewall to decrypt and inspect the traffic. A decryption profile (option B) governs how the decrypted session is handled: which protocol versions and cipher suites are acceptable, and whether sessions with expired or untrusted server certificates are blocked.

Exam trap

Palo Alto Networks often tests the distinction between mandatory and optional fields in decryption rules, leading candidates to mistakenly include source or destination zones as required when they are actually optional filters.

46
MCQmedium

An administrator needs to apply a security profile that includes anti-malware and vulnerability protection to all traffic from the internal network to the internet. However, there is already a rule that allows this traffic without any profiles. What is the most efficient way to apply the profiles?

A.Create a new rule above the existing rule with the profiles and action 'deny'.
B.Remove the existing rule and replace it with a new rule that includes the profiles.
C.Create a new rule above the existing rule with the profiles and action 'allow', and ensure the rule is before the existing allow rule.
D.Edit the existing rule to add the security profiles.
AnswerC

This ensures the new rule matches first and applies profiles.

Why this answer

Option C is correct because a new rule above the existing rule, with action 'allow' and the profiles attached, matches first and enforces inspection without touching the existing rule. Option A is wrong because a deny rule would block the traffic instead of inspecting it. Option B would work but is less efficient, since rebuilding a possibly complex rule is more work than adding one above it.

Option D is marked wrong on the grounds that it changes the existing rule; in practice, attaching a security profile group to the existing allow rule is also a valid, and often simpler, way to enforce inspection.

47
MCQmedium

A network administrator notices that traffic from a specific subnet is being denied even though there is a permit rule that matches the source and destination. The rulebase has over 500 rules. What is the most likely cause?

A.The destination NAT is causing asymmetric routing.
B.The rule is too far down in the rulebase and a previous implicit deny is blocking.
C.A previous rule with a broader match is denying the traffic before reaching the permit rule.
D.The application override is misconfigured.
AnswerC

A rule with deny and broader match earlier in rulebase will block traffic.

Why this answer

Option C is correct because rule order matters: a rule earlier in the rulebase with a broader match and a deny action blocks the traffic before the permit rule is reached, which is easy to miss in a rulebase of 500 rules. Option B is wrong because the implicit deny (interzone-default) sits at the very end of the rulebase and cannot block traffic before a permit rule; only explicit rules above the permit rule can. Option D is wrong because application override changes how a session is classified rather than denying it.

Option A is wrong because destination NAT affects addressing and routing, not policy lookup order.

48
Matchingmedium

Match each security rule type to its purpose.


Blocks known attack patterns

Controls access to websites

Prevents transfer of specific file types

Prevents sensitive data exfiltration

Why these pairings

These descriptions correspond to security profiles that are attached to a Security policy rule, rather than separate rule types; a profile acts only on sessions the rule allows.

49
MCQmedium

A company is migrating from a legacy firewall to a Palo Alto Networks firewall. The legacy policy has many rules with overlapping source and destination objects. Which feature should the administrator use to simplify the policy before migration?

A.Policy Optimizer
B.WildFire
C.Application Override
D.User-ID
AnswerA

Policy Optimizer identifies unused rules and rules with overly broad or unused applications, so they can be tightened or removed before migration.

Why this answer

Option A is correct because Policy Optimizer analyzes existing rules, reports which are unused and which applications they actually see, and so supports consolidating and removing redundant rules. Option C is wrong because Application Override changes how sessions are classified and is not used for simplifying rules. Option B is wrong because WildFire is a cloud-based malware analysis service.

Option D is wrong because User-ID maps users to IP addresses; it does not simplify rules.

50
MCQmedium

Refer to the exhibit. An administrator is analyzing the rulebase. Traffic from source 10.1.1.5 to destination 8.8.8.8 using web-browsing application (HTTP TCP/80). Which rule will match?

A.rule3.
B.rule2.
C.rule1.
D.None, because rule1 and rule2 have specific applications.
AnswerA

rule3 matches the traffic because source subnet includes 10.1.1.5 and application any.

Why this answer

Option A is correct because rule3 has source 10.1.1.0/24 and application any, matching the traffic. rule1 does not match because it only allows the ssl application. rule2 does not match because its source is 10.1.0.0/24, which does not include 10.1.1.5. Therefore, rule3 is the first matching rule, and it denies the traffic.

51
MCQhard

A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?

A.Create two rules: one for general traffic with 'allow' action and a 'threat' profile, and a higher-priority rule for video conferencing traffic with 'allow' action and no threat profile.
B.Create a single rule with 'allow' action and no security profiles, and rely on the firewall's default behavior to inspect malware.
C.Create a single rule with 'allow' action and a 'threat' profile applied, and rely on the firewall's ability to skip inspection for video traffic automatically.
D.Use policy-based forwarding to route video traffic to a separate interface that has no security profiles.
AnswerA

This allows selective bypassing of threat inspection for video traffic while inspecting the rest.

Why this answer

Option A is correct because it uses two security rules with different priorities: a higher-priority rule for video conferencing traffic with an 'allow' action and no threat profile to bypass inspection, and a lower-priority rule for general traffic with an 'allow' action and a threat profile to enforce malware inspection. This leverages the firewall's rule-ordering logic, where the first matching rule is applied, allowing selective bypass of threat inspection for specific traffic while maintaining security for other traffic.

Exam trap

The trap here is that candidates may assume the firewall can automatically detect and exempt video traffic from inspection without explicit rule configuration, or that a single rule with a threat profile can be configured to skip inspection for certain applications, but Palo Alto firewalls require separate rules or profile exceptions to achieve selective bypass.

How to eliminate wrong answers

Option B is wrong because creating a single rule with no security profiles would allow all traffic without any threat inspection, failing to meet the requirement to inspect general traffic for malware. Option C is wrong because firewalls do not automatically skip threat inspection for video traffic based on traffic type alone; a specific rule or profile exception must be configured. Option D is wrong because policy-based forwarding (PBF) is used to route traffic based on policies, not to selectively apply or bypass security profiles; it would add unnecessary complexity and does not directly control threat inspection on the same interface.

52
Multi-Selecthard

An administrator is troubleshooting why a policy is not being matched. Which THREE of the following are valid reasons a security rule might not be hit? (Choose three.)

Select 3 answers
A.The traffic does not match the source zone specified.
B.The rule has a high hit count.
C.The rule has a log forwarding profile configured.
D.The rule is in a disabled state.
E.The rule's action is set to drop.
F.The destination address object is not in the rule's referenced address group.
AnswersA, D, F

If source zone differs, the rule is not evaluated.

Why this answer

Options A, D, and F are correct. Option A: if the source zone does not match, the rule is skipped. Option D: a disabled rule is not evaluated.

Option F: if the traffic's destination IP is not in any address object in the rule's address group, the rule does not match. Option B is wrong because a high hit count shows the rule is being hit. Option E is wrong because a rule with action drop is still matched (and then drops the traffic), so its hit count increases.

Option C is wrong because log forwarding does not affect matching.

53
MCQhard

A company has multiple branch offices connected via IPsec tunnels to a central datacenter. The central datacenter has a PA-5250 running PAN-OS 10.1. The security team wants to enforce that traffic between branches is inspected by the central firewall, not directly between branches. They configure security policies to allow inter-branch traffic through the central firewall. However, they notice that traffic between two branches (Branch A and Branch B) is not traversing the central firewall and is instead going directly between the branches via the IPsec tunnels which are configured as route-based VPNs. The security team has verified that the security policies are correctly configured to require the traffic to go through the central datacenter. What is the most likely cause?

A.The IPsec tunnel between branches is configured with a higher metric than the tunnel to the central firewall.
B.The security policy rules are not in the correct order; a rule allowing direct traffic is matched first.
C.The route-based VPN tunnels between branches are in the same virtual router and have a higher administrative distance than the central tunnel, causing a routing loop.
D.The route-based VPN tunnels are using static routes that are more specific than the routes advertised by the central firewall.
AnswerD

More specific static routes take precedence over less specific dynamic routes, causing direct traffic.

Why this answer

The most likely cause is that the route-based VPN tunnels between branches use static routes with a more specific prefix (e.g., /24) than the routes advertised by the central firewall (e.g., /16). In route-based VPNs, the firewall makes forwarding decisions based on the routing table; more specific routes have a higher priority regardless of administrative distance or metric. Therefore, Branch A's traffic destined for Branch B matches the more specific static route pointing directly to Branch B's IPsec tunnel, bypassing the central firewall despite security policies requiring inspection.

Exam trap

The trap here is that candidates confuse routing table preference (longest prefix match and administrative distance) with security policy evaluation order, assuming that correctly ordered policies guarantee traffic inspection without considering that the firewall must first route the traffic to itself.

How to eliminate wrong answers

Option A is wrong because a higher metric on the inter-branch tunnel would make it less preferred, not more; the traffic would then use the central tunnel. Option B is wrong because security policy order affects which rule is matched, but if the routing table sends traffic directly to the other branch, the firewall never evaluates the policy for central inspection—routing decisions occur before policy evaluation. Option C is wrong because a higher administrative distance makes a route less preferred; if the inter-branch route had a higher AD, the central route would be chosen, not causing a routing loop.

Additionally, route-based VPNs in the same virtual router do not inherently cause loops; a less-preferred route is simply not installed as the forwarding path, so it cannot pull traffic in a circle.

54
Multi-Selecthard

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

Select 3 answers
A.The position of the deny rule in the rulebase relative to allow rules.
B.Whether the deny rule is disabled.
C.Whether the source/destination zones or addresses are correctly defined.
D.Whether logging is enabled on the rule.
E.Whether SSL decryption is enabled for the traffic.
AnswersA, B, C

A higher-priority allow rule might match before the deny rule.

Why this answer

Option A is correct because the firewall evaluates rules in top-down order, and a deny rule placed above an allow rule for the same traffic will match first and block the traffic, even if a subsequent allow rule would have permitted it. This is a fundamental aspect of policy evaluation in Palo Alto Networks firewalls, where the first matching rule is applied and no further rule processing occurs. Option B is correct because a disabled deny rule is skipped, so checking the rule's state confirms whether it can be the cause at all. Option C is correct because a deny rule whose zones or address objects are broader than intended will match sessions it was never meant to catch.

Exam trap

The trap here is that candidates may confuse operational features like logging or decryption with the core policy evaluation logic, assuming they influence rule matching, when in fact only rule order, rule state, and correct object definitions determine whether a deny rule blocks traffic.

55
MCQ, hard

A company has a Palo Alto Networks firewall with multiple virtual routers. The security policy has a rule that allows SSH from the 'Internal' zone to the 'DMZ' zone. Recently, a new subnet 10.10.20.0/24 was added to the Internal zone. Users in that subnet report they cannot SSH to a server at 192.168.1.10 in the DMZ, while users from other subnets in Internal can. The rule has source address object '10.0.0.0/8' which includes the new subnet. The rule's source zone is Internal, destination zone is DMZ, and application is SSH. The administrator confirms the new subnet's IPs are within 10.0.0.0/8. What is the most likely cause of the problem?

A.The application is not correctly identified because the SSH server uses a non-standard port.
B.There is a deny rule placed above the allow rule that matches the new subnet but not the other subnets.
C.The firewall's route table has a more specific route for 10.10.20.0/24 pointing to a different virtual router, causing traffic from that subnet to enter via an interface in a different zone.
D.The rule's source address object is incorrectly defined as '10.0.0.0/8' but the new subnet is not actually within that range.
Answer: C

Correct. If the subnet's traffic enters via a different VR and zone, the security policy rule (which expects the Internal zone) will not match.

Why this answer

The most likely cause is that the new subnet is routed through a different virtual router (VR) than the one used by the Internal zone's interface. The security policy is zone-based, and the zone of a flow is determined by the interface it ingresses on; if the traffic enters via an interface in a different VR, it is assigned that interface's zone rather than Internal, so the rule's source zone does not match. The correct answer describes exactly this scenario: a more specific route for 10.10.20.0/24 sends that subnet's traffic through a different virtual router and zone.

56
MCQ, easy

Refer to the exhibit. An internal DNS server in the trust zone communicates with an external DNS server in the untrust zone. Which rule will match the DNS traffic?

A.No rule will match
B.rule 3 (deny-all)
C.rule 2 (allow-dns)
D.rule 1 (allow-http)
Answer: C

This rule matches DNS traffic from trust to untrust.

Why this answer

Rule 2 (allow-dns) is the match because it specifically allows the DNS application from trust to untrust. Rule 1 (allow-http) does not match because it allows web-browsing, not DNS. Rule 3 (deny-all) would match only if no earlier rule had matched, and here rule 2 matches first.

"No rule will match" is wrong because rule 2 explicitly matches DNS.

57
MCQ, medium

An administrator has configured multiple security rules for a data center. There is a rule that allows SSH from the 'Management' zone to the 'Server' zone. Recently, the administrator added a new rule allowing SSH from a new 'Admin' zone to the 'Server' zone. The Admin rule is placed above the Management rule. Both rules specify the correct zones, application SSH, and action allow. After committing, SSH traffic from the Admin zone is being denied. What is the most likely issue?

A.There is a deny rule placed above the new Admin rule that matches the Admin zone traffic.
B.The Admin rule has a typo in the destination address, causing it to not match the server.
C.The Management rule is shadowing the Admin rule due to overlapping conditions.
D.The Admin zone is not associated with the correct virtual router.
Answer: A

Correct. A deny rule above would block the SSH traffic before it reaches the allow rule.

Why this answer

If the Admin rule is above the Management rule and both allow SSH, traffic from the Admin zone should be allowed by the Admin rule. The only plausible reason for the denial is that a deny rule exists above the Admin rule and matches the Admin zone traffic, so the allow rule is never reached. That is the scenario the correct answer describes.
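As an added example that is not part of this question bank, the following Python sketch of a first-match evaluator shows the points behind questions 54, 55 and 57 together: a disabled rule is skipped, the first matching rule wins even when an allow rule follows it, and the ingress zone is fixed by the routing lookup before the policy is consulted. The zone names, routes, rule names and addresses are constructed, and the default deny is a simplified stand-in for the firewall's interzone-default rule.

```python
# Added example, not from the question bank: simplified first-match evaluator.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    from_zone: str  # source zone or "any"
    to_zone: str    # destination zone or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    app: str        # application name or "any"
    action: str     # "allow" or "deny"
    disabled: bool = False

def ingress_zone(src_ip, routes):
    """Longest-prefix match over constructed (prefix, zone) pairs: routing decides the zone first."""
    ip = ip_address(src_ip)
    matches = [(ip_network(p), z) for p, z in routes if ip in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, "unknown"))[1]

def evaluate(rules, from_zone, to_zone, src_ip, dst_ip, app):
    """Top-down, first match wins; disabled rules are never evaluated."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if r.disabled:
            continue
        if (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
                and src in ip_network(r.src) and dst in ip_network(r.dst)
                and r.app in ("any", app)):
            return r.name, r.action
    return "interzone-default", "deny"   # simplified default deny

# Constructed rulebase: a narrow deny sits above the broad allow (questions 54 and 57).
RULES = [
    Rule("deny-ssh-contractors", "Internal", "DMZ", "10.0.50.0/24",
         "192.168.1.0/24", "ssh", "deny"),
    Rule("old-block", "Internal", "DMZ", "10.0.0.0/8", "192.168.1.0/24",
         "ssh", "deny", disabled=True),
    Rule("allow-ssh", "Internal", "DMZ", "10.0.0.0/8", "192.168.1.0/24",
         "ssh", "allow"),
]
# Constructed routing: the new /24 is reached through another VR/zone (question 55).
ROUTES = [("10.0.0.0/8", "Internal"), ("10.10.20.0/24", "Branch")]

def ssh_to_dmz(src_ip):
    """Route first, then evaluate policy with the resulting ingress zone."""
    zone = ingress_zone(src_ip, ROUTES)
    return evaluate(RULES, zone, "DMZ", src_ip, "192.168.1.10", "ssh")
```

Calling `ssh_to_dmz("10.10.20.7")` falls through to the default deny even though the address is inside 10.0.0.0/8, because the routing lookup assigns it the Branch zone; the same address evaluated with the Internal zone is allowed.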
