Palo Alto Networks Certified Network Security Engineer PCNSE (PCNSE) — Questions 76-150

516 questions total · 7 pages · All types, answers revealed


Page 2 of 7

76
Multi-Select, medium

An organization has configured an active/passive high availability pair of Palo Alto Networks firewalls. During a maintenance window, the active firewall was rebooted. After the reboot, the passive firewall became active, but the session table on the original active firewall is incomplete. The administrator notices that session synchronization is not working properly. Which two configuration checks should the technician perform to resolve this issue?

Select 2 answers
A.Check that the session synchronization encryption is disabled to reduce latency.
B.Validate that the heartbeat hold timer is set to a value greater than the failover delay.
C.Confirm that the HA1 link is using the correct IP address and is in the same subnet.
D.Verify that the HA2 link is operational and has sufficient bandwidth.
E.Ensure that the HA firewalls have the same software version and that session synchronization is enabled in the HA configuration.
Answers: D, E

The HA2 link is dedicated to session synchronization; if it is down or congested, sync fails.

Why this answer

Session synchronization runs over the HA2 data link, so verifying that HA2 is up and has enough bandwidth (D) is the first check. Session sync must also be enabled in the HA configuration, and both peers must run the same PAN-OS version (E); a version mismatch leaves the pair unable to exchange session state. HA1 (C) carries hello/heartbeat messages and configuration sync, not session state, so a correctly addressed HA1 link does not explain a missing session table. On either peer, 'show high-availability state-synchronization' reports whether session sync is running and how many sessions have been synchronized.

Option A is incorrect because encryption has no bearing on sync reliability: HA1 encryption is optional, and HA2 state synchronization is not encrypted at all. Option B (heartbeat hold timer) affects how quickly a failover is declared, not whether sessions are replicated.

77
MCQ, hard

A network engineer needs to configure SNMP traps on a PA-5250 running PAN-OS 10.2 to alert when CPU usage exceeds 80% for more than 10 minutes. Which CLI command should be used to set this threshold?

A.set snmp-server trap cpu-threshold 80
B.show snmp-server trap
C.set snmp-server trap source-interface ethernet1/1
D.set snmp-server trap destination host 192.168.1.100 community public
Answer: A

This sets the CPU threshold for generating traps.

Why this answer

Option A is the intended answer: of the four commands shown, only 'set snmp-server trap cpu-threshold 80' sets a threshold value at all; the others display configuration, set the trap source interface, or define a trap receiver. Treat the syntax itself with caution. PAN-OS does not use the Cisco-style 'snmp-server' command tree: on a real firewall, SNMP trap receivers are defined in an SNMP Trap server profile (Device > Server Profiles > SNMP Trap) and system events are forwarded to them through Device > Log Settings, and the claim that a 10-minute duration is fixed and non-configurable is not something to rely on. Verify any command against the PAN-OS CLI reference for your release before using it in production.

Exam trap

The trap here is that candidates often confuse the 'set snmp-server trap' command with subcommands for destinations or interfaces, failing to recognize that 'cpu-threshold' is a distinct parameter that must be set separately from trap receiver configuration.

How to eliminate wrong answers

Option B is wrong because 'show snmp-server trap' is a verification command that displays current SNMP trap configuration, not a configuration command to set a threshold. Option C is wrong because 'set snmp-server trap source-interface ethernet1/1' configures the source interface for outgoing SNMP traps, not the CPU threshold. Option D is wrong because 'set snmp-server trap destination host 192.168.1.100 community public' defines a trap receiver and its SNMP community string, but does not set the CPU threshold value.

78
Multi-Select, medium

Which TWO conditions typically cause the firewall to bypass SSL decryption for a session? (Choose two.)

Select 2 answers
A.The firewall detects that the session is already decrypted (e.g., by another device).
B.The client and server negotiate a cipher suite not supported by the firewall.
C.The certificate presented by the server is not valid (e.g., expired, untrusted).
D.The traffic matches a 'no-decrypt' rule in the decryption policy.
E.The decrypted data exceeds a certain size threshold.
Answers: B, C

If the cipher is unsupported, the firewall cannot decrypt.

Why this answer

Option B is correct because if the client and server negotiate a cipher suite that the firewall does not support, the firewall cannot decrypt the session; with the decryption profile's 'Block sessions with unsupported cipher suites' option left unchecked, the session is passed through undecrypted rather than dropped (for example, a cipher suite a pre-10.0 firewall cannot handle). Option C is correct in the sense the exam intends: the firewall will not impersonate a server whose certificate is invalid (expired, untrusted issuer, name mismatch) using its forward trust CA. Note, however, that the default behaviour is not a silent bypass. The firewall still decrypts and re-signs such a session with the forward untrust certificate, so the client sees the same warning it would have seen from the server, and the decryption profile can instead be set to block these sessions outright. Whether the session is bypassed, re-signed with the untrust certificate, or blocked is a profile setting, so check the decryption profile and the decryption log before assuming a bypass.

Exam trap

The trap here is that candidates often confuse policy-based 'no-decrypt' rules (which are intentional exclusions) with technical conditions that force a bypass, or they mistakenly think that invalid certificates always cause decryption to fail when in fact the firewall can be configured to still decrypt with a warning or to bypass based on policy.

79
MCQ, medium

Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?

A.The traffic is being blocked because the 'From Zone' is trust
B.The session is being denied by a different rule
C.The firewall might be incorrectly identifying the application as web-browsing when it is something else
D.The session is not being logged correctly
Answer: C

Application misidentification can cause partial loading if the firewall blocks embedded objects.

Why this answer

When a firewall incorrectly identifies an application, it may apply the wrong App-ID-based policy, potentially blocking or failing to allow all required subcomponents of the traffic (e.g., embedded objects, scripts, or secondary connections). In this scenario, the session is established but the page does not load completely, which is a classic symptom of the firewall misclassifying the application as 'web-browsing' (HTTP/HTTPS) when it is actually a more complex application (e.g., a web application using non-standard ports or dynamic content). The firewall then enforces the policy for 'web-browsing', which may not permit the necessary additional flows or decryption, causing partial loading.

Exam trap

Palo Alto Networks often tests the nuance that a session being 'established' does not guarantee full application functionality; candidates mistakenly assume that if the session is up, all traffic is passing, but App-ID misclassification can cause partial content delivery.

How to eliminate wrong answers

Option A is wrong because the 'From Zone' being trust does not inherently block traffic; zone-based policies are evaluated based on the rulebase, and a session being established indicates that a rule allowed the initial handshake. Option B is wrong because if the session is established, it has already matched a rule that permits the session; a different rule denying the session would prevent establishment entirely, not cause partial loading. Option D is wrong because logging is a reporting function and does not affect whether traffic is allowed or blocked; incorrect logging would not cause incomplete page loading.

80
MCQ, easy

A medium-sized enterprise recently deployed a PA-5250 firewall in a data center as the primary internet gateway. The network team configured the security policies to allow all outbound web traffic (HTTP/HTTPS) from the internal trust zone to the untrust zone, with URL filtering and threat prevention enabled. After the deployment, users complain that some legitimate websites, such as banking and healthcare portals, are being blocked. The team checks the URL filtering logs and sees that these sites are categorized as 'web-hosting' or 'dynamic-dns', which are in the block list. The company's compliance requires that all web traffic be inspected. What should the network engineer do to resolve the issue without reducing security?

A.Add the specific URLs to the 'Allow List' in the URL filtering profile
B.Set the URL filtering profile action for 'web-hosting' to 'alert' instead of 'block'
C.Create a URL category override for each legitimate site to reclassify it as 'business-economy' or 'health-medicine'
D.Remove the 'web-hosting' and 'dynamic-dns' categories from the block list
Answer: C

Override changes the category for specific URLs, so they are no longer blocked by the 'web-hosting' or 'dynamic-dns' categories, while still being subject to other security checks.

Why this answer

Option C is correct because URL category overrides allow you to reclassify specific URLs into a more appropriate category (e.g., 'health-medicine') without altering the global block action for 'web-hosting' or 'dynamic-dns'. This preserves the security posture by keeping the broad categories blocked for unknown or risky sites, while permitting the legitimate sites that were miscategorized by the Palo Alto Networks URL filtering database.

Exam trap

The trap here is that candidates often choose to add URLs to an allow list (Option A) without realizing that this exempts those URLs from URL filtering evaluation altogether, so the category is never enforced or logged for them, which does not satisfy a requirement that all web traffic be inspected.

How to eliminate wrong answers

Option A is wrong because adding specific URLs to the 'Allow List' in the URL filtering profile exempts those URLs from URL filtering evaluation (category lookup, action and URL logging), which conflicts with the compliance requirement that all web traffic be inspected. The other security profiles on the rule (antivirus, anti-spyware, vulnerability protection) still apply, so what is lost is URL-level inspection, but that is still a gap the requirement does not allow. Option B is wrong because setting the action for 'web-hosting' to 'alert' would allow all sites in that category, including potentially malicious ones, reducing security by permitting unvetted traffic. Option D is wrong because removing 'web-hosting' and 'dynamic-dns' from the block list would globally allow all sites in those categories, including malicious ones, which undermines the security policy and compliance requirements.

81
MCQ, medium

A user reports that they cannot access a website. The firewall logs show the session was denied with 'No rule matched'. The security policy has a rule that should match the traffic. What is the most likely cause?

A.The source and destination zones are misconfigured
B.The rule is disabled
C.The user's IP is in a block list
D.The firewall is in transparent mode
Answer: A

If the rule's source or destination zone does not match the traffic zones, it won't match.

Why this answer

If no rule matches, it's often because the zones are incorrectly configured. The source or destination zone may not match the rule's zone definitions.

82
Multi-Select, easy

Which TWO statements about active/active HA mode are true compared to active/passive mode? (Choose two.)

Select 2 answers
A.Active/active eliminates the need for failover
B.Active/active requires enabling asymmetric routing support
C.Active/active allows both firewalls to process traffic simultaneously
D.Active/active automatically synchronizes configuration changes
E.Active/active is the default and most commonly deployed mode
Answers: B, C

Needed to handle return traffic on different firewall.

Why this answer

Options B and C are correct. In active/active mode both peers forward traffic at the same time, and because a flow's return packets may arrive at the other peer, asymmetric routing support (session ownership and setup across the pair, with the HA3 link forwarding packets between peers) is required. Option A is wrong because failover still occurs: if one peer fails, the other takes over its share of the traffic. Option D is wrong because configuration synchronization over HA1 works the same way in both modes, so it is not a distinguishing feature of active/active. Option E is wrong because active/passive is the default and by far the more common deployment.

83
Multi-Select, hard

Which THREE factors can cause a session to be terminated abnormally with a 'tcp-rst-from-server' or 'tcp-rst-from-client' flag in the session end reason? (Choose three.)

Select 3 answers
A.The server sends a TCP RST packet to the client.
B.The firewall's application override is incorrectly matching the traffic.
C.The session reaches the configured idle timeout.
D.A decryption error occurs during SSL handshake.
E.The firewall runs out of session resources and starts dropping new sessions.
Answers: A, B, D

The firewall records the RST as the session end reason.

Why this answer

Options A, B, and D are correct. Application override can cause the firewall to incorrectly handle the session, leading to resets. Decryption errors can cause the firewall to send resets if the SSL handshake fails.

A server that sends a RST will be recorded. Option C is wrong because a session timeout results in a 'aged-out' reason, not RST. Option E is wrong because resource exhaustion typically causes drops or age-outs, not RST.
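As an added illustration of the triage this question is driving at (this is example code, not part of the question bank or of PAN-OS), the script below groups session end reasons per application from a handful of traffic-log records and flags repeated resets against one server or on an overridden application. The log lines are constructed and use a simplified subset of traffic-log fields, not the full PAN-OS CSV layout; the set of Application Override apps is likewise a sample value.

```python
"""Added example (not from the question bank): triage of PAN-OS traffic-log
session end reasons. The log lines below are a constructed, simplified
subset of traffic-log fields (not the full PAN-OS CSV layout):
time, src, dst, app, rule, action, session_end_reason."""
import csv
from collections import Counter, defaultdict
from io import StringIO

SAMPLE_LOG = """\
2024-05-01 10:00:01,10.1.1.20,203.0.113.10,ssl,allow-web,allow,tcp-rst-from-server
2024-05-01 10:00:02,10.1.1.20,203.0.113.10,ssl,allow-web,allow,tcp-rst-from-server
2024-05-01 10:00:05,10.1.1.21,203.0.113.10,ssl,allow-web,allow,tcp-rst-from-server
2024-05-01 10:00:07,10.1.1.22,198.51.100.5,custom-db,allow-db,allow,tcp-rst-from-client
2024-05-01 10:00:09,10.1.1.22,198.51.100.5,custom-db,allow-db,allow,tcp-rst-from-client
2024-05-01 10:01:00,10.1.1.30,198.51.100.9,web-browsing,allow-web,allow,aged-out
2024-05-01 10:01:30,10.1.1.31,198.51.100.9,web-browsing,allow-web,allow,tcp-fin
2024-05-01 10:02:00,10.1.1.40,203.0.113.77,unknown-tcp,interzone-default,deny,policy-deny
"""

FIELDS = ["time", "src", "dst", "app", "rule", "action", "session_end_reason"]
RESET_REASONS = {"tcp-rst-from-server", "tcp-rst-from-client"}
# Applications defined through Application Override. Sample value; in
# practice read them from the firewall's application-override policy.
OVERRIDE_APPS = {"custom-db"}


def parse(text):
    """Parse the simplified log into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


def end_reason_counts(records):
    """Session end reasons per application, separating resets (options A,
    B, D) from aged-out sessions (the idle-timeout case, option C)."""
    per_app = defaultdict(Counter)
    for r in records:
        per_app[r["app"]][r["session_end_reason"]] += 1
    return per_app


def reset_hotspots(records, min_resets=2):
    """(app, dst) pairs with repeated resets: candidates for a decryption
    failure (ssl to one server) or a misbehaving Application Override."""
    pairs = Counter((r["app"], r["dst"]) for r in records
                    if r["session_end_reason"] in RESET_REASONS)
    return {pair: n for pair, n in pairs.items() if n >= min_resets}


def override_resets(records, override_apps=OVERRIDE_APPS):
    """Resets on overridden applications, where App-ID inspection has been
    switched off and the override may be matching the wrong traffic."""
    return [r for r in records
            if r["app"] in override_apps
            and r["session_end_reason"] in RESET_REASONS]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for app, reasons in end_reason_counts(recs).items():
        print(app, dict(reasons))
    print(reset_hotspots(recs))
    print(len(override_resets(recs)), "resets on overridden apps")
```

Run against a real export, the hotspot list is where to start: three resets from the same server on 'ssl' points at the decryption log, while resets on an overridden custom application point at the override rule's port and address match.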

84
Multi-Select, hard

Which TWO conditions can cause an HA pair to enter an 'active/active' state? (Choose two.)

Select 2 answers
A.Loss of HA keepalive on both sides
B.License expiration on one firewall
C.Session synchronization failure
D.Configuration mismatch between peers
E.HA1 link failure
Answers: A, E

If keepalives are lost, each firewall assumes the other is dead and becomes active.

Why this answer

A is correct because when both firewalls lose the HA keepalive (sent over HA1 link), each firewall assumes the peer is dead and transitions to active state to ensure traffic continuity. This is a fail-safe mechanism: without keepalive, each unit independently becomes active, resulting in an active/active condition that can cause duplicate IP addresses and traffic loops.

Exam trap

The trap here is that candidates often think only a complete HA1 link failure (option E) causes active/active, but they overlook that loss of keepalive on both sides (option A) is the underlying mechanism—and both conditions are correct because HA1 link failure directly causes loss of keepalive on both sides.

85
MCQ, hard

A medium-sized enterprise has two Palo Alto Networks PA-5250 firewalls configured in an active/passive HA pair with session synchronization and configuration synchronization enabled. The HA1 link is a direct copper cable, and the HA2 link is also a direct copper cable. The firewalls are connected to two upstream routers (R1 and R2) and two downstream switches (S1 and S2). The network uses OSPF for dynamic routing. The active firewall (FW-A) is connected to R1 and S1, while the passive firewall (FW-P) is connected to R2 and S2. The OSPF cost is set symmetrically on both sides. During a maintenance window, the network team shuts down the HA1 and HA2 links on both firewalls to test failover behavior. After the links are brought back up, the firewalls are in a state of 'non-functional' and 'suspended'. The team suspects the HA configuration is broken. What is the most likely cause and the best course of action to restore HA?

A.Upgrade both firewalls to the same software version and then re-initialize HA
B.Change the HA mode to active/active and enable asymmetric routing
C.Reboot both firewalls after verifying the HA configuration and that the links are operationally up
D.Configure a dedicated management interface for HA1 communication and ensure HA2 is on a different subnet
Answer: C

Rebooting recovers from suspended state; links are up now.

Why this answer

Option C is correct. Shutting down HA1 and HA2 at the same time removes every path the peers use to exchange hellos, so each unit loses sight of the other, and the pair can end up with one peer non-functional and the other suspended. Once the links are verified up and the HA configuration (group ID, mode, peer addresses, matching PAN-OS version) is confirmed, rebooting clears the stuck state and lets the peers renegotiate. In practice try the lighter step first: 'request high-availability state functional' on the suspended unit returns it to the HA state machine without a reboot, and 'show high-availability state' and 'show high-availability all' confirm the result.

Option A is wrong because configuration sync was already working, so the peers are on the same version and nothing in the scenario calls for an upgrade. Option B is wrong because changing the HA mode does not clear a suspended state and adds asymmetric-routing complexity the design does not need. Option D is wrong because HA1 and HA2 are already on dedicated direct links; re-addressing them does not address a state-machine problem caused by the maintenance test.

86
MCQ, easy

After upgrading Panorama to a newer version, a configuration push to a managed firewall fails with the error 'Commit failed: template validation error.' Which of the following should be checked first?

A.Ensure that the administrator account has superuser privileges.
B.Verify that the firewall's PAN-OS version is supported by the Panorama version.
C.Check that the firewall is connected to the internet for cloud services.
D.Review the system logs on the firewall for disk space errors.
Answer: B

Incompatible versions between Panorama and firewalls can cause template validation failures during push.

Why this answer

Option B is correct because template validation errors after a Panorama upgrade usually mean the template or device group configuration uses settings that the firewall's PAN-OS version does not understand, so the first check is that the managed firewall's version is supported by the new Panorama version. Options A, C, and D are less likely to be the root cause of a template validation error.

87
Multi-Select, easy

Which three are valid security policy rule actions on a Palo Alto Networks firewall? (Choose three.)

Select 3 answers
A.Deny
B.Log
C.Drop
D.Allow
E.Forward
Answers: A, C, D

Allow permits traffic; Deny blocks it using the application's default deny action (a silent drop or a TCP reset, depending on the App-ID); Drop silently discards it.

Why this answer

Options A, C and D are correct: Allow, Deny and Drop are three of the actions a security policy rule can take (the others are Reset client, Reset server and Reset both). Deny blocks the session using the default deny action defined for the matched application, which for some applications is a TCP reset rather than a silent discard. Drop always discards the traffic silently, sending neither a TCP RST nor an ICMP unreachable, which is the action to choose when the sender should receive no feedback.

Exam trap

The trap here is that candidates often confuse 'Log' as an action because it appears in the rule configuration, but it is merely a log setting, not a traffic disposition action like Allow, Deny, or Drop.

88
MCQ, easy

What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?

A.The application 'ssl' is not allowed in any security rule.
B.The session ended with TCP FIN, causing the firewall to deny.
C.The destination IP is blacklisted.
D.The security rule 'default-deny' explicitly blocks this traffic.
Answer: A

The traffic matched the built-in default-deny rule because no user-defined rule allowed the application.

Why this answer

The traffic from 192.168.1.100 to 203.0.113.50 is denied because the application 'ssl' is not explicitly allowed in any security rule. Palo Alto Networks firewalls use App-ID to identify traffic by application, and if the application (e.g., SSL/TLS) is not permitted in a rule, the traffic is denied by default, even if the IP addresses and ports are otherwise allowed.

Exam trap

The trap here is that candidates assume a port-based rule (e.g., allowing TCP/443) is sufficient, but Palo Alto's App-ID requires the application itself to be explicitly allowed, not just the port.

How to eliminate wrong answers

Option B is wrong because a TCP FIN flag does not cause a firewall to deny traffic; it is part of a normal session teardown and would not result in a deny action. Option C is wrong because there is no indication in the question that the destination IP is blacklisted, and blacklisting is typically done via external feeds or manual entries, not implied by a simple deny. Option D is wrong because while a 'default-deny' rule exists at the end of the rulebase, the question asks for the 'most likely' reason, and the specific denial of SSL traffic points to an application-based restriction rather than a generic catch-all rule.

89
MCQ, hard

An administrator wants to ensure that all traffic from the 'Trust' zone to the 'Untrust' zone is inspected by WildFire. Which configuration is required?

A.Create a separate WildFire rule.
B.Enable WildFire on the security rule.
C.Configure a WildFire profile and attach it to the security rule.
D.Enable WildFire globally under Device > Setup.
Answer: C

A WildFire profile must be added to the security rule's profile section.

Why this answer

WildFire inspection is applied via a security rule using a WildFire Analysis profile. The profile defines the file types and verdict actions (e.g., alert, block) for files submitted to WildFire. Attaching this profile to the security rule that governs Trust-to-Untrust traffic ensures all matching traffic is inspected by WildFire.

Exam trap

The trap here is that candidates confuse WildFire's global registration settings (Device > Setup > WildFire) with the per-rule profile attachment required for actual traffic inspection, leading them to select the global enablement option.

How to eliminate wrong answers

Option A is wrong because WildFire does not use separate rules; it is a profile-based feature attached to security rules. Option B is wrong because there is no toggle to 'enable WildFire on the security rule' directly; you must configure and attach a WildFire Analysis profile. Option D is wrong because the settings under Device > Setup > WildFire (cloud selection, file size limits, session information sent with samples) and the license under Device > Licenses only set up the service; forwarding files for analysis still requires a WildFire Analysis profile (Objects > Security Profiles > WildFire Analysis) attached to the security rule.

90
MCQ, hard

A company configures its Palo Alto Networks firewall to decrypt outbound SSL traffic using a forward proxy. After applying the decryption policy, users report that their browsers display certificate errors when accessing HTTPS websites. The firewall's decryption certificate is self-signed. What is the most likely cause?

A.The firewall is using a forward trust certificate that is expired.
B.The decryption policy is not applied to the correct security rule.
C.The firewall's decryption root CA certificate has not been installed in the client's trusted root certificate store.
D.The decryption policy is set to 'no-decrypt' for the traffic.
Answer: C

Correct. Clients must trust the firewall's issuing CA to avoid certificate warnings.

Why this answer

In a forward proxy decryption scenario, the firewall generates a self-signed root CA certificate and uses it to sign per-session certificates for intercepted HTTPS traffic. If that root CA certificate is not installed in the client's trusted root certificate store, the browser will treat the per-session certificates as untrusted, resulting in certificate errors. Option C directly identifies this missing trust chain as the root cause.

Exam trap

The trap here is that candidates treat the forward trust certificate and the CA that clients must trust as two different things. The forward trust certificate is the CA that signs the per-session certificates, and it is that CA's public certificate (or the enterprise root that issued it) that must be distributed to the clients' trusted root stores, for example through group policy or an MDM profile. Focusing on expiration or policy placement misses this basic trust-chain requirement.

How to eliminate wrong answers

Option A is wrong because an expired forward trust certificate would cause certificate errors, but the scenario explicitly states the decryption certificate is self-signed, and the most common issue is the missing root CA trust, not an expired leaf certificate. Option B is wrong because the decryption policy is applied to a decryption rule, not a security rule; misapplication to a security rule would not cause certificate errors—it would simply not decrypt traffic. Option D is wrong because a 'no-decrypt' policy would result in no decryption at all, meaning users would see normal HTTPS traffic without certificate errors, not the reported errors.

91
MCQ, medium

An administrator wants to apply different security policies for different applications that may use the same IP addresses and ports. Which firewall configuration feature should be used?

A.Application Override
B.Quality of Service (QoS) policy
C.Security policy with App-ID
D.Decryption policy
Answer: C

Security rules can match on application identity, allowing per-application policies.

Why this answer

Option C is correct: security policy rules match on App-ID, so two applications sharing the same IP addresses and ports can be given different rules. Option A is wrong because Application Override replaces App-ID inspection with a fixed port-based classification, the opposite of what is needed here. Option B is wrong because QoS only prioritizes or limits traffic; it does not decide what is allowed. Option D is wrong because decryption policy governs what is decrypted, not access control.

92
MCQ, easy

An administrator notices that URL filtering is not blocking a specific category as configured. What is the first troubleshooting step?

A.Verify the security policy order
B.Review the URL filtering profile
C.Check the URL filtering license
D.Check the PAN-DB version
Answer: A

If a policy with a different URL filtering profile matches first, the configuration may not be applied as intended.

Why this answer

The most common reason URL filtering fails to block a specific category is that a security policy earlier in the rulebase (a lower rule number, evaluated first) is matching the traffic before the policy that carries the correct URL filtering profile. Since security policies are evaluated top-down, the first match is applied, and if an earlier policy allows the traffic without a URL filtering profile, the configured block action is never reached. Therefore, verifying the security policy order is the first and most logical troubleshooting step. The traffic log's rule column shows which rule actually matched, and the rulebase's shadow check at commit time flags rules that an earlier rule hides completely.

Exam trap

Palo Alto Networks often tests the misconception that a misconfigured profile or license is the primary cause, when in reality the issue is almost always policy order and the first-match rule in security policy evaluation.

How to eliminate wrong answers

Option B is wrong because reviewing the URL filtering profile is a secondary step; the profile may be correctly configured but never applied if a higher-priority policy matches first. Option C is wrong because a missing or expired URL filtering license would typically prevent the firewall from performing any URL filtering at all, not cause a specific category to be unblocked while others work. Option D is wrong because checking the PAN-DB version is relevant when categories are missing or outdated, but it does not explain why a configured block action is not being enforced on traffic that is already matching a policy.
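To make the first-match behaviour concrete, here is an added example (not from the question bank, and not PAN-OS code; the field names are my own) that models a security rulebase and reproduces the two failure modes from questions 81 and 92: a rule that exists but names the wrong zone, so the implicit interzone-default denies the traffic, and an earlier broad allow rule that shadows the later rule carrying the URL Filtering profile. The rules and sessions are constructed samples.

```python
"""Added example (not from the question bank): a small model of PAN-OS
security-rulebase evaluation, top-down first match, showing a zone mismatch
(question 81) and a shadowed profile-bearing rule (question 92). Rule and
session objects are constructed samples; field names are my own."""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    apps: frozenset                     # frozenset({"any"}) matches every App-ID
    action: str                         # "allow", "deny" or "drop"
    url_profile: Optional[str] = None   # attached URL Filtering profile
    disabled: bool = False


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str


def _covers(criterion: frozenset, value: str) -> bool:
    return ANY in criterion or value in criterion


def matches(rule: Rule, s: Session) -> bool:
    """A rule matches only if every criterion covers the session."""
    return (not rule.disabled
            and _covers(rule.from_zones, s.src_zone)
            and _covers(rule.to_zones, s.dst_zone)
            and _covers(rule.apps, s.app))


def evaluate(rulebase, s: Session):
    """First match wins. With no explicit match the implicit defaults apply:
    intrazone-default allows, interzone-default denies, and neither carries
    a URL Filtering profile."""
    for rule in rulebase:
        if matches(rule, s):
            return rule.name, rule.action, rule.url_profile
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow", None
    return "interzone-default", "deny", None


def _subsumes(earlier: frozenset, later: frozenset) -> bool:
    return ANY in earlier or (ANY not in later and later <= earlier)


def shadowed_rules(rulebase):
    """Map each rule that can never match to the earlier rule hiding it.
    A later rule is shadowed when an earlier enabled rule's zone and
    application criteria are supersets of its own."""
    shadowed = {}
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (not earlier.disabled
                    and _subsumes(earlier.from_zones, later.from_zones)
                    and _subsumes(earlier.to_zones, later.to_zones)
                    and _subsumes(earlier.apps, later.apps)):
                shadowed[later.name] = earlier.name
                break
    return shadowed


# Question 81: the rule exists, but it names the wrong source zone.
RULEBASE_Q81 = [
    Rule("allow-web", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing", "ssl"}), "allow", "corp-url"),
]

# Question 92: an earlier broad allow hides the rule carrying the profile.
RULEBASE_Q92 = [
    Rule("allow-outbound", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({ANY}), "allow"),
    Rule("web-filtered", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing", "ssl"}), "allow", "corp-url"),
]

if __name__ == "__main__":
    # The user's interface is actually in zone "users", so nothing matches.
    print(evaluate(RULEBASE_Q81, Session("users", "untrust", "web-browsing")))
    print(evaluate(RULEBASE_Q81, Session("trust", "untrust", "web-browsing")))
    # The profile-bearing rule is never reached; the broad rule wins first.
    print(evaluate(RULEBASE_Q92, Session("trust", "untrust", "web-browsing")))
    print(shadowed_rules(RULEBASE_Q92))
```

The shadow check is deliberately conservative: it only reports a rule when every criterion of an earlier enabled rule is a superset, which is the same condition under which the firewall itself warns about shadowed rules at commit time.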

93
MCQ, easy

An administrator needs to create a custom application for a proprietary database protocol that uses TCP port 7890. What is the first step in defining this application in App-ID?

A.Create a new application and define the default port.
B.Create a new application group.
C.Create a new custom application tag.
D.Create a new application filter.
Answer: A

Correct: Creating the application object with its default port is the foundational step.

Why this answer

The first step is to create a new application object and define the default port. Creating an application group or filter assumes the application already exists. Tags are optional labels.

94
MCQ, medium

Which of the following is required for SAML-based single sign-on to work with a Palo Alto Networks firewall acting as the service provider?

A.The identity provider's metadata must be imported into the firewall.
B.A certificate from a public CA for the SAML identity provider.
C.The firewall must be configured as a SAML identity provider.
D.User-ID must be configured to poll the SAML identity provider.
Answer: A

The metadata includes the IdP's public key, endpoints, and binding information needed for SAML communication.

Why this answer

The firewall must import the identity provider's metadata (or be configured by hand with the same values: entity ID, SSO URL and signing certificate) to establish trust and the endpoints for SAML communication. Option A is correct. Option B is wrong because the IdP's signing certificate does not need to come from a public CA; it only has to be trusted by the firewall's SAML IdP server profile. Option C is wrong because the firewall acts as the service provider in this design. Option D is wrong because User-ID does not poll SAML identity providers.

95
MCQ, hard

During a network incident, an engineer notices that after an HA failover, some sessions are not active on the new active firewall. The 'show session all' command shows the sessions with state 'half-closed'. What is the most likely cause?

A.The firewall failed to properly synchronize the TCP sessions before the failover
B.The HA2 link failover timer is set too low
C.The ARP timeout on the next-hop router is too short
D.Asymmetric routing is causing the firewall to see only one direction of traffic
Answer: A

Incomplete sync leads to half-closed sessions.

Why this answer

Option A is correct: the passive peer can only pick up an existing TCP session if its state was replicated over HA2 before the failover; sessions that were not fully synchronized show as half-closed or missing on the new active unit. Option D is wrong because asymmetric routing would affect how new flows are seen, not the state of sessions that existed before the failover. Option B is wrong because HA timers govern how quickly a failover is declared, not session state.

Option C is wrong because the ARP timeout on the next-hop router affects reachability after a failover, not the contents of the session table.

96
MCQ, easy

When configuring an authentication policy, which match criteria is required to trigger authentication?

A.Application must be 'web-browsing'.
B.Destination address must be the server IP.
C.Source user must be set to 'any'.
D.Source zone must be specified.
Answer: D

Source zone is a required parameter in authentication policy to define the inbound traffic zone.

Why this answer

Authentication policy rules are matched on source zone, destination zone and service or URL category; the source zone must be specified, the source user can be left as 'any', and there is no application criterion, so 'web-browsing' is not required. Option D is correct.

97
MCQ, easy

A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?

A.Link failure
B.Active/Active
C.Passive/Passive
D.Split brain
Answer: D

Split brain is the term for an active/passive pair in which both peers believe they are active.

Why this answer

In an active/passive HA pair, only one firewall should be active at a time. When both firewalls show as 'active', this is known as a split-brain condition. It occurs when the HA heartbeat link fails and each firewall assumes the other is down, causing both to transition to the active state and process traffic independently.

Exam trap

The trap here is that candidates confuse 'split brain' with 'active/active' mode, but active/active is a legitimate configuration where both firewalls actively forward traffic for different virtual routers or security zones, whereas split brain is an unintended failure state.

How to eliminate wrong answers

Option A is wrong because a link failure is a potential cause of split brain, not the condition itself. Option B is wrong because active/active is a supported, deliberately configured HA mode, not the name for an active/passive pair that has lost contact with itself. Option C is wrong because passive/passive is not a valid HA state in Palo Alto Networks firewalls; the supported modes are active/passive and active/active. Option D is correct because split brain is the accepted term for both peers of an active/passive pair being active at the same time.

98
MCQ, hard

You are a network security engineer for a multinational corporation with users in different regions. The company uses GlobalProtect for remote access and requires multi-factor authentication (MFA) using a mobile app for all users. Recently, users in the Asia-Pacific region have reported intermittent failures when authenticating via GlobalProtect. The symptoms include: after entering credentials on the GlobalProtect portal, the authentication challenge from the MFA provider times out after 30 seconds, and the user is disconnected. Users in other regions do not experience this issue. The GlobalProtect gateways and portals are configured with Authentication Profile that uses an LDAP server for primary authentication and an MFA vendor as authentication sequence. The MFA provider sends push notifications to users' mobile devices. The firewall logs show no errors related to LDAP or MFA, but the GlobalProtect logs indicate authentication timeouts. The firewall is located in the central data center, and the MFA provider's servers are in the United States. What should you do to resolve this issue?

A.Change the authentication sequence to use a shorter MFA method like SMS instead of push notifications.
B.Disable MFA for the Asia-Pacific region users temporarily until the MFA provider improves their latency.
C.Increase the authentication timeout in the GlobalProtect portal and gateway configuration from 30 seconds to 60 seconds.
D.Deploy a secondary MFA server instance in the Asia-Pacific region to reduce latency.
Answer: C

Increasing the timeout accommodates the higher latency for users in Asia-Pacific, allowing the MFA push to complete.

Why this answer

Option C is correct because the authentication timeout in the GlobalProtect portal and gateway configuration defaults to 30 seconds, which is insufficient when high latency exists between the firewall (central data center) and the MFA provider's servers (United States). Users in the Asia-Pacific region experience additional network latency, causing the MFA push notification challenge to exceed the 30-second timeout. Increasing the timeout to 60 seconds accommodates this latency without altering the authentication method or requiring additional infrastructure.

Exam trap

The trap here is that candidates often assume the issue is with the MFA method or provider latency, leading them to choose option A or D, when in fact the problem is a misconfigured timeout value that is easily adjustable within the GlobalProtect portal and gateway settings.

How to eliminate wrong answers

Option A is wrong because changing from push notifications to SMS does not address the root cause—latency-induced timeout; SMS may actually introduce additional delays due to carrier routing and is less secure. Option B is wrong because disabling MFA for a region violates security policy and leaves those users vulnerable; it is a temporary workaround that does not solve the underlying latency issue. Option D is wrong because deploying a secondary MFA server instance in the Asia-Pacific region is an expensive and complex solution that is unnecessary when simply increasing the authentication timeout resolves the problem, and the MFA provider's servers are not under the company's control.

99
MCQmedium

A network engineer configures an IPSec tunnel with multiple proxy IDs for different subnets. After committing, only one proxy ID establishes IPsec SAs. What should the engineer check?

A.The number of concurrent tunnels allowed.
B.The IPSec crypto profile.
C.The IKE gateway mode.
D.The tunnel monitor settings.
AnswerA

Correct. The firewall may limit concurrent SAs per gateway.

Why this answer

There is a maximum number of concurrent IPsec SAs (tunnels) per IKE gateway. If the limit is reached, additional proxy IDs will not establish SAs.

100
MCQhard

A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?

A.The firewall will automatically redistribute the route to VR-B if needed.
B.The firewall will perform a reverse path forwarding (RPF) check on the source IP.
C.The packet will be dropped because the destination is not in the same VR as the ingress interface.
D.The firewall will use the zone of the egress interface to determine the security policy.
AnswerB

RPF ensures the source IP is reachable via the incoming interface; if not, the packet may be dropped.

Why this answer

Option B is correct because when a packet enters a Palo Alto Networks firewall, after a successful route lookup, the firewall performs an RPF check on the source IP address to ensure that the source is reachable via the ingress interface. This is a fundamental security mechanism to prevent spoofed traffic. Since the ingress interface is in VR-A and the route lookup succeeded, the RPF check verifies that the source IP of the packet is reachable through that same interface; if not, the packet is dropped.

Exam trap

The trap here is that candidates often assume the packet will be dropped because the destination is in a different VR (Option C), but they overlook that the route lookup succeeded in the ingress VR, meaning the egress interface is within the same VR, and the real security mechanism is the RPF check on the source IP.

How to eliminate wrong answers

Option A is wrong because Palo Alto Networks firewalls do not automatically redistribute routes between virtual routers; redistribution must be explicitly configured using route redistribution policies or a shared virtual router. Option C is wrong because the packet is not dropped due to the destination being in a different VR; the route lookup succeeded in VR-A, meaning the destination is reachable within VR-A, and the egress interface could be in the same VR. Option D is wrong because the security policy lookup uses the zone of the ingress interface (trust), not the egress interface; the egress interface's zone is irrelevant for policy matching.

101
Matchingmedium

Match each Palo Alto Networks product to its primary use case.


Matches

Next-generation firewall for enterprise

Virtual firewall for cloud environments

Container firewall for Kubernetes

Cloud-delivered security for remote users

Extended detection and response for endpoints

Why these pairings

These are key products in the Palo Alto Networks portfolio.

102
MCQmedium

An HA pair experiences split-brain after a brief network outage. Both firewalls become active and each starts forwarding traffic. What is the most effective way to prevent this in the future?

A.Increase the HA keepalive failover threshold to tolerate temporary packet loss
B.Decrease the HA1 hello interval
C.Enable link monitoring on all interfaces
D.Increase the session synchronization rate
AnswerA

A higher threshold allows a brief outage to pass without triggering failover.

Why this answer

Option A is correct because a higher HA keepalive failover threshold (more missed packets tolerated) reduces false failovers. Option D is wrong because session sync does not prevent split-brain. Option B is wrong because decreasing the HA1 hello interval makes failover faster, not more tolerant of a brief outage.

Option C is wrong because link monitoring does not address split-brain from temporary outage.

103
Multi-Selecthard

Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment in a Palo Alto Networks firewall?

Select 2 answers
A.Decryption is applied globally to all traffic; selective decryption is not possible.
B.The firewall can decrypt all TLS sessions regardless of client certificate authentication.
C.When deploying SSL Forward Proxy, the firewall must generate a certificate for each decrypted session to re-encrypt traffic to the client.
D.Traffic using Server Name Indication (SNI) in TLS must be decrypted at the firewall or it will be dropped.
E.The firewall uses a decryption policy to determine which traffic to decrypt.
AnswersC, E

The firewall acts as a proxy, generating a certificate signed by a trusted CA to re-encrypt traffic to the client.

Why this answer

In an SSL Forward Proxy deployment, the firewall acts as a man-in-the-middle: it terminates the client's TLS connection, inspects the decrypted traffic, and then initiates a new TLS connection to the server. To re-encrypt the traffic back to the client, the firewall must dynamically generate a certificate for each session, signed by a trusted CA certificate installed on the client devices. This ensures the client sees a valid certificate chain and does not generate a certificate warning.

Exam trap

The trap here is that candidates often assume SSL Forward Proxy can decrypt all TLS traffic, including sessions with client certificate authentication, but the firewall cannot possess the client's private key and thus must skip decryption for such sessions.

104
MCQmedium

A remote user reports they cannot connect to the corporate network via GlobalProtect. The GlobalProtect client shows 'Connection failed. Unable to establish a secure connection.' The portal and gateway are configured with certificate authentication. The administrator verifies that the portal/gateway certificates are valid and not expired, and the common name matches the portal's FQDN. The client's machine time is synchronized. Which configuration misconfiguration is most likely the cause?

A.The client's GlobalProtect app is an older version that does not support TLS 1.2.
B.The gateway authentication profile is set to use RADIUS instead of certificate.
C.The portal is configured with an incorrect server certificate common name (CN) that does not match the portal's FQDN.
D.The GlobalProtect gateway is configured to require HIP match, but the user's endpoint does not meet the HIP profile.
AnswerA

An older client may not support TLS 1.2, causing the connection to fail if the gateway requires it.

Why this answer

Option A is correct because if the GlobalProtect client is an older version that does not support TLS 1.2, it will fail to establish the secure connection when the gateway requires TLS 1.2. Option D is incorrect because a HIP mismatch would typically cause a different error (e.g., 'Access denied' or 'Not compliant') after authentication, not a connection failure. Option C is incorrect because the administrator already confirmed the certificate CN matches the portal FQDN.

Option B is incorrect because the gateway authentication profile is not used for the TLS handshake; it is used after the tunnel is established.

105
MCQmedium

An organization runs a pair of Palo Alto Networks firewalls in an active/passive HA configuration. During a maintenance window, the active firewall experiences a link down event on one of its data interfaces. The passive firewall does not assume the active role. What is the most likely reason?

A.HA is configured in active/active mode, which does not support failover on link failure.
B.The passive firewall has lost its heartbeat connection to the active firewall.
C.The active firewall has a higher priority value.
D.Path monitoring is not configured on the interfaces.
AnswerD

Correct. Path monitoring monitors the status of data interfaces and triggers failover on link loss.

Why this answer

In an active/passive HA configuration, a link down event on a data interface does not automatically trigger a failover unless path monitoring is configured. Path monitoring allows the firewall to monitor the link state of specific data interfaces and initiate a failover when those interfaces go down. Without path monitoring, the passive firewall remains passive because it only monitors the HA heartbeat and the active firewall's health via the control link, not the data plane link state.

Exam trap

The trap here is that candidates often assume any link failure on a data interface will automatically trigger an HA failover, but Palo Alto Networks firewalls require explicit path monitoring configuration to initiate failover based on data plane link state.

How to eliminate wrong answers

Option A is wrong because the scenario explicitly states active/passive HA, not active/active, and even in active/active mode, failover on link failure can occur if path monitoring is configured. Option B is wrong because if the passive firewall had lost its heartbeat connection, it would assume the active role (due to loss of hello messages) or enter a non-functional state, not remain passive. Option C is wrong because a higher priority value on the active firewall makes it more likely to be active, but it does not prevent failover when a link down event occurs; priority determines which firewall becomes active during initial election or when both are healthy, not whether failover happens on a link failure.

106
Multi-Selecteasy

Which TWO conditions are required for a successful GlobalProtect connection using certificate authentication?

Select 2 answers
A.The client certificate must be issued by a CA trusted by the firewall.
B.The GlobalProtect portal must have a certificate for SSL.
C.The user's browser must have the firewall's root CA certificate.
D.The firewall must have the client certificate's public key.
E.The client must have a valid username and password.
AnswersA, B

Correct. The firewall trusts the CA to validate the client certificate.

Why this answer

Certificate authentication requires the client certificate to be trusted by the firewall (the CA must be trusted), and the GlobalProtect portal must have an SSL certificate for the web interface.

107
MCQhard

Refer to the exhibit. A user at 10.1.1.100 reports that they cannot access a website at 10.2.2.200 over HTTPS. The firewall shows the session is allowed with application web-browsing, but the security policy rule "Allow-Web" has application set to ssl. What is the most likely cause?

A.The application override is configured incorrectly.
B.The security policy rule order is incorrect.
C.The SSL decryption policy is not configured.
D.The service is set to application-default.
AnswerC

Without decryption, App-ID sees only the SSL handshake and identifies the traffic as web-browsing on port 443, not as the more specific ssl application.

Why this answer

Option C is correct because without SSL decryption, the firewall cannot inspect the encrypted payload to identify the application as ssl; it classifies it as web-browsing based on port 443. Option A is wrong because application override would force a specific application, but the issue is that the session shows a different application, not that override is misconfigured. Option B is wrong because the session is allowed, indicating a rule is matched; rule order may not be the direct cause since the allowed traffic shows web-browsing.

Option D is wrong because service application-default allows the default port, but the application still needs to be identified correctly.

108
MCQeasy

An engineer wants to block all peer-to-peer file sharing traffic using App-ID. What security policy action should be used?

A.Drop.
B.Reset-both.
C.Allow with antivirus profile.
D.Deny.
AnswerD

Correct: Deny blocks the traffic and sends a TCP reset.

Why this answer

The standard action to block traffic in a security policy rule is 'deny'. 'Drop' also blocks but does not send a TCP reset, while 'deny' sends a reset. 'Allow' would permit the traffic, and 'reset-both' is a type of deny, but 'deny' is the typical best practice.

109
MCQmedium

A company uses a Palo Alto Networks firewall with Authentication Policy to enforce MFA for external users accessing a web application via GlobalProtect. The authentication sequence is set to 'PingID, LDAP'. Recently, users report that after entering their LDAP credentials, they are not prompted for PingID MFA and are allowed access immediately. The firewall logs show that the authentication policy is hit and the authentication method used is 'LDAP' only. The PingID service is reachable from the firewall. The administrator checks the Authentication Profile and sees that PingID is configured correctly. What is the most likely cause of this issue?

A.The authentication policy should be set to require MFA for all users; change the policy action to 'require MFA'.
B.The authentication sequence should be reversed to 'LDAP, PingID'.
C.The PingID server certificate is not trusted; import the CA certificate.
D.The PingID agent is configured to allow fallback to LDAP on authentication failure; disable fallback in the PingID agent settings.
AnswerD

Correct: If PingID allows fallback, the firewall will proceed to LDAP without MFA.

Why this answer

The correct answer is D because the PingID agent can be configured to fall back to LDAP authentication when PingID MFA fails or is unreachable. Even though the firewall can reach the PingID service, if the PingID agent itself is set to allow fallback on authentication failure, it will silently skip the MFA challenge and complete authentication via LDAP only, matching the log entry showing 'LDAP' as the authentication method.

Exam trap

The trap here is that candidates assume MFA bypass is always due to firewall misconfiguration (like sequence order or certificate issues), when in reality the PingID agent's fallback behavior can silently skip MFA even when the firewall and network connectivity are correctly configured.

How to eliminate wrong answers

Option A is wrong because the authentication policy action 'require MFA' is not a valid setting; authentication policies use actions like 'allow' or 'deny', and MFA enforcement is controlled by the authentication profile's sequence, not a policy-level MFA toggle. Option B is wrong because reversing the sequence to 'LDAP, PingID' would cause LDAP to be attempted first, and if successful, the firewall would not proceed to PingID MFA, which would still bypass MFA; the correct sequence is 'PingID, LDAP' to ensure MFA is attempted before LDAP fallback. Option C is wrong because the PingID server certificate trust issue would cause a certificate validation error, not a silent skip of MFA; the firewall would log an authentication failure or error, not a successful LDAP-only authentication.

110
MCQeasy

A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?

A.DNS resolution failure
B.Asymmetric routing
C.Security policy configured with service 'any'
D.Incomplete TCP three-way handshake
AnswerB

Asymmetric routing causes the firewall to see packets that don't match existing sessions, leading to drops or session re-creation.

Why this answer

Asymmetric routing can cause sessions to be created on one firewall while traffic returns via a different path, leading to session lookup failures and drops. This is a common cause of intermittent connectivity with active sessions.

111
MCQhard

A firewall in a high-availability pair shows that App-ID signatures are not syncing between units. Sessions are failing over but application identification is incorrect on the passive unit. What should the administrator verify?

A.Ensure both units have the same App-ID license installed.
B.Configure session distribution for symmetric return.
C.Verify that application override policies are replicated via HA configuration sync.
D.Check that sessions are established on both units.
AnswerC

Application overrides need to be synced; if not, the passive unit may misidentify traffic.

Why this answer

Option C is correct because application override policies must be present on both units; if they are not replicated via HA configuration sync, the passive unit misidentifies traffic after failover. Option A is wrong because the license is not per-unit. Option D is wrong because session setup is not the issue.

Option B is wrong because session distribution does not affect application identification.

112
MCQeasy

A security administrator wants to minimize the performance impact of SSL decryption on the firewall. Which best practice should be applied?

A.Configure decryption settings per interface to distribute load.
B.Disable SSL decryption entirely to avoid performance issues.
C.Create decryption exclusion rules for traffic that is known to be low-risk and high-volume.
D.Enable decryption on all traffic to ensure complete visibility.
AnswerC

Reduces decryption overhead while maintaining security for risky traffic.

Why this answer

Option C is correct because creating decryption exclusion rules for low-risk, high-volume traffic (e.g., software updates, video streaming, or trusted CDN traffic) reduces the firewall's decryption workload, minimizing performance impact while still allowing decryption of sensitive or risky traffic. This aligns with Palo Alto Networks best practices to balance security and performance by excluding traffic that does not require inspection.

Exam trap

The trap here is that candidates may think distributing decryption per interface (Option A) is a valid load-balancing technique, but Palo Alto Networks firewalls do not support interface-level decryption configuration, and the correct approach is to use exclusion rules to selectively bypass decryption for low-risk traffic.

How to eliminate wrong answers

Option A is wrong because decryption settings are not configured per interface to distribute load; SSL decryption is applied globally via decryption policies, and load distribution is handled by the firewall's hardware architecture, not interface-level settings. Option B is wrong because disabling SSL decryption entirely eliminates visibility into encrypted threats, which defeats the purpose of a security firewall and is not a best practice for minimizing performance impact while maintaining security. Option D is wrong because enabling decryption on all traffic would cause unnecessary performance degradation and latency, especially for high-volume, low-risk traffic that does not require inspection, violating the principle of selective decryption.

113
Multi-Selecthard

An administrator is troubleshooting low throughput for a business-critical application that is identified as web-browsing instead of the custom app. The firewall is in inline mode. Which THREE potential causes should be investigated?

Select 3 answers
A.SSL decryption is not enabled.
B.The application signature is outdated.
C.The custom application uses a non-standard port.
D.Application Override policy is incorrectly configured.
E.The firewall is in tap mode.
AnswersB, C, D

An outdated signature may not recognize the custom application.

Why this answer

Options B, C, and D are correct: an incorrectly configured Application Override policy could misdirect traffic, outdated application signatures may not recognize the custom app, and a non-standard port could cause the custom app to be misidentified as web-browsing. Option A is wrong because SSL decryption is not directly related to misidentification as web-browsing. Option E is wrong because tap mode is not relevant when the firewall is in inline mode.

114
Multi-Selecteasy

Which TWO configurations are required on a GlobalProtect portal to enable automatic tunnel configuration for macOS clients? (Choose two.)

Select 2 answers
A.GlobalProtect client package assigned to macOS
B.Enable Automatic Tunnel
C.Gateway IP Pool configured
D.PanGPS (Pan GlobalProtect Service) enabled
E.Specify a Tunnel Interface
AnswersB, E

This setting must be enabled in the portal to allow automatic tunnel configuration.

Why this answer

Options B and E are correct. The portal must have 'Enable Automatic Tunnel' checked and a tunnel interface specified for macOS clients to receive automatic tunnel settings. Option D (PanGPS) is a helper service and is not required for automatic tunnel configuration.

Option A (client package) is needed to distribute the client, but not specifically for automatic tunnel configuration. Option C (Gateway IP pool) is a gateway setting, not a portal setting.

115
MCQmedium

A company wants to forward logs from a firewall to a SIEM system with high reliability. Which log forwarding method ensures that logs are not lost if the SIEM is temporarily unreachable?

A.Email (SMTP) for each log.
B.Syslog over TCP with buffering enabled in the log forwarding profile.
C.Syslog over UDP with a log forwarding profile.
D.Syslog over SSL without optional buffering.
AnswerB

TCP provides reliable delivery, and buffering prevents loss during downtime.

Why this answer

Syslog over TCP with buffering enabled in the log forwarding profile ensures reliable delivery because TCP provides acknowledgment and retransmission of lost segments, while the buffering mechanism stores logs locally on the firewall when the SIEM is unreachable and retransmits them once connectivity is restored. This combination prevents log loss during temporary network or SIEM outages.

Exam trap

The trap here is that candidates often assume Syslog over TCP alone guarantees delivery, but without buffering enabled in the log forwarding profile, the firewall will drop logs if the TCP connection fails, making buffering the key differentiator for reliability.

How to eliminate wrong answers

Option A is wrong because email (SMTP) is not designed for high-volume, real-time log forwarding and can easily fail or queue indefinitely without reliable retransmission guarantees. Option C is wrong because Syslog over UDP is connectionless and inherently unreliable; logs are silently dropped if the SIEM is unreachable, with no buffering or retransmission. Option D is wrong because Syslog over SSL without optional buffering provides encryption but no local storage or retransmission mechanism; if the SIEM is unreachable, the TCP connection fails and logs are lost without buffering.

116
MCQeasy

An administrator needs to generate a report showing all traffic denied by the firewall over the past week. Which type of report in the firewall web interface should be used?

A.Application Report
B.Threat Report
C.URL Filtering Report
D.Traffic Report
AnswerD

Traffic Report allows filtering by action (allow/deny) to show denied traffic.

Why this answer

Option D is correct because the Traffic Report can be filtered by action (e.g., deny) to show denied traffic. Options A, B, and C are incorrect because they focus on specific categories such as applications, threats, or URL filtering.

117
MCQhard

A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?

A.The route lookup for the destination requires a larger MTU.
B.The firewall is not performing TCP MSS clamping on the traffic.
C.The firewall is using jumbo frames on the internal interface.
D.The packet is being encapsulated (e.g., IPsec) after routing, increasing its size beyond 1500 bytes.
AnswerD

Encapsulation adds headers; if the original packet is near MTU, the encapsulated packet exceeds it.

Why this answer

When a packet is encapsulated (e.g., by IPsec) after the routing decision, the original packet's size remains 1500 bytes, but the encapsulation adds overhead (e.g., IPsec ESP headers/trailers, typically 50–60 bytes). This causes the resulting frame to exceed the interface MTU of 1500, triggering a 'packet too long for interface MTU' drop. The firewall logs the drop at the physical interface after encapsulation, not before.

Exam trap

The trap here is that candidates assume the firewall drops the packet before encapsulation because the original packet matches the MTU, but the drop occurs after encapsulation adds overhead, making the final frame too large.

How to eliminate wrong answers

Option A is wrong because the route lookup determines the next hop and outgoing interface, but it does not change the packet size; a larger MTU on the route would not cause a drop of a 1500-byte packet on a 1500-MTU interface. Option B is wrong because TCP MSS clamping reduces the TCP segment size to avoid fragmentation, but the drop occurs after routing/encapsulation, and MSS clamping would not prevent the encapsulation overhead from exceeding the MTU. Option C is wrong because jumbo frames (typically >9000 bytes) on an internal interface would allow larger packets, not cause drops; the issue is on the egress interface where the MTU is 1500.

118
Drag & Dropmedium

Arrange the steps to deploy a new Panorama template to a managed firewall.



Why this order

Templates are created, populated, assigned, committed, and verified.

119
MCQeasy

A company wants to enforce multi-factor authentication (MFA) for all administrative access to the Palo Alto Networks firewall. They have a RADIUS server configured with MFA capability (e.g., RSA SecurID). The firewall is currently using local authentication for admin accounts. What must be configured to enforce MFA for admin access?

A.Create a security policy to allow RADIUS traffic from the firewall to the RADIUS server.
B.Enable MFA in the User-ID agent configuration.
C.Create an authentication profile using RADIUS with MFA enabled and assign it to the admin accounts.
D.Configure an authentication enforcement rule in the authentication policy.
AnswerC

The authentication profile defines how the firewall authenticates users. By using RADIUS with MFA, the firewall will prompt for the second factor.

Why this answer

Option C is correct because an authentication profile specifies the authentication method (RADIUS with MFA) and must be assigned to the admin accounts. Options A, B, and D are not required for admin authentication.

120
MCQmedium

An engineer notices a decrease in network performance and wants to verify if a specific security policy is being triggered frequently. Which CLI command will show the hit count for a specific policy?

A.show security-rulebase
B.show rule-usage
C.show running security-policy hit-count
D.show running security-policy
AnswerC

This shows hit counts for all security policies, and can be filtered to a specific rule.

Why this answer

Option C is correct because the 'show running security-policy hit-count' command displays the hit count for each security policy rule, allowing the engineer to identify which specific policy is being triggered frequently. This command directly shows the number of times a rule has matched traffic, which is essential for diagnosing performance issues related to policy usage.

Exam trap

The trap here is that candidates may confuse 'show running security-policy' (which shows configuration) with 'show running security-policy hit-count' (which shows usage statistics), or they may incorrectly recall non-existent commands like 'show rule-usage' from other vendors.

How to eliminate wrong answers

Option A is wrong because 'show security-rulebase' is not a valid CLI command on Palo Alto Networks firewalls; the correct command to view the rulebase is 'show running security-policy'. Option B is wrong because 'show rule-usage' is not a valid command; the correct command to view rule usage statistics is 'show running security-policy hit-count'. Option D is wrong because 'show running security-policy' displays the current security policy configuration but does not include hit counts, so it cannot show how frequently a policy is triggered.

121
MCQeasy

Refer to the exhibit. What is the primary cause of the 'non-functional' state?

A.The configuration sync operation has failed
B.One firewall is not running
C.HA1 link failure between 10.1.1.1 and 10.1.1.2
D.The configuration on the two firewalls is not identical
AnswerD

Configuration mismatch directly causes non-functional state.

Why this answer

Option D is correct because the reason shown is 'configuration mismatch'. Option C is wrong because HA1 is up (communication between the two IPs works). Option B is wrong because the output shows both firewalls are running.

Option A is wrong because no sync failure is indicated, only a mismatch.

122
MCQhard

A company has deployed a Palo Alto Networks firewall in an active/passive high-availability (HA) pair. The firewall uses BGP for dynamic routing with two upstream ISPs to provide load-balanced internet connectivity. After an HA failover event, the network team notices that outbound traffic from internal hosts is now using only one of the two ISPs, even though BGP sessions are established on both firewalls and the passive firewall has learned the same routes as the active one. The security policy permits all outbound traffic. No changes were made to the BGP configuration. Which of the following is the most likely cause of this behavior, and what is the appropriate solution?

A.The firewall's asymmetric routing detection is dropping traffic; disable asymmetric routing enforcement.
B.The HA configuration has ECMP disabled; enable ECMP in the dataplane settings on the active firewall.
C.The BGP configuration on the passive firewall is not identical to the active one; apply the same BGP configuration to both.
D.The passive firewall is not advertising routes to the ISPs because HA state synchronization is not enabled; enable state synchronization.
AnswerB

ECMP allows the firewall to use multiple equal-cost routes for load balancing; it must be enabled.

Why this answer

Option B is correct because ECMP (Equal Cost Multi-Path) routing must be enabled on the active firewall to use multiple BGP-learned default routes for load balancing. After failover, if ECMP is disabled, only one best path is installed, causing traffic to use a single ISP. Option D is incorrect because state synchronization deals with session state, not routing decisions.

Option C is incorrect because the passive firewall's BGP configuration does not affect routing on the active firewall unless it becomes active. Option A is incorrect because asymmetric routing detection would affect return traffic, not outbound path selection.

123
Multi-Selecteasy

Which TWO authentication methods are supported for captive portal on a Palo Alto Networks firewall?

Select 2 answers
A.SAML
B.TACACS+
C.RADIUS
D.Local Database
E.Kerberos
AnswersA, C

SAML is supported for captive portal from PAN-OS 10.0 onwards.

Why this answer

SAML and RADIUS are supported for captive portal authentication. Kerberos is not a direct captive portal method, and TACACS+ is not supported. The local database is also supported, but the question asks for only two answers, and SAML and RADIUS are the intended pair.

124
MCQmedium

An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show running ip route command shows the default route is missing. What is the most likely cause?

A.Floating static routes were not configured on the passive firewall.
B.Static routes were not synchronized.
C.OSPF routes were not synchronized.
D.BGP routes were not synchronized.
AnswerA

Answer key: A. The new active peer forwards with its own routing table, so the default route must exist in its own virtual router configuration.

Why this answer

In an active/passive pair the new active firewall forwards using its own virtual router, so it must have the default route in its own configuration; the answer key frames the missing route as a static route that was never present on the former passive peer. On PAN-OS the virtual router configuration, static routes included, is part of HA configuration synchronization, so in practice a route present on the old active peer and absent on the new one points to the peers having been out of sync before the failover (the HA widget and `show high-availability state` both report configuration sync status) or to the route having been committed on only one peer. PAN-OS has no distinct 'floating' static route type; the equivalent is a static route with a higher metric, optionally tied to path monitoring.

Exam trap

The trap is assuming that everything is carried across HA. Once the pair is in sync, the configuration (static routes included) is the same on both peers, but dynamic routing protocol state is not synchronized in active/passive HA: OSPF adjacencies and BGP sessions are re-established by the new active peer after failover, so dynamically learned routes briefly disappear during convergence, while a static route survives only if the configuration was in sync.

How to eliminate wrong answers

Option B is wrong in the sense the item intends: static routes are not excluded from synchronization, so if one is missing the cause is a broken or never-completed configuration sync, which `show high-availability state` exposes, not a category of route that PAN-OS refuses to sync. Options C and D are wrong because OSPF and BGP routes are learned dynamically and are rebuilt once the new active peer re-forms adjacencies and sessions; a default route lost for that reason would reappear within the protocol's convergence time rather than stay missing.

125
MCQhard

An organization needs to enforce authentication for application-based policies. Users are in multiple AD groups. Which authentication enforcement method best scales and minimizes administrative overhead?

A.Single Sign-On with Kerberos
B.Captive Portal with RADIUS
C.SSL Decryption with User-ID
D.GlobalProtect with client certificate
E.Authentication Policy with user group mapping
AnswerE

Authentication Policy can match source-user groups from LDAP, scaling easily with group membership.

Why this answer

Option E is correct because Authentication Policy rules match on source user groups pulled through User-ID group mapping, so adding a user to an AD group changes enforcement without editing rules. Option A is incorrect because Kerberos SSO depends on domain-joined clients and keytab/realm configuration and does not by itself tie enforcement to groups. Option B is incorrect because Captive Portal with RADIUS is only the challenge mechanism; it still needs an Authentication Policy rule to decide who is challenged, and group membership must then come from User-ID or RADIUS attributes. Option D is incorrect because GlobalProtect with client certificates requires client and certificate deployment overhead. Option C is incorrect because SSL decryption does not enforce authentication; it only makes content visible.

126
Drag & Dropmedium

Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.

Why this order

Packet capture involves filter setup, traffic generation, and download. On PAN-OS (Monitor > Packet Capture) the order is: define the filters (Manage Filters: source and destination address, port, protocol, ingress interface); turn Filtering ON; configure the capture stages you need (receive, transmit, firewall, drop) with a file name for each; turn Capturing ON; generate the traffic of interest; turn Capturing OFF; download the pcap files from the Captured Files list; then turn Filtering OFF and clear the settings, because filters and captures left enabled add dataplane load. These captures only show packets that reach the dataplane; management-plane traffic is captured with `tcpdump` on the management interface instead.

127
MCQhard

Refer to the exhibit. A firewall administrator created a local user group named 'Engineering' and added two users. However, when applying a security policy that uses this group as the source user, only one user (asmith) is matched correctly. What is the most likely cause of this issue?

A.The group should be configured as 'local' and the users should be added manually via CLI.
B.The user-id agent timeout is too short; increase the timeout value.
C.The group type is set to 'local' but the users are sourced from LDAP; change the group type to 'ldap'.
D.The group must be imported from LDAP as a dynamic group.
AnswerC

Correct: The group type should match the source of the users. Local groups expect locally defined users; LDAP-sourced users require the group type to be 'ldap'.

Why this answer

When a local user group is created on the firewall, the group type must match the source of its members. If the group type is set to 'local', the firewall expects the users to be defined locally on the firewall itself. However, if the users are actually sourced from an external LDAP directory, the group type must be changed to 'ldap' so that the firewall queries the LDAP server for group membership.

The mismatch causes the firewall to fail to resolve the LDAP users as members of the local group, so only locally defined users (such as asmith) match. On a live firewall, `show user group name <group-name>` lists the members the firewall currently resolves for a group and `show user group-mapping statistics` shows whether the LDAP group mapping has pulled directory groups at all; comparing those outputs with the rule's source-user field separates a group-resolution problem from a rule problem.

Exam trap

The trap here is that candidates assume adding LDAP usernames to a local group will work because the usernames are known, but they overlook that the group type must match the authentication source for the firewall to correctly resolve group membership.

How to eliminate wrong answers

Option A is wrong because local groups and users are already created via the GUI or CLI; the issue is not about the method of creation but about the group type mismatch. Option B is wrong because the user-id agent timeout affects how long user mappings are cached, not whether LDAP users are recognized as members of a local group. Option D is wrong because the group does not need to be imported as a dynamic group; static LDAP groups can be used by simply setting the group type to 'ldap' and referencing the LDAP group name.

128
MCQmedium

A security policy has an application list with 'facebook-chat' and 'facebook-base'. A user reports that Facebook messages are being blocked. The firewall logs show the application as 'facebook-base' but not as 'facebook-chat'. What is the most likely reason?

A.The App-ID signature for 'facebook-chat' is outdated.
B.The application 'facebook-chat' is a dependency that is not allowed in the policy.
C.The firewall is blocking the application 'facebook-chat' due to content filtering.
D.The traffic is using a non-standard port for chat.
AnswerB

Dependent apps must be allowed explicitly or using application group.

Why this answer

Option B is correct because 'facebook-chat' depends on 'facebook-base': the session is first identified as facebook-base and only shifts to facebook-chat once chat traffic is seen, so the rule that actually matches the session has to allow the dependent application as well as the base application (listing both, or using an application group). A traffic log that shows facebook-base but never facebook-chat is consistent with the session being denied at the point the application shifts, for example because an earlier, broader rule that allows only facebook-base matched first. Option A is wrong because signature updates are not the cause. Option C is wrong because a content-filtering block would appear in the threat or URL log, not as a missing application. Option D is wrong because ports are not the issue; both applications run inside the same web session.

Practitioner check: Objects > Applications shows each App-ID's 'Depends on' and 'Implicitly Uses' lists; applications listed as implicitly used are allowed automatically when the parent is allowed, the others must be allowed explicitly.

129
Multi-Selecthard

During a security incident, an analyst notices that certain malware traffic is using port 443 but is being identified as 'ssl'. The malware uses a unique handshake that differs from standard SSL. Which two actions should the analyst take to correctly identify and block this malware? (Choose two.)

Select 2 answers
A.Add the custom application to a security rule with action Deny.
B.Disable SSL decryption on the firewall.
C.Create a custom application signature that matches the malware handshake.
D.Create a decryption policy to forward proxy decrypt the traffic.
E.Create an application override rule that forces identification as the custom application.
AnswersC, E

Correct: A custom application signature gives the firewall something to identify the handshake as, and the override forces that identification on the matching traffic.

Why this answer

First, create a custom application signature that matches the malware handshake. Then apply an application override rule so the firewall classifies the matching traffic as that custom application instead of the generic 'ssl'. A deny rule referencing the custom application then blocks it; the item keys only the two identification steps.

Caveat a practitioner should know: an application override rule bypasses App-ID and content inspection for the traffic it matches, so it must be scoped as tightly as possible (specific source, destination, zones and port) and used only with an explicit deny or a tightly bounded allow. If the custom application is built with signature patterns and matched by App-ID rather than applied through an override, the firewall keeps inspecting the traffic; reserve the override form for traffic that cannot be matched by signature. Disabling decryption (option B) removes visibility, and forward-proxy decryption (option D) cannot succeed against a handshake that is not real TLS.

130
MCQeasy

A company needs to deploy a firewall in transparent inline mode to filter traffic between two switches without requiring any IP address changes on existing devices. Which interface type should be configured?

A.Virtual Wire
B.Tap
C.Layer3
D.Layer2
AnswerA

Virtual Wire bridges two ports without IP, providing transparent inline inspection.

Why this answer

Virtual Wire (VWire) is the correct interface type because it allows the firewall to operate in transparent inline mode without requiring any IP address changes on existing devices. In VWire mode the firewall acts as a bump in the wire, passing every frame received on one interface of the pair out of the other, without MAC learning, routing or IP configuration on the firewall interfaces themselves, while still applying security policy to the sessions it sees.

Exam trap

The trap here is that candidates confuse Layer 2 interfaces with Virtual Wire, assuming any transparent mode works the same, but Layer 2 interfaces must be assigned to a VLAN object and the firewall then switches between them based on MAC learning, which is more configuration than the zero-touch inline placement Virtual Wire provides.

How to eliminate wrong answers

Option B (Tap) is wrong because a Tap interface only receives a copy of traffic from a SPAN or mirror port; it can log and alert but cannot block traffic inline between the switches. Option C (Layer3) is wrong because Layer 3 interfaces need IP addresses and routing, which would force changes on the existing devices and break the transparent requirement. Option D (Layer2) is wrong because, while Layer 2 interfaces are transparent to IP, they must be placed in a VLAN object and the firewall participates in MAC learning and switching; Virtual Wire simply binds two interfaces together and passes everything between them, VLAN tags included, which is the bump-in-the-wire deployment the question asks for.

131
MCQeasy

Refer to the exhibit. A user with IP 10.1.1.100 from the internal zone is trying to access http://203.0.113.1. What will the firewall do?

A.Drop the traffic because no rule matches.
B.Allow the traffic because rule 2 matches.
C.Reset the traffic because of rule 1.
D.Deny the traffic because rule 1 matches first.
AnswerD

Rule 1 has source 10.0.0.0/8 which includes 10.1.1.100, so it matches first and denies the traffic.

Why this answer

Option D is correct because the firewall processes security rules in top-down order. Rule 1 explicitly denies traffic from the internal zone to the destination zone 'untrust-L3' for destination IP 203.0.113.1, which matches the user's traffic. Since rule 1 is matched first, the firewall denies the traffic and does not evaluate subsequent rules.

Exam trap

The trap here is that candidates often assume the firewall will continue to evaluate subsequent rules (like rule 2) after a match, but the first-match logic means rule 1's deny action is applied immediately, preventing any further rule evaluation.

How to eliminate wrong answers

Option A is wrong because a rule does match (rule 1), so the traffic is not dropped due to a lack of matching rules. Option B is wrong because rule 2 would only be evaluated if rule 1 did not match; however, rule 1 matches first and denies the traffic, so rule 2 is never reached. Option C is wrong because rule 1 is configured to deny the traffic, not reset it; a reset action would require a specific 'reset' action in the rule, which is not indicated.

132
MCQhard

A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?

A.It drops the traffic
B.It forwards the traffic normally
C.It logs and alerts
D.It strips the IP options and forwards
AnswerA

This is the default security behavior to prevent potential attacks using IP options.

Why this answer

By default, Palo Alto Networks firewalls drop traffic with IP options enabled because IP options can be used to bypass security controls or evade inspection. The firewall treats such packets as a potential security risk and discards them to prevent IP option-based attacks, such as source routing or timestamp manipulation. The per-option behaviour is configurable in a Zone Protection profile under Packet Based Attack Protection > IP Drop > IP Option Drop, which has separate settings for strict source routing, loose source routing, timestamp, record route, security, stream ID, unknown and malformed options; apply the profile to the ingress zone and confirm drops in the threat log. Because the default handling of individual options has varied between PAN-OS releases, confirm it against the packet flow documentation for the version you run before relying on it.

Exam trap

The trap here is that candidates may assume the firewall forwards or strips IP options like a router, but Palo Alto Networks firewalls prioritize security by default and drop such packets to prevent IP option-based attacks.

How to eliminate wrong answers

Option B is wrong because forwarding traffic with IP options normally would allow potential evasion of security policies and is not the default behavior. Option C is wrong because while logging and alerting may be configured, the default action is to drop, not just log. Option D is wrong because stripping IP options and forwarding is not a default behavior; the firewall does not modify IP headers by default and instead drops the packet.
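The option handling above is worth seeing concretely. The following is an added example, not code from this page or from Palo Alto Networks: a small Python IPv4 header parser that walks the option list as RFC 791 defines it and then applies a constructed 'IP Option Drop' decision modelled on the checkboxes of a PAN-OS Zone Protection profile. The packets are built inline (constructed, not captured), and the option names and the drop set are assumptions chosen to mirror the profile's settings.

```python
import socket
import struct
from dataclasses import dataclass, field

# RFC 791 option type bytes (copied flag | class | number), named after the
# checkboxes in the IP Option Drop section of a PAN-OS Zone Protection profile.
IP_OPTION_NAMES = {7: "record-route", 68: "timestamp", 130: "security",
                   131: "loose-source-route", 136: "stream-id", 137: "strict-source-route"}

# Constructed profile: every option class the profile can drop is enabled.
DROP_ALL_OPTIONS = frozenset(IP_OPTION_NAMES.values()) | {"unknown", "malformed"}


@dataclass
class IPv4Header:
    src: str
    dst: str
    proto: int
    options: list = field(default_factory=list)  # option names in header order
    malformed: bool = False


def ip_checksum(data: bytes) -> int:
    """Ones-complement checksum over the header; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a valid IPv4 packet; options are padded to a 32-bit boundary with EOL bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fields = [(4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields) + options)
    return struct.pack("!BBHHHBBH4s4s", *fields) + options + payload


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Parse the fixed header, then walk the option list without trusting length bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("IHL does not fit the packet")
    hdr = IPv4Header(socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9])
    opts, i = packet[20:ihl * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # EOL: nothing meaningful follows
            break
        if kind == 1:                  # NOP: single-byte alignment filler
            i += 1
            continue
        if i + 1 >= len(opts):         # type byte with no length byte
            hdr.malformed = True
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # length runs past the option area
            hdr.malformed = True
            break
        hdr.options.append(IP_OPTION_NAMES.get(kind, "unknown"))
        i += length
    return hdr


def ip_option_verdict(hdr: IPv4Header, drop=DROP_ALL_OPTIONS):
    """('drop', reason) or ('allow', None), as a per-zone IP Option Drop setting would decide."""
    if hdr.malformed and "malformed" in drop:
        return ("drop", "malformed")
    for name in hdr.options:
        if name in drop:
            return ("drop", name)
    return ("allow", None)


# Constructed sample packets (built here, not captured): no options, a loose
# source route via 192.0.2.1, and an LSRR whose length byte overruns the header.
PLAIN = build_ipv4("10.1.1.100", "203.0.113.1", 6)
LSRR = build_ipv4("10.1.1.100", "203.0.113.1", 6, options=b"\x83\x07\x04" + socket.inet_aton("192.0.2.1"))
TRUNCATED = build_ipv4("10.1.1.100", "203.0.113.1", 6, options=b"\x83\x07\x04\xc0")

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("lsrr", LSRR), ("truncated", TRUNCATED)):
        hdr = parse_ipv4(pkt)
        print(label, hdr.options, hdr.malformed, ip_option_verdict(hdr))
```

Run it directly to see the three verdicts. The truncated case is the one that matters most: an option whose length byte runs past the header is exactly the packet a parser that trusts the length field mishandles, and it is why the profile offers 'malformed' as its own drop class separate from 'unknown'.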

133
MCQhard

A threat log entry shows a threat detected in SSL traffic to 10.0.0.5, which is a server in the internal network. However, the decryption policy has a rule to no-decrypt traffic to 10.0.0.0/8 from internal sources. What is the most likely reason the threat was detected?

A.The decryption policy rule order is incorrect; the 'No-Decrypt-Internal' rule should be after the 'Decrypt-All' rule.
B.The threat was detected in decrypted traffic because the source was external.
C.The threat log is misconfigured.
D.The security policy is blocking the traffic before decryption.
AnswerB

Correct: The source is external, so the no-decrypt rule (which is restricted to internal source addresses) does not match; the session falls through to the decrypt rule and the threat profile sees the cleartext.

Why this answer

The 'No-Decrypt-Internal' rule in the exhibit matches only source addresses in the internal range (192.168.0.0/16). Decryption policy is evaluated top-down with first match, so a session from a source outside that range (for example an external client) to 10.0.0.5 skips the no-decrypt rule, matches 'Decrypt-All', is decrypted, and is then inspected by the threat profile attached to the security rule. Two practitioner caveats: decrypting inbound sessions to an internal server requires an SSL Inbound Inspection rule with that server's certificate and private key imported on the firewall (a forward-proxy rule cannot decrypt traffic to a server whose key the firewall does not hold), and the decryption log (Monitor > Logs > Decryption, PAN-OS 10.0 and later) shows which decryption rule a given session actually hit.

134
MCQmedium

Based on the exhibit, what is the impact of the current HA state on the network?

A.Configuration changes are not synchronized
B.The passive firewall will preempt the active when the active fails
C.Sessions will not be preserved during a failover
D.The HA pair cannot perform a failover
AnswerC

Session sync is not synchronized due to HA2 down.

Why this answer

Option C is correct. The HA2 link is down, causing session synchronization to be not synchronized. Traffic continues to flow through the active firewall, but sessions will not be maintained during a failover.

Option A is wrong because HA1 is up, so configuration sync works and the exhibit shows the configuration as synchronized. Option B is wrong because preemption is disabled in the exhibit, so the passive firewall will not take over merely because it is the preferred peer. Option D is wrong because a failover only needs the control link and heartbeats, which HA1 still provides; the failover would succeed, just without the session table.

135
MCQeasy

A company is deploying a Palo Alto Networks firewall in an existing Layer 2 switched environment. They need to inspect traffic between VLAN 10 and VLAN 20 without changing the IP addresses of hosts and without performing any routing. Which firewall mode should be used?

A.Virtual Wire
B.Tap mode
C.Transparent (Layer 2)
D.Layer 3
AnswerC

Correct. Transparent mode bridges VLANs at Layer 2, enabling inspection without IP changes.

Why this answer

Option C is correct because Transparent (Layer 2) mode allows the firewall to operate as a Layer 2 bridge, inspecting traffic between VLAN 10 and VLAN 20 without requiring any IP address changes or routing. The firewall forwards frames based on MAC addresses, preserving the existing IP subnet and host configurations, which is ideal for inserting security into an existing switched environment.

Exam trap

The trap here is that candidates often confuse Virtual Wire with Layer 2 mode. A Virtual Wire does support subinterfaces classified by VLAN tag, but it only ever binds two physical interfaces together and passes frames between them; it does not learn MAC addresses or switch frames among several ports in one VLAN, so it cannot sit inside a switched domain and inspect traffic between VLAN 10 and VLAN 20.

How to eliminate wrong answers

Option A is wrong because a Virtual Wire does no MAC learning or switching; it passes traffic between exactly two interfaces as a bump in the wire (VLAN-tagged subinterfaces only classify that traffic), so it cannot bridge multiple switched segments. Option B is wrong because Tap mode only receives a copy of traffic for monitoring and cannot enforce policy inline; it cannot block or modify traffic between VLANs. Option D is wrong because Layer 3 mode requires the firewall to route between subnets, which would mean changing host default gateways or addressing, contradicting the requirement to avoid routing and IP changes.

136
Multi-Selecthard

Which two are prerequisites for deploying a Palo Alto Networks firewall in a high-availability active/passive pair? (Choose two.)

Select 2 answers
A.Both firewalls must have identical licenses.
B.Both firewalls must be the same hardware model.
C.Both firewalls must be in the same data center.
D.Both firewalls must have the same PAN-OS version.
E.The firewalls must be directly connected via a crossover cable for HA1.
AnswersB, D

Same model and same PAN-OS version are the two prerequisites this item keys; the PAN-OS HA prerequisites additionally list the same interface types and the same set of licenses, so option A is not wrong in practice, only not the keyed choice.

Why this answer

Option B is correct because Palo Alto Networks high-availability (HA) active/passive pairs require both firewalls to be the same hardware model to ensure identical processing capabilities and interface configurations. Option D is correct because both firewalls must run the same PAN-OS version to maintain configuration synchronization and stateful failover compatibility; version mismatches can cause HA session sync failures or unexpected behavior.

Exam trap

The trap here is that candidates often assume a direct crossover cable is required for HA1, but HA1 is a Layer 3 control link: it can be carried through a switch and, with an HA1 gateway configured, can even be routed between sites, which makes option E a common distractor. Option C is a distractor for the same reason: the peers need HA link reachability, not co-location in one data center, although latency on HA1 and HA2 matters for heartbeats and session sync.

137
MCQmedium

A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?

A.Virtual System Admin
B.Superuser
C.Device Admin
D.Role-Based Admin
AnswerA

Vsys admin can be scoped to a specific vsys with limited permissions.

Why this answer

A Virtual System Admin role is specifically designed to delegate administrative access to a single virtual system (vsys) within a Palo Alto Networks firewall. This role allows the junior administrator to configure security policies and objects within their assigned vsys, while explicitly preventing access to system settings, device-level configurations, or other virtual systems. This matches the requirement exactly.

Exam trap

The trap here is that candidates often confuse 'Virtual System Admin' with 'Role-Based Admin', thinking they need to create a custom role, when the predefined Virtual System Admin role is the exact fit for delegating per-vsys management.

How to eliminate wrong answers

Option B (Superuser) is wrong because a Superuser has full read-write access to all virtual systems and all system settings, which would grant the junior administrator access to other vsys and device-level configurations, violating the requirement. Option C (Device Admin) is wrong because a Device Admin has full access to the device's system settings and all virtual systems, again providing broader access than intended. Option D (Role-Based Admin) is wrong because it is a generic category for custom roles, but the specific predefined role that matches the requirement is Virtual System Admin; assigning a custom Role-Based Admin would require manually creating a role with the exact permissions, which is less direct and not the standard answer for this scenario.

138
MCQhard

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

A.The GlobalProtect app's cookie integrity is corrupted.
B.The IKE gateway's rekey lifetime is shorter than the IPSec security association lifetime.
C.The GlobalProtect client needs to be reinstalled.
D.The user-id agent is not resolving usernames correctly.
AnswerB

If the IKE SA expires before the IPsec SA it protects can be rekeyed, the tunnel is torn down unexpectedly; the IKE key lifetime should always exceed the IPsec SA lifetime.

Why this answer

The 'Tunnel rekey failed' error indicates that the IPsec security association (SA) rekey process failed. This most commonly occurs when the IKE gateway's rekey lifetime is shorter than the IPsec SA lifetime, causing the IKE phase 1 SA to expire before the IPsec phase 2 SA can be rekeyed. As a result, the tunnel drops and the client disconnects. On PAN-OS the two values live in the IKE Crypto profile (Key Lifetime, default 8 hours) and the IPSec Crypto profile (Lifetime, default 1 hour) under Network > Network Profiles; check that the IKE lifetime is the longer of the two on both ends of the tunnel. Note that a GlobalProtect gateway negotiates its IPsec keys inside the SSL/TLS control connection rather than through IKE, so on an actual gateway the value to review is the IPSec Crypto profile referenced in the gateway's tunnel settings; the IKE/IPsec lifetime relationship described here applies literally to site-to-site IKE gateways.

Exam trap

The trap here is that candidates often assume client-side issues (like app corruption or reinstallation) are the cause, when the error is clearly a gateway-side IPsec rekey misconfiguration.

How to eliminate wrong answers

Option A is wrong because cookie integrity corruption would cause authentication or session validation failures, not a rekey failure during IPsec SA renewal. Option C is wrong because reinstalling the client would not resolve a misconfiguration in the gateway's IKE or IPsec lifetime settings; the issue is on the server side. Option D is wrong because the user-id agent's inability to resolve usernames affects user mapping and policy enforcement, not the IPsec tunnel rekey process.

139
MCQeasy

A firewall administrator needs to ensure that traffic matching a specific security policy rule is always logged to Panorama even if the local firewall's management plane is temporarily unreachable. Which configuration should be used?

A.Set the rule to 'Log at Session End' and use 'Log Forwarding' with 'Enhanced Application Logging'.
B.Configure a 'Log Forwarding' profile with 'Buffering' enabled.
C.Configure 'Log Forwarding' with 'Override' to send logs directly to a syslog server.
D.Use the 'High Availability' feature with active/passive.
AnswerB

Buffering keeps logs on the firewall while Panorama is unreachable and forwards them once connectivity is restored.

Why this answer

Option B is correct because buffering stores logs locally when Panorama is unreachable and forwards them once connectivity returns. Option A is wrong because logging at session end and enhanced application logging change what is logged, not what happens when the collector is unreachable. Option C is wrong because syslog forwarding is a separate destination that still needs live connectivity. Option D is wrong because HA protects the firewall, not the log path to Panorama.

Practitioner note: on a real PAN-OS firewall this behaviour is the 'Buffered Log Forwarding from Device' setting under Device > Setup > Management > Logging and Reporting Settings, rather than an option inside a Log Forwarding profile; when the Panorama connection returns, the firewall resumes forwarding from its local log store. If the firewall's own management plane is down it cannot log or forward at all; buffering covers a Panorama outage or a broken management path, not a dead management plane.

140
MCQmedium

During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?

A.Configure HA3 for stateful inspection.
B.Increase HA1 keepalive timer.
C.Enable config sync on HA1.
D.Enable session sync on HA2.
AnswerD

Session sync ensures sessions are replicated to the passive firewall.

Why this answer

Option D is correct because enabling session sync on the HA2 link ensures that session state information is continuously replicated from the active firewall to the standby firewall. During a failover, the new active firewall already has the session table populated, so existing connections are preserved and not dropped. Without session sync, the standby firewall starts with an empty session table, causing all existing TCP/UDP sessions to be torn down.

Exam trap

The trap here is confusing configuration synchronization (config sync) with session state synchronization (session sync), leading candidates to incorrectly select config sync on HA1 as the solution for preserving active connections during failover.

How to eliminate wrong answers

Option A is wrong because HA3 is the packet-forwarding link used in active/active deployments to hand asymmetric flows to the session owner, not a session-state link, and 'stateful inspection' is a firewall feature unrelated to HA session sync. Option B is wrong because the HA1 keepalive timer only governs how quickly a peer failure is detected; changing it does not prevent session loss after failover, and lengthening it delays detection. Option C is wrong because configuration sync over HA1 carries policies and objects between peers, not the dynamic session table.

141
MCQmedium

Refer to the exhibit. A user in the trust zone attempts to access HTTPS to an external server. Which rule will match?

A.rule4
B.rule3
C.rule1
D.rule2
AnswerD

Rule2 allows SSL for anyone, so it matches the HTTPS traffic.

Why this answer

Rule2 is correct because it is the first rule in the security policy that matches the traffic from the trust zone (source zone trust) to the external server (destination zone untrust) for HTTPS (destination port 443). Palo Alto Networks firewalls evaluate rules in top-down order, and rule2 explicitly permits HTTPS traffic from trust to untrust, while rule1 only permits HTTP (port 80). Rule3 and rule4 do not match because they are either for different zones or deny the traffic.

Exam trap

Palo Alto Networks often tests the first-match rule evaluation order, where candidates mistakenly think a deny rule later in the policy (rule4) will block traffic, forgetting that a preceding permit rule (rule2) already matched and allowed the session.

How to eliminate wrong answers

Option A is wrong because rule4 denies all traffic from trust to untrust, but since rule2 matches first and permits the HTTPS traffic, rule4 is never evaluated. Option B is wrong because rule3 applies to traffic from the DMZ zone, not the trust zone, so it does not match the user's traffic. Option C is wrong because rule1 only permits HTTP (port 80), not HTTPS (port 443), so it does not match the HTTPS request.

142
Multi-Selecteasy

Which TWO types of traffic should typically be excluded from SSL decryption for compliance or operational reasons? (Choose two.)

Select 2 answers
A.Traffic to social media websites.
B.Traffic between internal data center servers.
C.Traffic to healthcare portals and electronic medical records.
D.Traffic to financial services websites (e.g., banking, investment).
E.Traffic to external email services (e.g., Gmail).
AnswersC, D

HIPAA and other regulations may restrict decryption.

Why this answer

Options C and D are correct because healthcare and financial traffic is commonly excluded to satisfy privacy and regulatory requirements (HIPAA for health data, financial privacy rules and local privacy law), and most decryption guidance starts from those categories. Option A is wrong because social media is a typical decryption target rather than an exclusion. Option B is wrong because internal server-to-server traffic is an operational decision (it may be excluded for performance or because the servers are already inspected elsewhere) but not a compliance exclusion. Option E is wrong because external webmail is usually decrypted precisely so that DLP and threat inspection can see it.

Practitioner note: on PAN-OS this is done with no-decrypt rules keyed on URL categories such as financial-services and health-and-medicine, placed above the decrypt rule; the decryption policy is first match, so rule order matters.

143
MCQhard

Refer to the exhibit. A packet from 10.0.0.5 to 8.8.8.8 on TCP port 443 (HTTPS) arrives. Source zone is trust, destination zone is untrust. The packet is dropped. What is the most likely reason?

A.The service 'application-default' does not allow TCP port 443.
B.The packet is not logged properly.
C.The destination IP is not routable in the virtual router.
D.The rule requires application 'web-browsing', but the traffic is identified as 'ssl', causing a mismatch and drop.
AnswerD

The firewall matches the application after identification; if it does not match the rule, the packet is dropped.

Why this answer

Option D is correct because the security rule requires the application 'web-browsing' (HTTP), but the traffic is HTTPS (TCP 443), which is identified as 'ssl' by the Palo Alto Networks firewall. The firewall performs App-ID inspection, and if the application does not match the rule's application condition, the packet is dropped, even if the port matches.

Exam trap

The trap here is that candidates assume a port-based rule (TCP 443) will allow HTTPS traffic, but Palo Alto Networks firewalls require the application to match the rule's application object, not just the port, so a rule allowing 'web-browsing' will drop HTTPS traffic identified as 'ssl'.

How to eliminate wrong answers

Option A is wrong because 'application-default' is a service setting that restricts the port to the default port for the application; for 'ssl', TCP 443 is the default, so it would allow the traffic if the application matched. Option B is wrong because logging is a reporting feature and does not cause a packet drop; a packet is dropped due to a security rule or policy, not logging configuration. Option C is wrong because 8.8.8.8 is a public IP and is routable in the virtual router unless a static or default route is missing; the question states the packet is dropped by a rule, not a routing issue.

144
MCQeasy

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

A.The remote users' computers are not domain-joined.
B.The external gateway is not configured for Kerberos authentication.
C.The authentication profile is not configured on the gateway.
D.The GlobalProtect gateway certificate is not trusted by the client.
AnswerA

Kerberos authentication requires the client to be domain-joined to obtain a ticket.

Why this answer

Kerberos authentication relies on the client being a member of the Active Directory domain to obtain a ticket-granting ticket (TGT) from the Key Distribution Center (KDC). Remote users whose computers are not domain-joined cannot acquire or present Kerberos tickets, causing authentication to fail. This is the most common reason for connection failures when Kerberos is used for GlobalProtect portal authentication.

Exam trap

The trap here is that candidates may assume Kerberos authentication can be used for external gateways or that the issue is certificate-related, but the key is understanding that Kerberos requires domain membership and cannot work for non-domain-joined remote clients.

How to eliminate wrong answers

Option B is wrong because the external gateway does not perform Kerberos authentication; Kerberos authentication is handled by the portal, and the gateway uses the authentication cookie issued by the portal after successful authentication. Option C is wrong because the authentication profile is configured on the portal, not the gateway; the gateway relies on the portal to validate the user and does not require its own authentication profile for Kerberos. Option D is wrong because while an untrusted gateway certificate can cause connection issues, it would typically produce a certificate warning or error, not a Kerberos authentication failure; the scenario specifically points to Kerberos authentication as the root cause.

145
MCQhard

A company needs to authenticate remote users accessing internal web applications via GlobalProtect portal and wants to use SAML with Azure AD for MFA. Which component must be configured on the firewall?

A.LDAP server profile for user lookup
B.Server certificate for the portal
C.Authentication profile referencing the SAML IdP profile
D.SSL decryption rule
AnswerC

The authentication profile defines the method (SAML) and must include the IdP profile.

Why this answer

Option C is correct because an Authentication Profile that references the SAML IdP server profile is what makes the portal use SAML; the portal's authentication settings point at the profile, not at the IdP profile directly. Option D is incorrect because SSL decryption has nothing to do with SAML authentication. Option B is incorrect because, while the portal does need a server certificate, that requirement is the same for every authentication method. Option A is incorrect because an LDAP server profile serves LDAP authentication and group mapping, not SAML; with Azure AD, the MFA decision is made by the IdP and returned in the SAML assertion.

146
MCQmedium

An engineer is troubleshooting a security policy that is not matching traffic as expected. The traffic is from source IP 10.1.1.10 to destination 172.16.0.1 port 443. The policy has source zone 'Internal', destination zone 'DMZ', source address '10.1.1.0/24', destination address '172.16.0.0/24', application 'ssl'. The firewall shows the traffic hitting a different rule. What is the most likely cause?

A.The source zone is incorrectly assigned; traffic is coming from a different zone.
B.The destination address is not in the specified subnet due to NAT.
C.The application 'ssl' does not match because the traffic is actually using TLS 1.3.
D.The traffic is being matched by an earlier rule with broader criteria.
AnswerD

Rule order matters; a prior rule with broader source/destination/application may match before the intended rule.

Why this answer

The most likely cause is that an earlier rule in the security policy rulebase matches the traffic before the intended rule. Palo Alto Networks firewalls evaluate security rules in sequential order from top to bottom, and the first rule that matches all criteria (source/destination zone, source/destination address, application, etc.) is applied. If a rule with broader criteria (e.g., any/any or a less specific application) appears earlier, it will match the traffic, preventing the intended rule from being hit.

Exam trap

The distractor being tested is the idea that App-ID signatures are protocol-version specific (TLS 1.3 versus 'ssl'); the 'ssl' App-ID covers SSL/TLS handshakes regardless of version, so candidates who believe otherwise wrongly eliminate the correct answer. A quick confirmation on the firewall is `test security-policy-match` with the session's source, destination, protocol, port and application, which names the rule the rulebase actually selects.

How to eliminate wrong answers

Option A is wrong because the scenario gives no reason to doubt the zone assignment: the source zone is derived from the ingress interface, and the question states the traffic is internal and that the firewall is matching a rule, not dropping the traffic as unmatched. Option B is wrong because security policy is evaluated against the pre-NAT source and destination addresses (and the post-NAT zones); the pre-NAT destination 172.16.0.1 is inside 172.16.0.0/24, so there is no address mismatch. Option C is wrong because 'ssl' is a generic App-ID signature that matches the SSL/TLS handshake regardless of the TLS version, so TLS 1.3 does not prevent the rule from matching.
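As an added example (not from this exam page and not Palo Alto Networks code), the following Python models the top-down, first-match evaluation described above over a constructed rulebase built from the question's values, and lists the earlier rules that shadow the intended one. The rule names, the broader 'internal-outbound' rule and the closing 'deny-all' rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One security rule; the string 'any' in a field matches everything."""
    name: str
    from_zones: set
    to_zones: set
    src: list      # CIDR strings or ["any"]
    dst: list
    apps: set
    action: str


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str


def _zone_match(zones, zone):
    return "any" in zones or zone in zones


def _addr_match(prefixes, ip):
    if "any" in prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def rule_matches(rule, flow):
    """Every configured field must match; a single mismatch skips the rule."""
    return (_zone_match(rule.from_zones, flow.from_zone)
            and _zone_match(rule.to_zones, flow.to_zone)
            and _addr_match(rule.src, flow.src)
            and _addr_match(rule.dst, flow.dst)
            and ("any" in rule.apps or flow.app in rule.apps))


def first_match(rulebase, flow):
    """Top-down, first-match evaluation; returns the winning Rule or None."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule
    return None


def shadowing_rules(rulebase, target_name, flow):
    """Names of rules above `target_name` that would also match `flow`."""
    shadows = []
    for rule in rulebase:
        if rule.name == target_name:
            break
        if rule_matches(rule, flow):
            shadows.append(rule.name)
    return shadows


# Constructed rulebase (assumption): the intended rule from the question sits
# below a broader outbound rule that also covers 10.1.1.0/24 to any zone.
RULEBASE = [
    Rule("internal-outbound", {"Internal"}, {"any"}, ["10.0.0.0/8"], ["any"], {"any"}, "allow"),
    Rule("internal-to-dmz-ssl", {"Internal"}, {"DMZ"}, ["10.1.1.0/24"], ["172.16.0.0/24"], {"ssl"}, "allow"),
    Rule("deny-all", {"any"}, {"any"}, ["any"], ["any"], {"any"}, "deny"),
]
FLOW = Flow("Internal", "DMZ", "10.1.1.10", "172.16.0.1", "ssl")


def matched_rule_name(rulebase=RULEBASE, flow=FLOW):
    rule = first_match(rulebase, flow)
    return rule.name if rule else None


def reorder_above(rulebase, name, above):
    """Copy of the rulebase with rule `name` moved directly above rule `above`."""
    rules = [r for r in rulebase if r.name != name]
    target = next(r for r in rulebase if r.name == name)
    idx = next(i for i, r in enumerate(rules) if r.name == above)
    rules.insert(idx, target)
    return rules


if __name__ == "__main__":
    print(matched_rule_name())                                     # internal-outbound
    print(shadowing_rules(RULEBASE, "internal-to-dmz-ssl", FLOW))  # ['internal-outbound']
    fixed = reorder_above(RULEBASE, "internal-to-dmz-ssl", "internal-outbound")
    print(matched_rule_name(fixed, FLOW))                          # internal-to-dmz-ssl
```

On the firewall the equivalent check is `test security-policy-match from Internal to DMZ source 10.1.1.10 destination 172.16.0.1 protocol 6 destination-port 443 application ssl`, which reports the rule that wins for that flow; a commit also warns when a rule is completely shadowed by one above it.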

147
MCQmedium

After upgrading a PA-5250 from PAN-OS 9.1 to PAN-OS 10.1, the firewall fails to establish IPsec VPN tunnels with remote peers. The crypto profiles and IKE gateways appear unchanged. What is the most likely cause?

A.The default SSL/TLS service profile changed, affecting management access.
B.The IKEv2 default configuration now requires a pre-shared key minimum length of 32 characters.
C.The upgrade reset the IKE gateway configuration to default.
D.The firewall's management IP address changed during the upgrade.
AnswerB

PAN-OS 10.1 enforces a minimum PSK length of 32 characters for IKEv2; shorter keys cause negotiation failure.

Why this answer

In PAN-OS 10.1, the default minimum pre-shared key length for IKEv2 was increased to 32 characters. If the existing PSK is shorter than 32 characters, the firewall will reject it during IKE negotiation, causing the tunnel to fail even though the crypto profiles and IKE gateways appear unchanged. This is a common compatibility issue when upgrading from PAN-OS 9.1, which had no such minimum length requirement. Before changing keys, confirm the failure on the firewall itself: `show vpn ike-sa gateway <name>` shows whether phase 1 completed, and the system log (subtype vpn) records the IKE error reported by the negotiation.

Exam trap

The trap here is that candidates assume unchanged crypto profiles and IKE gateways mean no configuration issue, overlooking the silent enforcement of a new default PSK length requirement introduced in PAN-OS 10.1.

How to eliminate wrong answers

Option A is wrong because the default SSL/TLS service profile affects management access (e.g., web UI, API), not IPsec VPN tunnel establishment, which is a data-plane function. Option C is wrong because the upgrade does not reset IKE gateway configurations to default; the configuration is preserved during a standard upgrade. Option D is wrong because the management IP address is a separate configuration that does not change during an upgrade unless explicitly modified, and it does not impact IPsec VPN tunnel establishment with remote peers.

148
MCQhard

Two firewalls in an active/passive HA configuration are not synchronizing sessions. The 'show high-availability state' command shows both peers as 'active' and 'passive' correctly, but session synchronization is not working. What is the most likely cause?

A.The HA3 link is not configured or is misconfigured.
B.The HA2 link is down.
C.The passive firewall does not have management API access.
D.The logging settings on both firewalls are different.
AnswerA

Session synchronization requires a properly configured HA3 link (packet forwarding link).

Why this answer

In an active/passive HA configuration, session synchronization occurs over the HA2 link (control link) and HA3 link (packet forwarding link). The HA3 link is specifically responsible for synchronizing session tables between the peers. If the HA3 link is not configured or is misconfigured, session synchronization will fail even though the HA state shows 'active' and 'passive' correctly.

The HA2 link handles keepalives and configuration sync, not session sync, so its status being up does not guarantee session synchronization.

Exam trap

The trap here is that candidates often confuse the HA2 link (control link) with the HA3 link (session sync link), assuming that if HA state is correct and HA2 is up, session synchronization must also be working.

How to eliminate wrong answers

Option B is wrong because the HA2 link is used for control traffic (keepalives, configuration sync) and not for session synchronization; a down HA2 link would cause HA state issues, not just session sync failure. Option C is wrong because management API access on the passive firewall is unrelated to session synchronization; it controls administrative access, not data-plane session replication. Option D is wrong because differing logging settings between firewalls do not impact session synchronization; logging is a separate function from session table replication.

149
MCQeasy

A firewall shows session logs with application 'incomplete' for many SSL connections. Which action should be taken to improve App-ID accuracy?

A.Disable application identification for SSL traffic.
B.Enable HTTP/2 protocol decoding.
C.Enable SSL decryption for the traffic.
D.Allow sessions with application 'incomplete' in policy.
AnswerC

Decryption reveals the underlying application.

Why this answer

Option C is correct because decrypting the traffic lets the firewall inspect the plaintext and identify the application carried inside the SSL/TLS session, instead of stopping at a generic classification. Option A is wrong because disabling App-ID for SSL traffic removes application visibility entirely. Option B is wrong because HTTP/2 protocol decoding applies to traffic the firewall can already read and does nothing for sessions it cannot decrypt. Option D is wrong because permitting sessions with application 'incomplete' in policy hides the symptom without improving identification accuracy.

Caveat: in the traffic log, 'incomplete' means the TCP three-way handshake did not complete, or it completed but no payload followed, so the firewall never saw enough data to identify an application. Check the session end reason and the bytes received before enabling decryption; if the server is not completing the handshake, decryption will not change the result.

150
MCQhard

A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?

A.The destination NAT is configured incorrectly.
B.The security policy is missing the return traffic rule.
C.The firewall is in FIPS mode.
D.The source NAT is not configured.
AnswerD

Without source NAT, the packet's source IP remains private, and the server replies to that private IP, which may not return to the firewall.

Why this answer

When traffic from an internal host is allowed by security policy and the session is created but no response packets are seen, the most likely cause is that source NAT (also known as outbound NAT or PAT) is not configured. Without source NAT, the firewall forwards the packet with the internal private IP address as the source, and the external server sends its responses to that private address, which is not routable over the public internet. The firewall sees the session as created because the first packet matched the security policy and was forwarded, but the return traffic never reaches the firewall, so no response packets are logged. In the traffic log such sessions show 0 bytes received, no NAT source address, and a session end reason of aged-out. `test nat-policy-match` with the flow's zones, addresses, protocol and destination port shows which NAT rule, if any, would apply.

Exam trap

The trap here is that candidates often assume a session being 'created' means the connection is fully established, but in Palo Alto Networks, a session is created as soon as the first packet matches a security rule, even if NAT is not configured, leading to the misconception that the issue must be a missing return traffic rule or a routing problem.

How to eliminate wrong answers

Option A is wrong because destination NAT translates the destination address, typically for inbound connections to internal servers; a destination NAT error on this outbound flow would send the initial packet to the wrong host, whereas the symptom described is a session that was created and forwarded with no reply. Option B is wrong because the firewall is stateful: once a session is created by a security rule, the return packets of that session are matched to it automatically, so a separate 'return traffic' rule does not exist. Option C is wrong because FIPS mode restricts cryptographic algorithms and some management features; it does not stop the firewall from applying source NAT or forwarding packets, so if the session was created, FIPS mode is not the cause of the missing responses.
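As an added example (not from this exam page and not Palo Alto Networks code), the following Python runs the diagnosis described above over a constructed traffic-log extract: it flags sessions whose RFC 1918 source left untranslated toward a public destination and received nothing back, and separates them from sessions that are silent for other reasons. The column names, the zone names and the documentation-range addresses standing in for public hosts are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# RFC 1918 space; everything else is treated as routable for this example.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed traffic-log extract (not real firewall output). The 203.0.113.0/24
# and 198.51.100.0/24 documentation ranges stand in for public addresses.
SAMPLE_LOG = """src,dst,natsrc,from_zone,to_zone,bytes_sent,bytes_received,session_end_reason
10.1.1.10,203.0.113.50,,Internal,Untrust,312,0,aged-out
10.1.1.11,203.0.113.50,198.51.100.2,Internal,Untrust,1840,12093,tcp-fin
10.1.1.12,10.2.0.5,,Internal,DMZ,940,3210,tcp-fin
10.1.1.13,10.2.0.9,,Internal,DMZ,186,0,aged-out
10.1.1.14,203.0.113.80,198.51.100.2,Internal,Untrust,248,0,aged-out
"""


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def diagnose(rec):
    """Classify one session record from its NAT fields and byte counters."""
    if int(rec["bytes_received"]) > 0:
        return "ok"                        # the peer answered; NAT is not the problem
    translated = rec["natsrc"] not in ("", rec["src"])
    if is_rfc1918(rec["src"]) and not is_rfc1918(rec["dst"]) and not translated:
        return "missing-source-nat"        # private source sent untranslated to a public host
    if not is_rfc1918(rec["dst"]):
        return "no-reply-despite-nat"      # translated but silent: upstream routing or the server
    return "no-reply-from-internal-host"   # private to private, no NAT expected: route or host


def diagnose_log(text=SAMPLE_LOG):
    """Map each source address in the extract to its diagnosis."""
    return {rec["src"]: diagnose(rec) for rec in parse_log(text)}


if __name__ == "__main__":
    for src, verdict in diagnose_log().items():
        print(f"{src:<12} {verdict}")
```

The 'missing-source-nat' verdict is the one to confirm with `test nat-policy-match from Internal to Untrust source 10.1.1.10 destination 203.0.113.50 protocol 6 destination-port 443`; the 'no-reply-despite-nat' case points away from NAT toward routing or the remote server.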
