Palo Alto Networks Certified Network Security Engineer PCNSE (PCNSE) — Questions 301–375

516 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
Multi-Select · medium

When troubleshooting an authentication issue where users are not prompted for credentials, which two logs or commands would be most useful? (Choose two.)

Select 2 answers
A.less mp-log authd.log
B.show running security-policy
C.show user user-id count
D.show authentication rule matching traffic from the user's IP
E.show system resources
Answers: A, D

This log file contains detailed authentication daemon messages including failures and mismatches.

Why this answer

Option D checks whether an authentication rule actually matches the user's traffic; on the CLI, 'test authentication-policy-match' takes the source and destination zones, addresses, protocol and port and reports the matching rule. If no rule matches, the firewall has no reason to prompt. Option A, 'less mp-log authd.log', shows the authentication daemon's interaction with the authentication server, including failures and profile mismatches. Options B, C and E are less direct: the security rulebase and the mapping count do not tell you whether an authentication rule fired, and 'show system resources' is a CPU and memory view.

302
Multi-Select · medium

Which TWO are common causes of session drops after the initial handshake? (Choose two.)

Select 2 answers
A.TCP sequence number mismatch due to packet reordering
B.Firewall interface speed mismatch
C.Security policy change after session creation
D.DNS resolution failure
E.Asymmetric routing
Answers: A, E

Reordering can cause the firewall to drop packets as out-of-state.

Why this answer

Asymmetric routing sends the server's replies along a path that bypasses the firewall, so they arrive (if at all) with no matching session and are dropped as non-SYN TCP; a sequence-number mismatch caused by reordering trips the same TCP state checks on a flow the firewall does see. An interface speed mismatch or a DNS failure breaks things before any handshake. A policy change after session creation can end an established session if Session Rematch is enabled, so it is worth knowing about, but the pair the exam expects is A and E.

303
MCQ · easy

A network administrator notices that traffic logs are not being sent to the external Syslog server. The log forwarding profile is configured correctly. Which CLI command should be used to verify the Syslog server connectivity from the firewall?

A.show log forwarding
B.show system setting
C.test syslog
D.ping <syslog_server_ip>
Answer: C

This command emits a test message over the transport the Syslog server profile specifies, so it exercises the same path the forwarded logs take.

Why this answer

The 'test syslog' command verifies Syslog delivery from the firewall by sending a test message over the configured transport. Even with a correct log forwarding profile, a closed port, a filtering device in the path or a stopped collector stops logs from arriving. With TCP or SSL transport the connection attempt itself reveals the problem. With UDP the message is fire-and-forget: a clean test proves the firewall could emit it, not that the collector stored it, so the collector's own logs should be checked as well. The usual ports are 514 for UDP and plain TCP and 6514 for syslog over TLS.

Exam trap

The trap here is that candidates confuse basic network connectivity (ping) with application-layer service verification, assuming a successful ping means Syslog will work, but Syslog requires the specific port to be open and the service to be running.

How to eliminate wrong answers

Option A is wrong because 'show log forwarding' displays the log forwarding profile configuration (e.g., server IP, port, format) but does not actively test connectivity or send a test message. Option B is wrong because 'show system setting' shows general system parameters (e.g., hostname, time zone) and has no capability to test Syslog server reachability. Option D is wrong because 'ping' tests ICMP echo requests to the server IP, which only verifies basic network layer reachability; it does not confirm that the Syslog service (UDP/TCP port) is listening or that the firewall can send Syslog messages to it.
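
A worked probe for the point above, as an added example (not from the exam page and not Palo Alto Networks code): it builds an RFC 5424 message the way a 'test syslog' would and sends it over UDP and TCP, with a stand-in collector on 127.0.0.1 so the script runs offline. The hostname, the application name and the collector itself are constructed for the example.

```python
import socket
import threading
from datetime import datetime, timezone


def build_message(host, app, text, pri=14):
    """One RFC 5424 line. PRI 14 = facility user (1) * 8 + severity info (6)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {text}\n".encode()


def send_udp(addr, port, msg):
    """UDP syslog is fire-and-forget: sendto() reports the bytes handed to the
    kernel even when nothing listens, so True proves emission, not receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (addr, port)) == len(msg)


def send_tcp(addr, port, msg, timeout=2.0):
    """TCP (or TLS) syslog fails at connect() when the port is closed or
    filtered. That is the difference between this check and a ping."""
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(msg)
            return True
    except OSError:
        return False


class CollectorStub:
    """Tiny TCP collector on 127.0.0.1 standing in for the real syslog server
    (constructed for this example so the probe runs offline)."""

    def __init__(self):
        self.received = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self._srv.settimeout(5)
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        try:
            conn, _ = self._srv.accept()
        except OSError:          # timeout: nobody connected
            return
        finally:
            self._srv.close()
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        self.received.append(data.decode())

    def wait(self):
        self._thread.join(5)
        return self.received


def free_closed_port():
    """Reserve an ephemeral port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(collector_port, closed_port):
    """The three checks a 'test syslog' boils down to, against localhost."""
    msg = build_message("fw-edge-01", "test_syslog", "connectivity probe")
    return {
        "tcp_to_listener": send_tcp("127.0.0.1", collector_port, msg),
        "tcp_to_closed_port": send_tcp("127.0.0.1", closed_port, msg),
        "udp_to_closed_port": send_udp("127.0.0.1", closed_port, msg),
    }


if __name__ == "__main__":
    stub = CollectorStub()
    print(probe(stub.port, free_closed_port()))
    print(stub.wait())
```

Compare the three results: TCP to the listener succeeds, TCP to the closed port fails at connect(), and UDP to the same closed port still reports success. That last line is why a clean UDP test, like a clean ping, does not prove the collector received anything; for UDP transports, check the collector's own logs.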

304
MCQ · medium

A security administrator configures a new network template in Panorama and assigns it to a template stack. The template stack is associated with a device group containing several firewalls. After committing the Panorama configuration and pushing to devices, some firewalls in the device group do not have the new template settings. What is the most likely cause?

A.The firewalls that are not receiving the template are not included in the same template stack.
B.The device group has not been committed.
C.The firewalls are not licensed for Panorama management.
D.The template is in 'preview' mode.
Answer: A

Correct. A template stack groups firewalls that share the same template configurations.

Why this answer

In Panorama, templates are assigned to template stacks, and template stacks are then assigned to specific firewalls. If a firewall does not belong to the template stack that contains the new template, it will not receive those settings, regardless of its membership in the device group. Device groups manage policy objects and rules, not network configuration templates.

Exam trap

The trap here is that candidates often confuse device groups (which manage policy) with template stacks (which manage network configuration), assuming that membership in a device group automatically applies all associated templates.

How to eliminate wrong answers

Option B is wrong because device group and template pushes are separate: a missing device group commit would leave policy stale, not the network and device settings a template carries. Option C is wrong because a managed firewall needs no license of its own; Panorama's device management license limits how many firewalls Panorama can manage, and a firewall over that limit could not have been added in the first place. Option D is wrong because templates have no 'preview' mode; the only preview in Panorama is the 'Preview Changes' diff shown at commit time.

305
MCQ · medium

What does the session state 'SYN_SENT' indicate about this traffic flow?

A.The session has been torn down by the server.
B.The firewall has sent a SYN packet and is waiting for a response.
C.The traffic is being dropped due to asymmetric routing.
D.The application has been identified as incomplete.
Answer: B

SYN_SENT is a transient handshake state: the client's SYN has been seen and forwarded, and no SYN-ACK has come back yet.

Why this answer

SYN_SENT means the firewall has forwarded the client's SYN toward the server and is waiting for the SYN-ACK. The session table tracks the TCP handshake so that only packets belonging to a known, policy-permitted flow are forwarded; SYN_SENT is the first step of that tracking, not a teardown, a drop or an App-ID verdict. On the CLI, 'show session id <id>' shows the state together with the per-direction flow details, and a session that stays in SYN_SENT with no server-to-client packets is the classic sign that the reply path does not pass through this firewall.

Exam trap

The trap here is that candidates confuse SYN_SENT with a session teardown state or assume it indicates a problem like asymmetric routing, when in fact it is a normal transient state during TCP connection setup that only becomes problematic if it persists beyond the timeout.

How to eliminate wrong answers

Option A is wrong because a server-initiated teardown shows closing states (FIN_WAIT, CLOSE_WAIT, TIME_WAIT), not an initial handshake state. Option C is wrong because asymmetric routing does not produce a session state of its own: the firewall either never sees the reply (the session stays in SYN_SENT and ages out) or sees a reply with no session and drops it as non-SYN TCP, which appears in the global counters rather than as a state. Option D is wrong because App-ID needs payload that only arrives after the handshake; 'incomplete' is recorded when a session ends without completing the handshake or carrying identifiable data, so it is a verdict on a finished session, not a state of a live one.

306
MCQ · medium

A company has configured User-ID with Active Directory polling. Some users cannot access resources even though their security policy rules appear correct. The administrator verifies that the User-ID agent is connected and polling. What additional step should the administrator take?

A.Restart the User-ID agent service.
B.Check the firewall's management plane CPU usage.
C.Ensure the firewall has a license for User-ID.
D.Verify that the user group mapping is correct.
Answer: D

Group mapping is critical for security policies based on user groups.

Why this answer

Option D is correct because even if the User-ID agent is connected and polling, the firewall may not have the correct group-to-user mappings. Without accurate group mapping, security policies that reference user groups will fail to match, causing access issues for users who are members of those groups. The administrator should verify the group mapping configuration in the User-ID agent or on the firewall to ensure users are properly associated with their groups.

Exam trap

The trap here is that candidates assume a connected and polling User-ID agent guarantees correct policy enforcement, overlooking the critical step of verifying group mapping accuracy, which is a common misconfiguration in Active Directory environments.

How to eliminate wrong answers

Option A is wrong because a restart is a generic step; the agent is connected and polling, so the mappings it collects are arriving, and a restart would not correct a group mapping profile that points at the wrong LDAP server, base DN or group filter. Option B is wrong because management plane CPU affects performance, not the correctness of a user-based policy match. Option C is wrong because User-ID is a base PAN-OS feature and needs no subscription. The checks that settle this are 'show user ip-user-mapping ip <address>' (is the user mapped at all), 'show user group list' and 'show user group name <group>' (does the firewall know the group, and is the user in it) and, after a change, 'debug user-id refresh group-mapping all'.

307
Multi-Select · hard

An engineer is troubleshooting an HA pair where session synchronization is not working. Which THREE steps should be taken to diagnose the issue? (Choose three.)

Select 3 answers
A.Verify that the HA2 link is operationally up
B.Check the session synchronization status using 'show running session-sync'
C.Check the HA1 link status using 'show high-availability state'
D.Review the system logs for session sync errors
E.Enable flow-based routing on both firewalls
Answers: A, B, D

HA2 is used for session synchronization.

Why this answer

Options A, B and D are correct: session state travels over HA2, so confirm the HA2 link is up (and that the peer answers HA2 keep-alives if they are enabled), check the session synchronization status, and read the system log for session-sync errors. Option C is wrong because HA1 carries hello, state and configuration synchronization, not session state; 'show high-availability state' and 'show high-availability all' are still worth reading because they also report the HA2 link and whether session synchronization is enabled. Option E is wrong because flow-based routing is not a PAN-OS feature and has nothing to do with session sync.

308
MCQ · medium

Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?

A.The traffic is decrypted because the first rule matches.
B.The traffic is dropped because no rule matches.
C.The traffic is decrypted only if the SSL certificate is installed.
D.The traffic is not decrypted because the second rule matches and overrides the first.
Answer: D

The no-decrypt rule for the finance category is the first rule that matches this traffic, so decryption is bypassed.

Why this answer

The decryption rulebase, like the security rulebase, is evaluated top-down and the first matching rule wins; a later rule never overrides an earlier one that matches. Answer D is the key, and its word 'overrides' should be read as 'is the first match': for the finance no-decrypt rule to win, the first rule in the exhibit must not match this flow (for example, it is scoped to a different zone, user or category), so the HTTPS session to the bank is forwarded without decryption and the decrypt rule is never reached. This is why no-decrypt exceptions for categories such as financial services and health are placed above the broad decrypt rule.

Exam trap

The trap is reading 'override' literally. Decryption policy has no override mechanism; order is everything, and a no-decrypt exception placed below a broad decrypt rule is never reached.

How to eliminate wrong answers

Option A is wrong because, for the finance traffic, the decrypt rule is not the first match. Option B is wrong because decryption rules do not drop traffic that fails to match; unmatched traffic is simply not decrypted, and whether it is forwarded is decided by the security rulebase. Option C is wrong because the forward-trust certificate only matters once a decrypt rule matches; a no-decrypt match means no certificate is ever involved.

309
MCQ · easy

An administrator configures an authentication policy to require authentication for the 'ssl' application. After committing, the firewall does not prompt users for credentials when they access HTTPS sites. Which step is most likely missing?

A.The authentication policy is placed in the pre-rulebase but the security policy is in post-rulebase.
B.The 'ssl' application must have a custom signature defined.
C.The authentication policy must be placed before the security rule that allows the web-browsing traffic.
D.The user-ID agent is not set to capture HTTPS traffic.
Answer: C

Authentication policy is a separate rulebase that the firewall evaluates before the security rulebase; a prompt happens only when the flow hits an authentication rule. In the question's framing, the authentication rule must take effect before the security rule allows the traffic, otherwise users are never asked.

Why this answer

Option C is the key: the firewall has to evaluate an authentication rule for this flow before the security rule lets it through. Because authentication policy is its own rulebase, the first check is 'test authentication-policy-match' with the user's zones, address and port, which shows whether any rule matches at all. Two prerequisites are easy to miss for HTTPS: Authentication Portal must be enabled with a valid SSL/TLS service profile, and the firewall can only inject the portal redirect into an HTTPS session that a decryption rule decrypts; without decryption the user is never redirected, whatever the rule order.

310
MCQ · hard

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

A.Session offload is causing the packet to bypass security checks
B.The firewall is unable to resolve the destination MAC address
C.Asymmetric routing causes the firewall to drop the SYN packet
D.The destination NAT is misconfigured
Answer: C

The firewall forwards the SYN, but if the server's reply takes a path that bypasses this firewall the handshake never completes from the client's point of view, so the request is never sent.

Why this answer

The most likely cause is asymmetric routing: the client's SYN reaches the firewall, matches the allow rule and is forwarded, but the server's SYN-ACK follows a route that does not pass through the same firewall (or arrives at another firewall that has no session for it and drops it as non-SYN TCP). The client never completes the handshake, so it never sends the actual request, and the server sees only repeated SYNs. On the firewall this looks exactly as described: the session hits the rule, stays in its initial state with no server-to-client packets, and ends with the application 'incomplete'. 'show session all filter source <client> destination <server>' followed by 'show session id <id>' on this firewall, and the 'flow_tcp_non_syn_drop' counter in 'show counter global filter severity drop' on the device the replies reach, confirm it.

Exam trap

The trap is taking a policy hit as proof that the flow works: stateful inspection needs both directions through the same firewall, and a policy hit only proves that the first packet was permitted.

How to eliminate wrong answers

Option A is wrong because session offload (hardware acceleration) applies to established sessions that have already passed policy and App-ID; it does not skip security checks, and this flow never reaches the established state. Option B is wrong because an unresolved MAC address would affect every client of that server, not one subnet, and shows up as an ARP failure in the system log and in 'show arp all' rather than as a normally allowed session. Option D is wrong because a wrong destination NAT would also affect all clients and would be visible in the traffic log's translated destination, whereas the symptom here is tied to one subnet's return path.

311
MCQ · hard

A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?

A.The application's timeout value is too short.
B.The application is defined with the wrong protocol (TCP vs UDP).
C.Content-ID is disabled on the security policy.
D.The application requires URL categorization to be enabled.
Answer: B

If the custom application uses TCP but is defined as UDP, App-ID will not match.

Why this answer

Custom applications require both a default port and a protocol (TCP or UDP). If the protocol is wrong, the signature is never compared against the traffic and App-ID cannot match. Option A (timeout) affects session aging, not identification. Option D (URL categorisation) applies to HTTP-based applications only. Option C (Content-ID disabled) affects threat and data inspection, not basic identification. Two further checks are worth making: a custom application that has ports but no signature is never matched by App-ID unless an application override rule is used, and because this application opens further connections on other ports, those connections are identified separately and must be covered by the signature or by rules of their own.

312
MCQ · medium

A company uses User-ID to map users to IPs. Some users report that their traffic is being blocked even though they are in the correct user group for access. The security policy uses user-based conditions. What is a likely cause?

A.The security policy order is incorrect
B.The firewall is not configured to use the User-ID agent
C.The User-ID agent is not running
D.The user's IP is not in the User-ID mapping table
Answer: D

Without a mapping, the policy cannot match the user, so traffic may be blocked by a default deny rule.

Why this answer

When a security policy uses user-based conditions, the firewall must have a valid User-ID mapping for the user's IP address to enforce the rule. If the user's IP is not in the mapping table, the firewall cannot associate the traffic with a user or group, the intended allow rule does not match, and the traffic falls through to a later rule or the implicit deny. This is the most direct cause given that the group assignment is correct but the mapping is missing. 'show user ip-user-mapping ip <address>' confirms whether a mapping exists for an affected client; if it does not, the cause is upstream of the policy: no logon event was seen for that host, the mapping timed out, or the subnet is excluded by the User-ID include/exclude network list.

Exam trap

The trap here is that candidates often assume the issue is with the User-ID agent's configuration or status, but the question specifies that some users are affected, pointing to a per-user mapping gap rather than a global agent failure.

How to eliminate wrong answers

Option A is wrong because security policy order affects which rule matches first, but if the correct user-based rule exists and the user's IP is unmapped, the rule will not match regardless of order. Option B is wrong because if the firewall were not configured to use the User-ID agent, no user mappings would exist at all, but the issue is specific to some users, implying the agent is configured. Option C is wrong because if the User-ID agent were not running, no mappings would be populated for any user, but the problem is isolated to certain users, indicating the agent is operational.

313
MCQ · hard

A company integrates GlobalProtect with SAML for SSO. Users report that after authentication, they receive a 'Portal cannot be reached' error. The firewall logs show the SAML authentication succeeded. What should the administrator check?

A.The user's browser is blocking pop-ups from the portal.
B.The GlobalProtect portal agent is not set to use the correct SAML profile.
C.The SAML identity provider's certificate is not imported on the firewall.
D.The SSL/TLS service profile on the portal is not bound to the correct certificate.
Answer: D

Correct. A mismatched certificate causes the browser to block the portal after SAML.

Why this answer

After the identity provider posts the SAML assertion back, the browser or the GlobalProtect app reconnects to the portal's FQDN over TLS. If the SSL/TLS service profile bound to the portal presents a certificate whose subject or SAN does not match that FQDN, or whose issuer the client does not trust, the TLS session is rejected and the client reports that the portal cannot be reached, even though authentication already succeeded. Option C is wrong because the IdP certificate is used to validate the assertion signature, and the logs show that step succeeded. Option B would fail authentication itself, not the connection after it, and Option A does not apply to the GlobalProtect app's own portal connection.

314
MCQ · hard

During a security audit, an administrator finds that traffic on TCP port 443 is classified as web-browsing, but the firewall is configured to use SSL decryption. However, the traffic is not decrypted because it uses a self-signed certificate from an internal CA that is not trusted by the firewall. How should the administrator fix this to enable proper App-ID?

A.Configure SSH decryption for the traffic.
B.Disable SSL decryption for that traffic and rely on port-based identification.
C.Import the internal CA certificate and enable SSL forward proxy.
D.Create a custom App-ID override for the application.
Answer: C

This allows the firewall to trust the self-signed certificate and decrypt the traffic.

Why this answer

Option C is correct: importing the internal CA as a trusted root CA on the firewall lets SSL forward proxy validate the server certificate and re-sign it with the forward-trust CA, so the client sees a trusted certificate and the firewall sees the decrypted application. Without the import, the firewall treats the issuer as untrusted and re-signs with the forward-untrust certificate (or blocks the session if the decryption profile says so), which is what makes it look as if decryption is not happening. Option B is wrong because leaving the traffic undecrypted keeps the application at 'ssl'; only the port is known. Option A is wrong because SSH proxy decrypts SSH, not HTTPS. Option D is wrong because an application override labels the traffic without decrypting or inspecting it.

315
MCQ · hard

A company wants to deploy GlobalProtect to 10,000 remote users. Which method provides the most scalable and automated distribution of the client software?

A.Web-based download from the portal.
B.Manual installation via USB.
C.Email attachment.
D.Group Policy deployment via Active Directory.
Answer: A

Correct. Users download the client from the portal, which is automated and scalable.

Why this answer

Web-based download from the portal needs no distribution infrastructure and scales with the portal itself: users fetch the installer on demand, and later upgrades can be pushed through the portal's agent configuration. For a managed fleet, pushing the installer with Active Directory Group Policy, SCCM or an MDM avoids the need for local administrator rights at first install, with the portal handling upgrades afterwards; the exam's key is the portal because it is the method built into the product.

316
Multi-Select · easy

Which TWO of the following are prerequisites for configuring User-ID on an interface?

Select 2 answers
A.The firewall must be in FIPS mode.
B.The interface must be in a zone.
C.A User-ID agent must be installed.
D.User-ID must be enabled on the zone.
E.An authentication profile must be configured.
Answers: C, D

A User-ID agent (or other method) is required to provide user-to-IP mapping data.

Why this answer

Option C is correct because a User-ID agent (or the built-in User-ID service on the firewall) is required to map IP addresses to usernames. Without an agent—such as the PAN-OS User-ID Agent, Terminal Services Agent, or GlobalProtect—the firewall cannot collect user mapping data from directory services (e.g., Active Directory) or authentication logs. Option D is correct because User-ID must be explicitly enabled on the zone; if the zone does not have User-ID enabled, the firewall will not perform user mapping for traffic traversing that zone, even if the interface is configured correctly.

Exam trap

The trap is to read 'the interface must be in a zone' (Option B) as the User-ID prerequisite. Every interface that passes traffic is in a zone anyway; what User-ID actually needs is 'Enable User Identification' on that zone, together with a source of mappings (the Windows agent, the integrated PAN-OS agent, the Terminal Services agent, GlobalProtect or syslog parsing).

317
MCQ · easy

A network engineer notices that traffic from a specific subnet is being dropped by the firewall. The traffic log shows 'drop' with reason 'policy deny'. The engineer checks the security policy and confirms there is an allow rule for that subnet. What should be checked next?

A.Check the application override.
B.Check the QoS policy.
C.Check the rule order and ensure the allow rule is above any deny rules.
D.Check the NAT policy for the traffic.
Answer: C

A rule order issue is the most common cause when a policy deny occurs despite an allow rule existing.

Why this answer

The correct answer is C: rules are evaluated top-down and the first match wins, so a deny rule (or a broader rule with a different action) above the intended allow rule catches the traffic first. Confirm which rule the flow actually hits with 'test security-policy-match from <zone> to <zone> source <ip> destination <ip> protocol <number> destination-port <port>' and compare the result with the rule name shown in the traffic log.
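
The rule-order case in question 317, the first-match behaviour of decryption policy in question 308 and the two User-ID failures in questions 306 and 312 all come down to one evaluator. The following Python model of top-down, first-match policy evaluation is an added example, not PAN-OS code; the rule names, addresses, users and groups in it are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # allow / deny / decrypt / no-decrypt
    src_ip: str = ANY           # CIDR or ANY
    user_group: str = ANY       # group name or ANY
    category: str = ANY         # URL category or ANY


def _ip_match(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, flow, ip_user=None, groups=None):
    """Top-down, first-match evaluation. Returns the winning rule and action
    plus the reason each earlier rule was skipped, which is what a
    troubleshooter needs when 'the right rule is there but does not match'."""
    ip_user = ip_user or {}     # IP -> user, standing in for the User-ID mapping table
    groups = groups or {}       # group -> set of users, standing in for group mapping
    skipped = []
    for r in rules:
        if not _ip_match(r.src_ip, flow["src_ip"]):
            skipped.append((r.name, "source address"))
            continue
        if r.category != ANY and r.category != flow.get("category"):
            skipped.append((r.name, "url category"))
            continue
        if r.user_group != ANY:
            user = ip_user.get(flow["src_ip"])
            if user is None:
                skipped.append((r.name, "no ip-user mapping for " + flow["src_ip"]))
                continue
            if user not in groups.get(r.user_group, set()):
                skipped.append((r.name, f"{user} not in group {r.user_group}"))
                continue
        return {"rule": r.name, "action": r.action, "skipped": skipped}
    # nothing matched: the implicit interzone deny (or "not decrypted" for decryption policy)
    return {"rule": None, "action": "deny", "skipped": skipped}


def security_scenarios():
    """Constructed rulebase and mappings for the rule-order and User-ID cases."""
    ip_user = {"10.1.1.5": "acme\\jdoe", "10.1.1.7": "acme\\asmith"}
    groups = {"finance": {"acme\\jdoe"}}      # asmith is missing: stale group mapping
    wrong_order = [
        Rule("block-subnet", "deny", src_ip="10.1.0.0/16"),
        Rule("allow-finance", "allow", src_ip="10.1.0.0/16", user_group="finance"),
    ]
    right_order = list(reversed(wrong_order))
    return {
        "order_wrong": evaluate(wrong_order, {"src_ip": "10.1.1.5"}, ip_user, groups),
        "order_right": evaluate(right_order, {"src_ip": "10.1.1.5"}, ip_user, groups),
        "stale_group": evaluate(right_order, {"src_ip": "10.1.1.7"}, ip_user, groups),
        "unmapped_ip": evaluate(right_order, {"src_ip": "10.1.1.9"}, ip_user, groups),
    }


def decryption_scenarios():
    """A no-decrypt exception only wins when it sits above the broad decrypt rule."""
    flow = {"src_ip": "10.1.1.5", "category": "finance"}
    exception_first = [Rule("no-decrypt-finance", "no-decrypt", category="finance"),
                       Rule("decrypt-all", "decrypt")]
    return {
        "exception_first": evaluate(exception_first, flow)["action"],
        "exception_last": evaluate(list(reversed(exception_first)), flow)["action"],
    }


if __name__ == "__main__":
    for name, result in {**security_scenarios(), **decryption_scenarios()}.items():
        print(name, result)
```

Note what the 'skipped' list records: for 10.1.1.9 the allow rule is skipped because there is no IP-to-user mapping (question 312); for 10.1.1.7 the mapping exists but the group mapping does not contain the user (question 306); and in the decryption rulebase the same finance flow is decrypted or not purely by whether the exception sits above the broad rule (question 308).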

318
MCQ · medium

A firewall in an HA pair is being upgraded. The administrator wants to minimize traffic loss. What is the recommended procedure for upgrading the passive firewall in an active/passive pair?

A.Upgrade the active firewall first, then failover to the passive
B.Upgrade the passive firewall, failover to it, then upgrade the original active
C.Suspend HA, upgrade both, then re-enable HA
D.Upgrade both firewalls simultaneously after disconnecting HA links
Answer: B

Upgrading the passive peer first keeps one peer forwarding traffic at every step.

Why this answer

Option B is correct: upgrade the passive peer first, make it active with a manual failover ('request high-availability state suspend' on the active peer, then 'request high-availability state functional' once traffic has moved), and then upgrade the original active peer, which is now passive. Before starting, disable preemption so the upgraded peer is not pulled back mid-procedure, and confirm HA is synchronized before and after each step. Option A is wrong because upgrading the active peer first forces an unplanned failover. Option C is wrong because suspending HA and upgrading both peers removes the redundancy the procedure is meant to preserve. Option D is wrong because upgrading both peers at the same time with the HA links disconnected causes a full outage.

319
MCQ · medium

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

A.The application is using asymmetric routing
B.The security policy is not logging the traffic correctly
C.The firewall is not inspecting UDP traffic correctly
D.The firewall is dropping the return traffic due to a missing policy
Answer: D

The outbound session is allowed, but the application's server-side traffic is not covered by that session, and with no rule for it the firewall drops it.

Why this answer

Option D is the key, with one precision: a stateful firewall does not need a separate rule for replies. The server's responses to the client's datagram (same addresses, ports swapped) belong to the existing session and are forwarded without another policy lookup. What does need a rule is any traffic the server sends as a new flow, for example a data channel it opens toward the client on another port, or a response sent from a different source port than the one the request went to. Such packets create a new session from the server zone toward the client zone, find no matching allow rule and are denied, so the outbound session logs as allowed while the application still fails.

Exam trap

The trap is to treat an 'allow' entry for the outbound session as proof that the application works. Look for a second, denied session from the server toward the client in the traffic log, and check whether the outbound session's application is 'unknown-udp' or 'insufficient-data' because the server's side never arrived.

How to eliminate wrong answers

Option A is wrong because with asymmetric routing the firewall would never see the server's traffic at all, and the question gives no hint of multiple paths. Option B is wrong because the log is correct: the outbound session was allowed; a missing rule shows up as a separate deny entry, not as a logging fault. Option C is wrong because the firewall tracks UDP sessions statefully; it does not inspect UDP 'incorrectly', it simply has no rule for the server-initiated flow.
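
To make the session-state reasoning in questions 305, 310 and 319 concrete, here is a toy stateful firewall, an added example that is not PAN-OS code: a session is created only by a policy-permitted TCP SYN or first UDP datagram, later packets in either direction match by 5-tuple without a second policy lookup, and a TCP packet that belongs to no session is dropped. The addresses, ports, state names and the policy function are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "SA", "A", "PA"


class StatefulFirewall:
    """Toy session table. Policy is consulted only when a packet creates a
    session (a TCP SYN or a first UDP datagram); every later packet in either
    direction is matched to the session by its 5-tuple and forwarded without
    another policy lookup. A non-SYN TCP packet with no session is dropped,
    which is how an asymmetric return path looks from the firewall."""

    def __init__(self, policy):
        self.policy = policy      # callable(Packet) -> bool, the security rulebase
        self.sessions = {}        # client-to-server 5-tuple -> session dict
        self.log = []

    @staticmethod
    def _c2s(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _s2c(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _record(self, p, verdict, reason):
        self.log.append((self._c2s(p), verdict, reason))
        return verdict, reason

    def process(self, p):
        s, direction = self.sessions.get(self._c2s(p)), "c2s"
        if s is None:
            s, direction = self.sessions.get(self._s2c(p)), "s2c"
        if s is None:
            if p.proto == "tcp" and p.flags != "S":
                return self._record(p, "drop", "tcp-non-syn (no session: asymmetric path?)")
            if not self.policy(p):
                return self._record(p, "deny", "security policy")
            state = "SYN_SENT" if p.proto == "tcp" else "ACTIVE"
            self.sessions[self._c2s(p)] = {"state": state, "c2s": 1, "s2c": 0}
            return self._record(p, "allow", f"session created, state {state}")
        s[direction] += 1
        if p.proto == "tcp":   # walk the handshake: SYN_SENT -> SYN_RECV -> ESTABLISHED
            if s["state"] == "SYN_SENT" and direction == "s2c" and p.flags == "SA":
                s["state"] = "SYN_RECV"
            elif s["state"] == "SYN_RECV" and direction == "c2s" and p.flags == "A":
                s["state"] = "ESTABLISHED"
        return self._record(p, "allow", f"existing session {direction}, state {s['state']}")

    def state(self, p):
        return self.sessions[self._c2s(p)]["state"]


def policy(p):
    """Constructed rulebase: internal clients may open web (TCP/80) and the
    UDP/12345 application. Nothing else is allowed and no 'return' rule exists."""
    return p.src.startswith("10.1.") and (p.proto, p.dport) in {("tcp", 80), ("udp", 12345)}


def scenarios():
    out = {}
    syn = Packet("tcp", "10.1.1.5", 51000, "172.16.0.10", 80, "S")
    synack = Packet("tcp", "172.16.0.10", 80, "10.1.1.5", 51000, "SA")
    ack = Packet("tcp", "10.1.1.5", 51000, "172.16.0.10", 80, "A")

    fw = StatefulFirewall(policy)                       # symmetric path: handshake completes
    for p in (syn, synack, ack):
        fw.process(p)
    out["tcp_symmetric"] = fw.state(syn)

    fw = StatefulFirewall(policy)                       # SYN seen here, reply takes another path
    fw.process(syn)
    out["tcp_asymmetric_state"] = fw.state(syn)         # stuck in SYN_SENT until it ages out
    fw = StatefulFirewall(policy)                       # the other path: reply with no session
    out["synack_without_session"] = fw.process(synack)[0]

    fw = StatefulFirewall(policy)                       # UDP app: the reply needs no return rule
    req = Packet("udp", "10.1.1.5", 40000, "172.16.0.20", 12345)
    reply = Packet("udp", "172.16.0.20", 12345, "10.1.1.5", 40000)
    out["udp_request"] = fw.process(req)[0]
    out["udp_reply"] = fw.process(reply)
    push = Packet("udp", "172.16.0.20", 12346, "10.1.1.5", 40001)   # server-initiated data channel
    out["udp_server_initiated"] = fw.process(push)     # new flow, so it is policy-checked
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The asymmetric case shows both views: on the firewall that saw the SYN the session sits in SYN_SENT with no server-to-client packets, and on a firewall that sees only the SYN-ACK the packet is dropped as non-SYN TCP. The UDP case shows the reply forwarded on the existing session with no return rule at all, while the server-initiated flow to a new port is a new session and is denied by policy.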

320
MCQ · hard

A company runs a mixed environment of physical and virtual Palo Alto Networks firewalls (PA-5250, VM-300) managed by a single Panorama. The company recently deployed a new application that uses the QUIC protocol (UDP 443) for performance. After the deployment, the security team notices that the firewall is not accurately identifying the QUIC traffic, and some QUIC sessions are being dropped unexpectedly. The firewall logs show 'application: incomplete' for these sessions. The security team wants to ensure QUIC traffic is properly identified and allowed. The team has configured a security policy rule to allow 'ssl' application (thinking QUIC is similar to SSL) but the problem persists. The firewall is running PAN-OS 10.1. Which of the following is the best course of action?

A.Add a security policy rule to allow the 'quic' application.
B.Upgrade Panorama to the latest version to add QUIC support.
C.Enable SSL decryption on the policy to inspect QUIC traffic.
D.Disable App-ID for the QUIC traffic and use a port-based rule.
Answer: A

Allowing the quic application directly ensures proper identification and handling.

Why this answer

The correct action is to allow the 'quic' application: QUIC is a distinct protocol over UDP 443 with its own App-ID in PAN-OS 10.1. Because the rule allows only 'ssl', the first datagrams are forwarded while App-ID is still working, but once the firewall recognises QUIC the session no longer matches the rule and is ended, which is what the team sees as unexpected drops. Allowing 'ssl' does not help because that App-ID describes TLS over TCP, while QUIC carries its handshake inside UDP datagrams with a different header, so the two signatures never match the same traffic.

Exam trap

The trap here is that candidates assume QUIC is a variant of SSL/TLS and can be allowed by the 'ssl' application, but they overlook that QUIC runs over UDP and has its own distinct App-ID, requiring a separate security rule.

How to eliminate wrong answers

Option B is wrong because upgrading Panorama does not add App-IDs to the firewalls; QUIC is already identified in PAN-OS 10.1, and Panorama is the management point, not the enforcement point. Option C is wrong because SSL forward proxy works on TLS over TCP; QUIC encrypts its handshake inside UDP and the firewall cannot proxy it. For that reason the usual practice where decryption is required is the opposite of allowing it: deny 'quic' so that browsers fall back to TLS over TCP, which the firewall can decrypt and inspect. This team chose to allow it, so the rule is for 'quic'. Option D is wrong because a port-based rule for UDP 443 bypasses application identification entirely and lets any UDP 443 traffic through.
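
Why an 'ssl' rule cannot cover QUIC, shown on the wire. The classifier below is an added example (not App-ID's signatures and not code from the page): it checks the TLS record header that 'ssl' is built on, and the QUIC long-header fields (fixed bit, version, packet type and the 1200-byte client Initial minimum) that identify 'quic'. The sample packets are constructed, and the version set and the App-ID-style labels are assumptions.

```python
TLS_HANDSHAKE = 0x16
# QUIC versions this toy knows. RFC 9369 (v2) renumbers the Initial packet
# type from 0b00 to 0b01, so the type bits have to be read per version.
QUIC_INITIAL_TYPE = {0x00000001: 0, 0x6B3343CF: 1}


def classify(transport, payload):
    """App-ID-style label for the first bytes of a port-443 flow (simplified)."""
    if transport == "tcp":
        if not payload:
            return "incomplete"                 # handshake done, no payload seen
        # TLS record: type 0x16 (handshake), version 3.x, handshake type 1 = ClientHello
        if len(payload) >= 6 and payload[0] == TLS_HANDSHAKE \
                and payload[1] == 0x03 and payload[5] == 0x01:
            return "ssl"
        return "unknown-tcp"
    if transport == "udp":
        if not payload:
            return "insufficient-data"
        # QUIC long header: bit 7 = long form, bit 6 = fixed bit (always 1),
        # bits 5-4 = packet type, then 4-byte version and the DCID length.
        if len(payload) >= 6 and payload[0] & 0xC0 == 0xC0:
            version = int.from_bytes(payload[1:5], "big")
            ptype = (payload[0] >> 4) & 0x03
            dcid_len = payload[5]
            # a client Initial must be padded to at least 1200 bytes (RFC 9000 14.1)
            if QUIC_INITIAL_TYPE.get(version) == ptype and dcid_len <= 20 and len(payload) >= 1200:
                return "quic"
        return "unknown-udp"
    raise ValueError(transport)


def policy_decision(transport, payload, allowed_apps):
    """What happens to the flow once App-ID settles on a label."""
    app = classify(transport, payload)
    return app, ("allow" if app in allowed_apps else "deny")


def _quic_initial(first_byte, version):
    """Constructed client Initial: header, version, 8-byte DCID, no SCID, padding."""
    head = bytes([first_byte]) + version.to_bytes(4, "big") + bytes([8]) + bytes(8) + bytes([0])
    return head.ljust(1200, b"\x00")


# Constructed samples: a TLS ClientHello record prefix and two QUIC Initials.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(32)
QUIC_V1_INITIAL = _quic_initial(0xC3, 0x00000001)   # 1100 0011: long, fixed, type 00
QUIC_V2_INITIAL = _quic_initial(0xD3, 0x6B3343CF)   # 1101 0011: long, fixed, type 01


if __name__ == "__main__":
    for name, (t, p) in {"tls/tcp": ("tcp", TLS_CLIENT_HELLO), "quic-v1/udp": ("udp", QUIC_V1_INITIAL),
                         "quic-v2/udp": ("udp", QUIC_V2_INITIAL), "tls-bytes/udp": ("udp", TLS_CLIENT_HELLO)}.items():
        print(name, policy_decision(t, p, {"ssl"}), policy_decision(t, p, {"ssl", "quic"}))
```

The TLS check never fires on a UDP datagram and the QUIC check never fires on a TCP segment, so the transport alone separates the two. A QUIC Initial that is not padded to 1200 bytes falls out as unknown-udp, which is the kind of traffic that shows up in the logs with no usable application name.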

321
MCQ · medium

A security administrator reports that they can ping and access internal resources, but cannot access any external websites. The firewall is configured with a default route pointing to the internet router, and the NAT policy includes a source NAT rule for the internal subnet. Which step should the administrator take first to troubleshoot this issue?

A.Check the NAT rule for correct interface assignment.
B.Check the DNS proxy configuration on the firewall.
C.Review the security policy to ensure traffic from the internal zone to the external zone is allowed.
D.Verify that the default route is active by checking the routing table.
Answer: C

If internal access works but external website access fails, the most likely cause is a security policy blocking web traffic. Checking the security policy is the logical first step.

Why this answer

Option C is correct because if internal access works but external website access fails, the most likely cause is a security policy that does not allow traffic from the internal zone to the external zone. The default route and NAT are stated as configured, so the rulebase is the logical first check; the traffic log will show the deny and the rule that caused it. Option B is wrong because DNS proxy only matters if the firewall is the resolver, and a name-resolution failure would show as failing DNS sessions rather than as denied web traffic. Option D is wrong because the default route is stated as present; verifying it with 'show routing route' is a sensible second step, not the first. Option A is wrong because a wrong NAT interface would be visible as untranslated sessions in the traffic log, whereas a policy deny is both more common and immediately visible as the session's action.

322
Multi-Select · hard

Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?

Select 3 answers
A.Zone protection profile on the untrust zone
B.Interface management profile on the external interface
C.Pre-shared key configuration on both ends
D.Peer IP address in the tunnel interface configuration
E.IKE version (v1 vs v2) compatibility
Answers: C, D, E

Mismatched PSK will prevent IKE authentication.

Why this answer

The pre-shared key (PSK) must match exactly on both VPN peers. If it differs, peer authentication fails in main or aggressive mode (IKEv1) or in the IKE_AUTH exchange (IKEv2), and the tunnel never establishes. The IKE version must also agree, and the peer address configured in the IKE gateway must be the one the remote side actually sources from (watch for NAT in the path). 'show vpn ike-sa gateway <name>', 'show vpn ipsec-sa' and 'less mp-log ikemgr.log' show which phase fails and why, and 'test vpn ike-sa gateway <name>' starts a negotiation on demand.

Exam trap

The trap here is that candidates often confuse zone protection profiles or interface management profiles with VPN-related security settings, but these profiles only affect data-plane or management-plane traffic, not the control-plane IKE negotiation required for tunnel establishment.

323
Drag & Drop · medium

Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.


Why this order

VPN setup builds from the bottom up: the IKE crypto profile and the IPSec crypto profile first, then the IKE gateway (peer address, authentication, IKE version) that references the IKE crypto profile, then a tunnel interface placed in a zone and a virtual router, then the IPSec tunnel that ties the tunnel interface, the IKE gateway and the IPSec crypto profile together, and finally a route for the remote subnet via the tunnel interface plus security policy between the tunnel's zone and the inside zones.

324
Multi-Select · medium

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Select 2 answers
A.Two physical or subinterfaces assigned to the vwire.
B.A management profile must be applied to the vwire.
C.A zone must be assigned to the vwire.
D.The interfaces must be of type 'aggregate'.
E.No IP addresses configured on the interfaces used in the vwire.
Answers: A, E

A vwire requires exactly two interfaces.

Why this answer

Option A is correct because a virtual wire (vwire) requires exactly two interfaces to function as a transparent bridge between two network segments. These interfaces can be physical or subinterfaces, and they must be assigned to the vwire to pass traffic without Layer 3 processing. Without two interfaces, the vwire cannot forward frames between the connected devices.

Exam trap

The trap here is that candidates assume a vwire needs an IP address or a management profile because they confuse it with a Layer 3 interface. A vwire is a transparent bump-in-the-wire: it does no MAC learning, switching or routing. Zones of type virtual-wire are still assigned to the two interfaces so that security policy can be written against them, but the zone is a property of each interface, not of the vwire object itself.

325
MCQhard

Refer to the exhibit. Based on the log, what triggered the failover?

A.Loss of HA1 heartbeat from the peer
B.A link failure on ethernet1/1
C.An administrator manually triggered a failover
D.A path monitoring group determined that the upstream ISP is unreachable
AnswerD

The log explicitly states path monitoring group failure.

Why this answer

Option D is correct because the log indicates that path monitoring group 'ISP1' failed, causing the HA state change. Option B is wrong because no interface-down event is logged. Option A is wrong because there is no HA1 heartbeat failure in the log.

Option C is wrong because the log shows no manual, administrator-triggered failover.

326
MCQeasy

Which component of the PAN-OS architecture is responsible for processing security policies and performing packet inspection?

A.Panorama plane
B.Management plane
C.Data plane
D.Control plane
AnswerC

Data plane processes all packets and enforces security policies.

Why this answer

The data plane is the correct answer because it is the component that handles packet forwarding, session setup, security policy enforcement and inspection (App-ID, Content-ID and SSL decryption). On hardware platforms it runs on dedicated processors separate from the management plane, so heavy inspection load does not take down management access or the routing daemons.

Exam trap

The trap here is the 'control plane' distractor. In PAN-OS the control plane and the management plane are the same component: it runs the management services (GUI, CLI, API, logging, commits), the routing protocols and HA control. Session setup and session-table handling happen on the data plane, not the control plane.

How to eliminate wrong answers

Option A is wrong because Panorama is a separate centralized management appliance or VM for many firewalls, not a plane inside a single firewall, and it never inspects traffic. Option B is wrong because the management plane handles administrative tasks (CLI, GUI, logging, configuration commits) and does not process live traffic. Option D is wrong because 'control plane' is simply PAN-OS's other name for the management plane; it runs routing protocols (OSPF, BGP) and HA state control but does not forward, inspect or enforce policy on packets.

327
MCQmedium

A network engineer wants to reduce the number of applications in security policies by combining several applications that are always used together. What is the best practice?

A.Use a wildcard application for the protocol.
B.Create a custom application that covers all the applications.
C.Configure an application group and add all related applications.
D.Remove the individual applications and just use port-based rules.
AnswerC

Application groups allow grouping for easier policy management.

Why this answer

Option C is correct because an application group bundles related App-IDs into one object: a single rule references the group, and any later change to the group applies consistently to every rule that uses it. Option A is wrong because there is no wildcard application, and matching an entire protocol would be far too broad. Option B is wrong because a custom application defines a new signature for traffic the firewall cannot otherwise identify; it does not act as a container for existing App-IDs.

Option D is wrong because removing applications reduces visibility.

328
Multi-Selecteasy

Which TWO methods can be used to monitor traffic passing through a Palo Alto Networks firewall?

Select 2 answers
A.Use the show session all command.
B.Enable config drift monitoring.
C.Review traffic logs under Monitor > Traffic.
D.Configure a packet capture on the dataplane.
E.Application Command Center (ACC)
AnswersC, E

Traffic logs provide detailed information on each session.

Why this answer

Option C is correct because the Monitor > Traffic log is the primary GUI-based method for reviewing detailed session logs, including source/destination IPs, ports, applications, and actions (allow/deny). Option E is correct because the Application Command Center (ACC) provides a high-level, visual dashboard for monitoring traffic patterns, top applications, and threats in near real-time, aggregating data from traffic and threat logs.

Exam trap

The trap here is that candidates often confuse the 'show session all' CLI command (which shows active sessions) with a method for monitoring traffic logs, when in fact it only displays ephemeral session state and does not provide historical or logged traffic data.

329
MCQmedium

Refer to the exhibit. The session is in FIN_WAIT state. What does this indicate about the TCP connection?

A.The connection is actively transferring data
B.The firewall has closed the connection and is waiting for the client or server to finish
C.The connection has timed out and is being removed
D.The firewall is waiting for a SYN-ACK from the destination
AnswerB

FIN_WAIT is the TCP state of the side that sent the first FIN; the session is in graceful teardown.

Why this answer

In TCP, FIN_WAIT means one side has sent its FIN and is waiting for the peer to acknowledge it and send its own FIN. This is normal connection teardown, so the session is neither actively transferring data (A), timed out (C), nor still waiting for the handshake to complete (D). The firewall itself only originates a FIN when it acts as a TCP endpoint, for example as an SSL forward proxy; otherwise it is tracking the endpoints' FIN exchange and ages the session out once both directions have closed.

330
MCQmedium

A company wants to provide VPN access to external business partners who do not have the GlobalProtect client installed. Which VPN method should be used?

A.SSL VPN (clientless)
B.GlobalProtect with pre-logon
C.IPSec VPN
D.L2TP over IPSec
AnswerA

Clientless SSL VPN allows users to access web applications via a browser without installing software.

Why this answer

Clientless SSL VPN provides web-based access without installing any client software, ideal for partners.

331
Multi-Selectmedium

Which THREE steps should be taken to verify that an HA pair is ready for a scheduled failover?

Select 3 answers
A.Stop all logging to reduce CPU load
B.Perform a 'show high-availability sync-status' to confirm config synchronization
C.Verify HA2 link status is up
D.Confirm that session synchronization is enabled
E.Disable preemption on the active firewall
AnswersB, C, D

Config sync must be complete for consistency.

Why this answer

Options B, C and D are correct. B: confirm that the running configuration is reported as synchronized, otherwise the passive peer would take over with stale policy. C: the HA2 link must be up, because session and table state are synchronized over HA2. D: session synchronization must be enabled, otherwise existing sessions are lost at failover.

E is wrong because disabling preemption is a design choice, not a readiness check; preemption only matters once the original active peer recovers. A is wrong because stopping logging is unnecessary and would hide exactly the events you want to see during the failover.

332
Multi-Selecteasy

Which THREE of the following are core components of the GlobalProtect solution? (Choose exactly three.)

Select 3 answers
A.GlobalProtect License Server
B.GlobalProtect Gateway
C.GlobalProtect Client
D.GlobalProtect Mobile App
E.GlobalProtect Portal
AnswersB, C, E

Gateways terminate client connections and enforce policies.

Why this answer

The GlobalProtect solution is built on three core components: the GlobalProtect Portal, GlobalProtect Gateway, and GlobalProtect Client. The Portal manages configuration and authentication, the Gateway provides secure access to internal resources, and the Client is the endpoint software that establishes VPN tunnels. These three work together to enforce security policies and enable remote access.

Exam trap

The trap here is that candidates often mistake the GlobalProtect Mobile App as a core component, but it is simply a variant of the GlobalProtect Client and not one of the three fundamental architectural elements.

333
MCQmedium

Refer to the exhibit. The administrator committed this configuration but users cannot authenticate via SAML. What is the problem?

A.The authentication profile has two methods configured, causing a conflict.
B.The firewall is not configured as a service provider.
C.The SAML identity provider certificate is missing.
D.The SAML logout URL is incorrect.
AnswerA

Only one method (or sequence) can be set; the second 'method ldap' overwrites 'method saml'.

Why this answer

The authentication profile has two 'method' commands; the second one overwrites the first, so the profile ends up using LDAP instead of SAML. Option A is correct. Options B, C and D describe SAML settings that would produce a different failure (SAML assertion or certificate errors in the authd log), not a profile that silently authenticates against LDAP.

334
MCQmedium

A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?

A.Configure the SSL/TLS Service Profile to bypass decryption for the domain.
B.Configure a Decryption Profile to exclude the domain.
C.Create a Decryption Policy rule matching the traffic and set the action to 'No Decrypt'.
D.Enable certificate revocation checking for the decryption zone.
AnswerC

Decryption Policy rules with 'No Decrypt' action are the correct way to exclude traffic from decryption based on zone, URL category, etc.

Why this answer

Option C is correct because in Palo Alto Networks firewalls, SSL Forward Proxy decryption is controlled by Decryption Policy rules. To exclude specific traffic from decryption, you create a Decryption Policy rule that matches the traffic (e.g., destination domain *.bank.com) and set the action to 'No Decrypt'. This ensures the firewall forwards the traffic without intercepting or decrypting it, meeting compliance requirements.

Exam trap

The trap here is confusing the purpose of Decryption Profiles (which control decryption behavior) with Decryption Policy rules (which control which traffic is decrypted), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because the SSL/TLS Service Profile is used to define the certificate and protocol settings for decryption, not to bypass decryption for specific domains. Option B is wrong because a Decryption Profile controls advanced decryption settings like certificate revocation checking and protocol versions, not the decision to decrypt or not. Option D is wrong because enabling certificate revocation checking for the decryption zone affects validation of certificates during decryption, not the exclusion of traffic from decryption.

335
MCQhard

An organization is experiencing intermittent connectivity issues with their GlobalProtect remote access VPN. Users report that they can connect but after a random period (20-40 minutes) the tunnel drops and reconnects. The firewall has sufficient licensing. Which setting should be reviewed first?

A.GlobalProtect gateway 'Idle Timeout' setting.
B.The 'Disconnect on Network Change' option on the client.
C.The authentication timeout on the firewall.
D.'Tunnel Rekey' interval in the IPSec configuration.
AnswerA

A low idle timeout can disconnect sessions prematurely, and the client may reconnect automatically.

Why this answer

The 'Idle Timeout' setting on the GlobalProtect gateway controls how long an inactive session is allowed to remain connected. If this value is set too low (e.g., 20-30 minutes), the gateway will terminate the tunnel after that period of inactivity, causing the client to disconnect and immediately reconnect, which matches the described symptom of intermittent drops every 20-40 minutes. This is the most likely cause because the issue is periodic and consistent with a timeout-based disconnection, not a network change or authentication failure.

Exam trap

Palo Alto Networks often tests the distinction between 'Idle Timeout' and 'Session Timeout' on GlobalProtect gateways, and the trap here is that candidates confuse the 'Tunnel Rekey' interval (which is a seamless process) with a timeout that causes disconnection, or they incorrectly attribute the issue to client-side network change detection rather than a server-side idle timeout.

How to eliminate wrong answers

Option B is wrong because 'Disconnect on Network Change' is a client-side setting that drops the tunnel when the underlying network interface changes (e.g., switching from Wi-Fi to Ethernet), which would cause a single disconnection event, not a recurring 20-40 minute cycle. Option C is wrong because the authentication timeout on the firewall typically controls how long a user can remain authenticated before re-authentication is required, but this would affect the entire authentication session, not just the VPN tunnel, and would not cause a tunnel drop and immediate reconnect without re-authentication. Option D is wrong because 'Tunnel Rekey' interval in IPSec configuration controls how often the IPSec security associations are renegotiated; a rekey is a seamless process that does not drop the tunnel, and if misconfigured, it would cause a failure to rekey, not a periodic disconnect/reconnect pattern.

336
MCQhard

A Panorama-managed firewall is not sending logs to Panorama. The firewall is operational and policies are being pushed successfully. Which of the following is the most likely cause?

A.The security policy rules do not have a Log Forwarding profile applied.
B.The Panorama collector group is not configured correctly.
C.The firewall's management interface is not reachable from Panorama.
D.The log buffer on the firewall is full.
AnswerA

Without a Log Forwarding profile, logs are not sent to Panorama; they remain local.

Why this answer

Option A is correct because logs reach Panorama only when a Log Forwarding profile that targets Panorama is applied to the rules generating the logs; without it, the logs stay in the firewall's local storage. Option B is wrong because collector groups control how Panorama and its Log Collectors distribute and store logs they receive; they do not make the firewall send anything. Option D is wrong because a full local log store wraps and overwrites old entries; it does not stop forwarding.

Option C is wrong because the question states that policies are pushed successfully, so Panorama already reaches the firewall's management interface; forwarding failures with working pushes point at configuration on the firewall, not at connectivity.

337
MCQhard

A large enterprise uses a PA-5250 as a perimeter firewall with multiple virtual systems (vsys). One vsys is for the DMZ, and it is logging high amounts of dropped traffic. The administrator notices that the firewall's dataplane CPU is consistently above 80%. The logs show many 'application-id timeout' drops. The DMZ hosts are running custom applications on non-standard ports. What is the first step to mitigate the issue?

A.Disable application identification for the DMZ zone.
B.Reduce the number of security rules in the DMZ.
C.Use a custom application signature for the custom applications.
D.Increase the application identification timeout for the custom applications.
AnswerC

A custom App-ID signature lets the firewall classify the custom traffic on its first matching packets instead of holding every session in the identification state until the App-ID timeout expires.

Why this answer

Option C is correct because traffic on non-standard ports that matches no known signature keeps the App-ID engine working on every session until it gives up as unknown, which burns dataplane CPU and produces the 'application-id timeout' drops seen in the logs. A custom application with a signature (or, for known-safe traffic, an application override) lets the firewall classify those sessions immediately. Option A removes visibility and application-based policy for the whole zone; option B does not change the per-session identification cost; option D only makes each unidentified session hold resources for longer.

338
MCQeasy

An administrator notices that the HA pair shows a state mismatch: one firewall reports active, the other reports passive, but traffic is not flowing through the active firewall. What is the most likely cause?

A.Session synchronization is incomplete
B.The HA2 link is down
C.The passive firewall has a higher priority
D.The HA1 link is down and preemptive mode is enabled
AnswerD

With HA1 down and preemptive, both may attempt to become active, leading to mismatch.

Why this answer

Option D is correct because when the HA1 control link fails (and no backup HA1 link or heartbeat backup is configured), each peer loses sight of the other's state. With preemption enabled the higher-priority peer asserts the active role while the other may still report passive, or both go active (split-brain); either way the forwarding path no longer matches the states the peers report. Option B is wrong because HA2 carries session and table synchronization only; losing it does not change the active/passive election. Options A and C do not produce a state mismatch on their own: incomplete session sync only affects existing sessions after a failover, and a higher priority on the passive unit only matters when preemption is enabled and HA1 is working.

339
MCQmedium

During a troubleshooting session, a user reports that they cannot access an internal web server through the firewall's public IP. The firewall is configured with destination NAT. The engineer checks the NAT policy and sees the rule is active. What should be the next step to verify the NAT is functioning correctly?

A.Check the session table to see if the NAT translation is occurring.
B.Check the application dependency.
C.Check the security policy for the post-NAT zone.
D.Check the routing table for the destination.
AnswerA

The session table shows both the original (pre-NAT) and translated (post-NAT) addresses and ports, confirming whether the NAT rule is being hit.

Why this answer

The correct answer is A because the session table shows whether the destination is actually being translated: 'show session all filter destination <public-ip>' lists matching sessions, and 'show session id <id>' shows the NAT rule applied together with the pre- and post-NAT addresses. If no session is created at all, move on to the security policy for the post-NAT zone (C) and the routing table (D).

340
MCQmedium

A security administrator is troubleshooting a traffic drop between two internal zones. The firewall shows that the session is being terminated with a 'tcp-fin' reason. The administrator verifies that the application is set to 'web-browsing' and the service is 'application-default'. What is the most likely cause of the session termination?

A.The security policy has a deny action for the traffic.
B.The application override is incorrectly configured for the traffic.
C.The traffic is being asymmetrically routed.
D.The zone protection profile is dropping the session.
AnswerB

The session end reason 'tcp-fin' means the endpoints closed the session normally: it was established and allowed, so the cause lies in how the traffic was classified and handled, which points at the override.

Why this answer

In the traffic log, 'tcp-fin' records a graceful close initiated by the client or the server, not by the firewall. A session the firewall denies is logged with end reason 'policy-deny', and a session an endpoint aborts shows 'tcp-rst-from-client' or 'tcp-rst-from-server'. Because this session completed the handshake, passed policy and then ended with a FIN, the traffic was allowed but did not work at the application layer. An application override scoped to the wrong ports or zones forces matching traffic to be treated as the named application and bypasses App-ID and Content-ID inspection for it; if the real protocol is not what the override claims (for example, a custom protocol labelled as web-browsing), the endpoints get as far as they can and then tear the session down, which is exactly what the log shows.

Exam trap

Palo Alto Networks often tests the session end reason field: 'tcp-fin' means a graceful close by an endpoint, 'tcp-rst-from-client' and 'tcp-rst-from-server' mean an abrupt reset, 'policy-deny' means the firewall blocked the session, and 'aged-out' means the session timer expired. A 'tcp-fin' session was never blocked, so a deny rule or zone protection cannot be the cause.

How to eliminate wrong answers

Option A is wrong because a deny action produces a session end reason of 'policy-deny' (with a RST sent by the firewall only when the rule's action is reset-client, reset-server or reset-both), never 'tcp-fin'. Option C is wrong because asymmetric routing means the firewall sees only one direction of the flow; the symptoms are non-SYN TCP drops in the global counters and sessions ending with 'aged-out' or a reset, not a clean FIN exchange in both directions. Option D is wrong because zone protection drops packets before a session exists and records them in the threat log; they never appear as a 'tcp-fin' session end.
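The session end reasons above are easiest to reason about when they are tallied across many sessions rather than read one log line at a time. The script below is an added example, not Palo Alto Networks code or anything from this page: it reads a constructed CSV excerpt of traffic-log lines (the column subset and column names are an assumption; the end-reason values are the ones PAN-OS writes), counts sessions per end reason, and flags a policy-deny plus a source/destination pair that keeps ending with a server reset, which is the pattern to chase when an override or port mismatch is suspected.

```python
"""Triage of session end reasons from exported traffic-log lines (added example).

Not Palo Alto Networks code. SAMPLE_LOG is a constructed CSV that keeps only a
handful of the columns a real PAN-OS traffic-log export contains; the column
names are an assumption. The end-reason values (tcp-fin, policy-deny,
tcp-rst-from-server, aged-out) are the ones PAN-OS uses.
"""
import csv
from collections import Counter
from io import StringIO

SAMPLE_LOG = """\
receive_time,src,dst,dport,app,rule,action,session_end_reason
2024/05/01 10:00:01,10.1.1.20,10.2.2.50,80,web-browsing,allow-web,allow,tcp-fin
2024/05/01 10:00:02,10.1.1.20,10.2.2.50,80,web-browsing,allow-web,allow,tcp-fin
2024/05/01 10:00:03,10.1.1.21,10.2.2.51,22,ssh,interzone-default,deny,policy-deny
2024/05/01 10:00:04,10.1.1.22,10.2.2.52,8443,web-browsing,allow-override,allow,tcp-rst-from-server
2024/05/01 10:00:05,10.1.1.22,10.2.2.52,8443,web-browsing,allow-override,allow,tcp-rst-from-server
2024/05/01 10:00:06,10.1.1.22,10.2.2.52,8443,web-browsing,allow-override,allow,tcp-rst-from-server
2024/05/01 10:00:07,10.1.1.23,10.2.2.53,5000,custom-app,allow-custom,allow,aged-out
"""

# What each end reason tells the analyst before any packet capture is taken.
REASON_HINTS = {
    "tcp-fin": "graceful close by an endpoint; session was allowed end to end",
    "tcp-rst-from-client": "client aborted; check the client application",
    "tcp-rst-from-server": "server refused or aborted; suspect wrong app/override or port",
    "policy-deny": "blocked by security policy; check the matched rule",
    "aged-out": "timer expired; suspect one-way traffic (asymmetric routing) or idle flows",
}


def parse(text: str):
    """Parse the CSV excerpt into a list of dict rows keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def summarize(rows) -> Counter:
    """Count sessions per end reason."""
    return Counter(r["session_end_reason"] for r in rows)


def repeated_pairs(rows, reason: str, threshold: int = 3):
    """Source/destination pairs that hit the same end reason at least `threshold` times."""
    pairs = Counter((r["src"], r["dst"]) for r in rows if r["session_end_reason"] == reason)
    return {pair: n for pair, n in pairs.items() if n >= threshold}


def findings(rows):
    """Human-readable leads: every policy-deny, then pairs that repeatedly reset or age out."""
    out = []
    for r in rows:
        if r["session_end_reason"] == "policy-deny":
            out.append(f"{r['src']}->{r['dst']}:{r['dport']} {r['app']} denied by rule '{r['rule']}'")
    for reason in ("tcp-rst-from-server", "aged-out"):
        for (src, dst), n in repeated_pairs(rows, reason).items():
            out.append(f"{src}->{dst}: {n}x {reason} ({REASON_HINTS[reason]})")
    return out


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for reason, n in summarize(rows).most_common():
        print(f"{n:3d} {reason:22s} {REASON_HINTS.get(reason, '')}")
    for line in findings(rows):
        print("->", line)
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the only columns it needs are the eight in the header.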

341
MCQhard

An organization uses GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show that the traffic from the GlobalProtect IP pool to internal servers is allowed. What is the most likely cause?

A.The GlobalProtect gateway is not configured with a route to internal network.
B.The internal server's default gateway does not point to the firewall.
C.The client's VPN adapter is not set to use the default gateway on the remote network.
D.The security policy for internal traffic is misconfigured.
AnswerB

Internal servers must route return traffic back through the firewall for stateful inspection.

Why this answer

The most likely cause is that the internal server's default gateway does not point to the firewall. When GlobalProtect clients receive an IP from the VPN IP pool and send traffic to internal servers, the servers must send return traffic back through the firewall to maintain stateful session symmetry. If the server's default gateway points elsewhere (e.g., a core switch), the firewall drops the return traffic because it does not match an existing session, causing connectivity failure despite the firewall logs showing allowed outbound traffic.

Exam trap

The trap here is that candidates see the firewall logs showing allowed traffic and assume the security policy is correct, overlooking the critical requirement for symmetric routing in stateful firewalls.

How to eliminate wrong answers

Option A is wrong because the gateway uses the firewall's own routing table; if the firewall has a route to the internal network, GlobalProtect traffic uses it. Option C is wrong because which traffic the client sends through the tunnel is controlled by the split-tunnel (access route) settings in the gateway's client configuration, and the question states that traffic from the pool is reaching the firewall and being allowed, so the client side is working. Option D is wrong because the logs already show the security policy allowing the traffic.

342
MCQeasy

An administrator needs to allow FTP traffic from the internal network to an external server. The firewall is configured with a security policy that has the application 'ftp' and service 'service-http'. What is the most likely cause of the traffic being denied?

A.The source address is wrong.
B.The application is incorrectly set to ftp.
C.The rule is not enabled.
D.The service object in the rule is set to service-http, which does not match FTP traffic.
AnswerD

FTP uses TCP port 21 for its control channel (and port 20 for active-mode data); service-http covers only TCP 80 and 8080. The service in the rule must match the port the traffic actually uses.

Why this answer

The correct answer is D because the predefined 'service-http' object covers TCP ports 80 and 8080, while FTP control traffic arrives on TCP port 21. A security rule matches only when both the identified application and the service (destination port and protocol) match; a rule with application 'ftp' and service 'service-http' can therefore only match FTP spoken on port 80 or 8080, and ordinary FTP on port 21 falls through to the next rule or the default deny. Setting the service to 'application-default' restricts the rule to FTP's standard port and is the recommended configuration.

Exam trap

The trap here is that candidates may think the application field alone is sufficient to allow traffic, but the service object must also match the destination port; Palo Alto Networks often tests this by pairing a correct application with an incorrect service to see if you understand the dual-layer check.

How to eliminate wrong answers

Option A is wrong because the source address being incorrect would cause traffic to not match the policy at all, but the question states the policy is configured with the application 'ftp' and service 'service-http', implying the source address is not the primary issue. Option B is wrong because the application 'ftp' is correctly set to allow FTP traffic; the problem is not the application but the service mismatch. Option C is wrong because the rule not being enabled would prevent any traffic matching, but the question asks for the most likely cause given the specific configuration details; the service mismatch is a more precise and common issue than a disabled rule.
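The dual check (application AND service) is easy to demonstrate by modelling the rule lookup. This is an added example, not Palo Alto Networks code: Rule, Session, evaluate() and the two port tables are a hypothetical simplification; the tables assume service-http is TCP 80 plus 8080 and FTP's default port is TCP 21, as on the firewall. It shows the rule from the question failing to match FTP on port 21, the corrected application-default rule matching it, and the two opposite outcomes for FTP on port 8080.

```python
"""Security-rule matching on application AND service, as an added example.

Not Palo Alto Networks code: Rule, Session and evaluate() are a hypothetical
simplification of the PAN-OS lookup used to show why 'ftp' + 'service-http'
never matches ordinary FTP. The port tables are assumptions that mirror the
predefined objects (service-http = TCP 80 and 8080, ftp default = TCP 21).
"""
from dataclasses import dataclass

# Assumed App-ID default ports for a few well-known applications.
APP_DEFAULT_PORTS = {
    "ftp": {("tcp", 21)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
}

# Assumed predefined service objects.
SERVICE_OBJECTS = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset   # App-IDs, or {"any"}
    service: str              # "any", "application-default" or a service object name
    action: str = "allow"


@dataclass(frozen=True)
class Session:
    app: str      # application as identified by App-ID
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def app_matches(rule: Rule, s: Session) -> bool:
    return "any" in rule.applications or s.app in rule.applications


def service_matches(rule: Rule, s: Session) -> bool:
    """The service check is independent of App-ID: both must succeed."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.dport) in SERVICE_OBJECTS[rule.service]


def evaluate(rules, s: Session):
    """First rule whose application AND service both match wins; otherwise the
    implicit interzone-default rule denies the session."""
    for rule in rules:
        if app_matches(rule, s) and service_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


# The misconfigured rule from the question beside the corrected one.
BROKEN_RULES = [Rule("allow-ftp", frozenset({"ftp"}), "service-http")]
FIXED_RULES = [Rule("allow-ftp", frozenset({"ftp"}), "application-default")]
FTP_CONTROL = Session("ftp", "tcp", 21)

if __name__ == "__main__":
    print("broken:", evaluate(BROKEN_RULES, FTP_CONTROL))   # ('interzone-default', 'deny')
    print("fixed: ", evaluate(FIXED_RULES, FTP_CONTROL))    # ('allow-ftp', 'allow')
```

Note the symmetric failure: with the broken rule, FTP that someone runs on port 8080 is allowed, and with the fixed rule it is not, which is the point of application-default.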

343
MCQhard

A firewall is experiencing slow performance. The administrator runs 'show counter global' and sees that the 'flow_aged_error_tcp_mss' counter is incrementing rapidly. What does this indicate?

A.The firewall is experiencing a SYN flood attack.
B.TCP sessions are being terminated due to MSS clamping issues.
C.There is a routing loop causing packet retransmission.
D.The firewall's hardware acceleration is failing.
AnswerB

This counter increments when the firewall actively closes sessions due to MSS mismatch.

Why this answer

The 'flow_aged_error_tcp_mss' counter increments when the firewall ages out TCP sessions due to TCP MSS (Maximum Segment Size) clamping issues. This occurs when the firewall modifies the MSS value in SYN packets to avoid fragmentation, but the actual path MTU is smaller than the clamped MSS, causing the session to be terminated prematurely. The rapid increment indicates that MSS clamping is misconfigured or the path MTU is inconsistent, leading to session failures.

Exam trap

The trap here is that candidates confuse 'flow_aged_error_tcp_mss' with general TCP session drops or attacks, but the counter specifically points to MSS clamping misconfiguration, not a flood or routing issue.

How to eliminate wrong answers

Option A is wrong because a SYN flood attack would be indicated by counters like 'flow_aged_error_tcp_syn_flood' or 'flow_tcp_syn_flood_drop', not by MSS-related aging errors. Option C is wrong because a routing loop causes packet retransmission and would be tracked by counters such as 'flow_aged_error_tcp_retransmit' or 'flow_tcp_retransmit', not by MSS-specific errors. Option D is wrong because hardware acceleration failure would manifest as high CPU usage or counters like 'flow_hw_accel_fail', not as TCP MSS aging errors.
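Reading raw values from 'show counter global' is rarely useful; what matters is which counters are moving and how fast. On the firewall, 'show counter global filter delta yes severity drop' does that for you. For snapshots already saved to files, for example from a tech-support bundle, the added example below does the same offline. It is not Palo Alto Networks code: the two snapshots are constructed text in the command's column layout, the counter names are ones commonly seen in that output but the numbers are made up, and the sampling interval is assumed to be 10 seconds.

```python
"""Delta and rate computation over two 'show counter global' snapshots (added example).

Not Palo Alto Networks code. The two snapshots are constructed text in the
column layout of the command's output (name, value, rate, severity, category,
aspect, description); the numbers are made up and the 10-second interval is
an assumption.
"""
import re

COUNTER_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)(?:\s+(?P<desc>.*))?$"
)

SNAPSHOT_T0 = """\
Global counters:
Elapsed time since last sampling: 10.002 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------
pkt_recv                             1000000   100000 info      packet    pktproc   Packets received
session_allocated                      50000        5 info      session   resource  Sessions allocated
flow_policy_deny                          50        0 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                    120        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
"""

SNAPSHOT_T1 = """\
Global counters:
Elapsed time since last sampling: 10.001 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------
pkt_recv                             1500000   100000 info      packet    pktproc   Packets received
session_allocated                      50000        0 info      session   resource  Sessions allocated
flow_policy_deny                          55        0 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                   3120      300 drop      flow      session   Packets dropped: non-SYN TCP without session match
"""


def parse_counters(text: str) -> dict:
    """Map counter name -> fields. Header, blank and separator lines never match the regex."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m["name"]] = {
                "value": int(m["value"]),
                "severity": m["severity"],
                "category": m["category"],
                "aspect": m["aspect"],
                "desc": m["desc"] or "",
            }
    return counters


def counter_deltas(before: dict, after: dict, interval_s: float, severity=None):
    """Counters that grew between the snapshots, with per-second rate, largest delta first.
    severity (e.g. "drop") restricts the output the way the CLI filter does."""
    rows = []
    for name, a in after.items():
        b = before.get(name)
        if b is None or (severity and a["severity"] != severity):
            continue
        delta = a["value"] - b["value"]
        if delta > 0:
            rows.append((name, delta, delta / interval_s, a["desc"]))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    t0, t1 = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for name, delta, rate, desc in counter_deltas(t0, t1, 10.0, severity="drop"):
        print(f"{name:28s} +{delta:<7d} {rate:8.1f}/s  {desc}")
```

A non-SYN TCP drop counter climbing at hundreds per second while sessions are not being allocated is the classic signature of the firewall seeing only one direction of a flow, which is worth checking before blaming any single counter named in a question.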

344
MCQhard

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

A.The tunnel interface is not in a virtual router.
B.The firewall does not have a route to the virtual IP pool.
C.The security policy does not allow traffic from the VPN zone.
D.The IP pool for the VPN client is exhausted.
AnswerB

Without a route for the virtual IP pool, the firewall cannot route return traffic to the tunnel interface.

Why this answer

When a GlobalProtect gateway uses an IPSec tunnel, the client receives an IP address from a virtual IP pool assigned to the tunnel interface. If the firewall lacks a route to that virtual IP pool, return traffic from internal resources cannot reach the client, even though the tunnel is established and the client has an IP. This is a common misconfiguration because the tunnel interface itself does not automatically inject a route for the pool into the virtual router.

Exam trap

The trap here is that candidates assume a successful tunnel establishment and IP assignment guarantee connectivity, overlooking the separate requirement for a return route to the virtual IP pool.

How to eliminate wrong answers

Option A is wrong because the tunnel interface must be assigned to a virtual router for the IPSec tunnel to establish and for the client to receive an IP address; if it were missing, the tunnel would not come up. Option C is wrong because security policies are evaluated after routing, and if there is no route to the virtual IP pool, traffic will be dropped before reaching the policy engine, so the policy is not the primary cause. Option D is wrong because if the IP pool were exhausted, the client would not receive an IP address and would fail to connect entirely, but the question states the client does receive an IP address.

345
MCQhard

Refer to the exhibit. An administrator has configured this decryption policy but users in the 10.1.1.0/24 subnet receive certificate warnings when accessing HTTPS sites. What is the most likely cause?

A.The rule should be at the top of the rulebase
B.The destination address should be specific
C.The application should be web-browsing
D.The decryption certificate is not trusted by clients
AnswerD

Clients must trust the firewall's CA certificate for seamless decryption; otherwise, certificate warnings appear.

Why this answer

Option D is correct because certificate warnings occur when the decryption certificate used by the firewall is not trusted by the client machines. In a forward proxy decryption scenario, the firewall generates a new certificate on-the-fly for each HTTPS session, and if that certificate is not installed in the client's trusted root store, the browser will display a security warning. This is the most common cause of certificate warnings in decryption deployments.

Exam trap

Palo Alto Networks often tests the distinction between rule configuration issues (like order or application matching) and certificate trust issues, leading candidates to focus on policy settings rather than the fundamental requirement that clients must trust the decryption CA.

How to eliminate wrong answers

Option A is wrong because rule order affects which rule matches traffic, but moving the rule to the top would not resolve certificate trust issues; the warning is caused by the certificate itself, not by rule precedence. Option B is wrong because making the destination address more specific would only narrow the scope of decryption, but the certificate warning would still occur for any traffic that matches the rule if the certificate is not trusted. Option C is wrong because the application 'web-browsing' is typically used for HTTP/HTTPS traffic, but the decryption policy already uses 'ssl' as the service, which correctly identifies HTTPS traffic; changing the application would not address the certificate trust problem.

346
MCQeasy

A small company has two sites connected by a policy-based IPsec VPN. Users at Site B report they cannot reach a server at Site A with IP 10.1.1.100. The firewall administrator checks the VPN monitor and sees the tunnel is active and IKE SAs are up. From the Site B firewall, a ping to 10.1.1.100 succeeds. However, a user on a PC (192.168.50.10) behind the Site B firewall cannot ping 10.1.1.100. The security policy on the Site B firewall allows traffic from trust to VPN zones. What is the most likely cause of the issue?

A.The security policy on Site B does not include the user subnet as a source VPN zone traffic
B.NAT is translating the user's IP to an incorrect address
C.The IPsec tunnel has a misconfigured proxy ID
D.The Site A firewall has a route missing for the Site B user subnet
AnswerA

The policy must have the correct source zone (trust) and destination zone (VPN) and include the user subnet.

Why this answer

Option A is correct because, in addition to the tunnel being up, the user's subnet must be matched by a security policy from the trust zone to the VPN zone; a general trust-to-VPN rule may exist but still not include 192.168.50.0/24 as a source. Option C is incorrect because the tunnel is up and the firewall itself reaches 10.1.1.100 through it. Option B is incorrect because NAT does not normally apply to trust-to-VPN traffic, and a mistranslated source would be visible in the session table.

Option D is incorrect because the Site B firewall's ping succeeds, so routing toward Site A works. Two practical checks: look up the PC's session in the traffic log to see which rule it matched, and repeat the ping from the firewall with the trust interface as the source (for example 'ping source 192.168.50.1 host 10.1.1.100', assuming 192.168.50.1 is the trust interface address), because a ping sourced from the firewall's tunnel or egress address does not exercise the same policy, NAT or proxy-ID path as the user's traffic.

347
MCQeasy

A healthcare organization recently replaced their primary internet circuit and changed the next-hop IP for the default route from 203.0.113.1 to 198.51.100.1. After the change, all internet traffic is failing. The firewall is a PA-220 running PAN-OS 9.1. The administrator verifies that the new default route is present in the virtual router and that the security policies are unchanged. The IP address configuration on the ethernet interface is correct and the link is up. When pinging 8.8.8.8 from the firewall's management interface, it succeeds. But traffic from internal hosts fails. The traffic log shows 'drop' with reason 'route - no route to host'. What is the most likely cause?

A.The default route is not in the same virtual router as the internal zones.
B.The new internet circuit does not allow ICMP.
C.The internal hosts have incorrect DNS settings.
D.The ARP table for the gateway is stale.
AnswerA

If internal zones are in a different VR, traffic from them cannot use the default route, resulting in no route to host.

Why this answer

Option A is correct because the default route was added to one virtual router while the interfaces behind the internal zones belong to another. Route lookup happens in the virtual router that owns the ingress interface, so internal traffic never sees the new default route and is dropped with 'no route to host'. The management interface has its own routing table, which is why pinging 8.8.8.8 from it still succeeds.
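The per-virtual-router lookup that produces 'no route to host' is simple to model. The following is an added example, not PAN-OS code: VirtualRouter, Route and lookup() are a hypothetical simplification with longest-prefix matching per VR and a 'next VR' static route, which is the mechanism PAN-OS offers to hand traffic from one virtual router to another. The topology (vr-internal with subnet 10.10.0.0/16 on ethernet1/2, vr-internet holding the new default route via 198.51.100.1 on ethernet1/1) is constructed for the example; only the next-hop address comes from the question.

```python
"""Longest-prefix route lookup per virtual router (added example, not PAN-OS code).

Models why a default route placed in the wrong virtual router yields the
'route - no route to host' drop. VirtualRouter, Route and the next-vr handling
are a hypothetical simplification; PAN-OS does support a static route whose
next hop is another virtual router, which is what the fix below uses. The
topology is constructed; only 198.51.100.1 comes from the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None   # egress interface, or None for next-vr routes
    next_hop: Optional[str] = None    # IP next hop, or None for connected routes
    next_vr: Optional[str] = None     # hand the packet to another virtual router


class VirtualRouter:
    def __init__(self, name, routes=()):
        self.name = name
        self.routes = list(routes)

    def add(self, route):
        self.routes.append(route)

    def best(self, dst) -> Optional[Route]:
        """Longest matching prefix wins; None means 'no route to host' in this VR."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def lookup(vrs: dict, vr_name: str, dst: str, max_hops: int = 4):
    """Resolve dst starting in the VR that owns the ingress interface, following
    next-vr routes. Returns (vr, interface, next_hop), or None when dropped."""
    for _ in range(max_hops):
        route = vrs[vr_name].best(dst)
        if route is None:
            return None
        if route.next_vr:
            vr_name = route.next_vr
            continue
        return vr_name, route.interface, route.next_hop
    return None  # next-vr loop guard


def build_scenario(fixed: bool) -> dict:
    # Constructed topology: the new ISP default route sits only in vr-internet.
    internet = VirtualRouter("vr-internet", [
        Route(ipaddress.ip_network("198.51.100.0/30"), interface="ethernet1/1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), interface="ethernet1/1", next_hop="198.51.100.1"),
    ])
    internal = VirtualRouter("vr-internal", [
        Route(ipaddress.ip_network("10.10.0.0/16"), interface="ethernet1/2"),
    ])
    if fixed:
        # The fix: a default route in vr-internal whose next hop is the other VR.
        internal.add(Route(ipaddress.ip_network("0.0.0.0/0"), next_vr="vr-internet"))
    return {vr.name: vr for vr in (internet, internal)}


if __name__ == "__main__":
    print("broken:", lookup(build_scenario(False), "vr-internal", "8.8.8.8"))  # None
    print("fixed: ", lookup(build_scenario(True), "vr-internal", "8.8.8.8"))
```

The same model explains the management-plane ping in the question: the management interface is not in either VR, so its success says nothing about dataplane routing.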

348
MCQmedium

Refer to the exhibit. A network engineer notices that logs for this rule are not being forwarded to the external syslog server. The syslog server profile is configured correctly. What is the most likely cause?

A.The log-setting profile "syslog-forwarding-profile" is missing from the Log Forwarding profiles configuration.
B.The rule does not specify a destination zone.
C.The log-start is set to no, preventing session start logs from being generated.
D.The application web-browsing does not generate logs.
AnswerA

The referenced Log Forwarding profile must be defined to enable forwarding.

Why this answer

The rule references a log-setting profile named "syslog-forwarding-profile". If this profile is not defined under Objects > Log Forwarding, logs will not be forwarded regardless of the server profile configuration. Option A is correct.

Option C is incorrect because log-end is set to yes, so session end logs are still generated and forwarded. Option B is incorrect because a destination zone is not required for logging. Option D is incorrect because the web-browsing application does generate logs.

349
MCQeasy

A firewall is experiencing performance issues. The administrator wants to collect diagnostic data for TAC analysis. Which command generates a comprehensive support file?

A.debug system dump
B.show system resources
C.show log system
D.generate tech-support file
AnswerD

This creates a support file in the opt directory.

Why this answer

The 'generate tech-support file' command collects a comprehensive archive of system logs, configuration, resource utilization, and diagnostic data into a single file, which is the standard method for providing TAC with the necessary information to analyze performance issues. This command is specifically designed for troubleshooting and support scenarios, unlike other commands that only capture partial or real-time data.

Exam trap

Palo Alto Networks often tests the distinction between commands that provide real-time snapshots (like 'show system resources') versus commands that generate a comprehensive diagnostic archive (like 'generate tech-support file'), leading candidates to mistakenly choose a command that only shows current state rather than the full dataset needed for TAC analysis.

How to eliminate wrong answers

Option A is wrong because 'debug system dump' is not a valid command on Palo Alto Networks firewalls; the correct command for generating a core dump or debug data is 'debug system core-dump', and it does not produce a comprehensive support file. Option B is wrong because 'show system resources' only displays current CPU, memory, and disk usage in real-time, which is insufficient for TAC analysis as it lacks historical logs, configuration, and other diagnostic data. Option C is wrong because 'show log system' only displays system logs from the log buffer or disk, but it does not include configuration, resource snapshots, or other critical diagnostic information needed for a full TAC investigation.

350
MCQmedium

In an Active/Passive HA pair, which statement is true regarding configuration synchronization?

A.Configuration is not synced automatically; the administrator must export and import.
B.Only committed changes on the active are synced to the passive.
C.All configuration changes on the active peer are automatically synced to the passive.
D.The passive peer initiates the sync.
AnswerB

Configuration is synced after a commit operation.

Why this answer

In an Active/Passive HA pair, configuration synchronization occurs only after changes are committed on the active firewall. The passive peer then receives the committed configuration via the HA control link (using TCP port 2928 by default). This ensures that only validated, committed changes are propagated, preventing the passive from receiving uncommitted or partial configurations that could cause instability.

Exam trap

The trap here is that candidates often assume all configuration changes (including uncommitted candidate changes) are synced in real time, but Palo Alto Networks only syncs committed configurations to maintain consistency and prevent partial or broken configurations from being applied to the passive peer.

How to eliminate wrong answers

Option A is wrong because configuration synchronization in Active/Passive HA is automatic after a commit on the active peer, not requiring manual export/import. Option C is wrong because not all changes are synced automatically; only committed changes are synced—uncommitted changes (e.g., pending candidate config) are not propagated to the passive. Option D is wrong because the active peer initiates the sync after a commit, not the passive; the passive passively receives the configuration updates.

351
MCQhard

A network engineer is deploying a new firewall to inspect traffic between two VLANs. The requirement is to block all traffic except HTTP and HTTPS from the internal network to a specific web server in the DMZ. The engineer applies a security policy with the following configuration: source zone Internal, destination zone DMZ, source address internal_subnet, destination address web_server, application set to 'web-browsing' and 'ssl', and action set to 'allow'. However, users report that they cannot access the web server. Which change must be made to the policy to resolve the issue?

A.Add the service objects for HTTP (tcp/80) and HTTPS (tcp/443) to the rule
B.Configure source NAT on the internal zone
C.Create a separate rule for HTTP and another for HTTPS
D.Move the security policy rule to a higher priority in the rulebase
AnswerA

While applications are defined, the firewall may need explicit service binding to ensure the traffic matches; in some scenarios, the application set alone may not be enough if the web server uses non-standard ports or if the application is not fully decoded.

Why this answer

The policy allows traffic based on application signatures ('web-browsing' and 'ssl'), but the firewall must also match the service (TCP ports 80 and 443) to correctly identify and permit the traffic. Without explicit service objects, the firewall may not properly associate the application traffic with the allowed ports, causing the traffic to be blocked. Adding service objects for HTTP and HTTPS ensures the policy matches both the application and the expected ports, resolving the access issue.

Exam trap

The trap here is that candidates assume application-based policies automatically permit traffic on the standard ports for those applications, but Palo Alto firewalls require explicit service objects to match the transport layer ports, even when using App-ID.

How to eliminate wrong answers

Option B is wrong because source NAT is not required for traffic between VLANs within the same firewall; it is used to translate private IPs to routable addresses for external networks, not to permit traffic. Option C is wrong because a single rule can contain multiple applications (web-browsing and ssl) and services; separate rules are unnecessary and would not fix the underlying issue of missing service objects. Option D is wrong because rule priority affects order of evaluation but does not change the fact that the policy lacks the required service objects; moving it higher would not make the traffic match if the service condition is missing.

352
Multi-Selecteasy

Which TWO of the following are required to configure a Palo Alto Networks firewall for centralized management by Panorama?

Select 2 answers
A.Configure a pre-shared key for authentication.
B.Ensure the management interface IP is reachable from Panorama.
C.Enable the XML API on the firewall.
D.Add the firewall's serial number to Panorama.
E.Define a device group in Panorama.
AnswersB, D

Panorama needs IP connectivity to the firewall's management interface.

Why this answer

Option D is correct because the firewall's serial number must be added to Panorama for identification. Option B is correct because the management interface must be reachable from Panorama to establish communication. Option C is not required; the XML API is not necessary for basic management.

Option A is not required; a shared secret is not mandatory (a certificate or a pre-shared key can be used, but neither is a prerequisite). Option E is not required; a device group is used for grouping but is not a prerequisite for management.

353
MCQmedium

A company uses GlobalProtect with internal gateways for accessing data center resources. Users on the internal network should not use the VPN. What is the best practice configuration?

A.Use the same portal for both internal and external with a single gateway.
B.Use the Internal Gateway with a pre-logon check.
C.Set the gateway to require internal client detection via IP range exclusion.
D.Disable the GlobalProtect agent for internal IP ranges.
AnswerB

Correct. Internal Gateway automatically detects internal connectivity and skips VPN.

Why this answer

The GlobalProtect internal gateway feature allows the agent to detect when the user is inside the corporate network and bypass tunnel establishment.

354
MCQmedium

An engineer notices that the HA pair is not synchronizing configuration changes. The 'show high-availability sync-status' output shows 'sync-failure'. What is the first step to troubleshoot?

A.Verify HA1 link status and IP connectivity between peers
B.Disable preemption on the active firewall
C.Check the HA2 link session synchronization status
D.Reboot both firewalls to clear the failure
AnswerA

HA1 is used for configuration synchronization.

Why this answer

Option A is correct because the first step is to check HA1 link connectivity, as configuration sync uses HA1. Option C is wrong because HA2 is for session data sync, not configuration sync. Option D is wrong because rebooting should only be considered after connectivity has been checked.

Option B is wrong because preemption concerns the active/passive role, not configuration sync.

355
MCQeasy

To reduce the number of authentication prompts for users accessing multiple applications through the firewall, which configuration is recommended?

A.Increase the authentication timeout value
B.Enable session cookies in the authentication policy
C.Use certificate-based authentication
D.Disable authentication for commonly used applications
AnswerB

Session cookies maintain authentication state and reduce prompts.

Why this answer

Option B is correct because enabling session cookies allows users to skip re-authentication for a set duration. Option C is incorrect because certificate-based authentication requires certificates on all devices. Option A is incorrect because increasing the authentication timeout still requires an initial authentication per session.

Option D is incorrect because disabling authentication for certain apps defeats the purpose.

356
MCQhard

During a Panorama upgrade from version 9.0 to 9.1, the administrator notices that the commit fails on one of the managed firewalls with the error: 'Mismatched content version'. What is the most likely cause?

A.The administrator forgot to push dynamic updates before the upgrade.
B.The firewall has an incompatible version of content updates installed.
C.The firewall is not licensed for the new Panorama version.
D.The firewall's software version is not compatible with Panorama 9.1.
AnswerB

Panorama 9.1 requires a minimum content version on managed firewalls; if not met, commit fails.

Why this answer

Option B is correct because the 'Mismatched content version' error occurs when the content (threat/application) version on the firewall is not compatible with the Panorama version being used. During a Panorama upgrade, the content version database format may change, and if the firewall has an older or incompatible content update installed, Panorama cannot validate the commit. This typically requires updating the firewall's content version to match the Panorama version's supported content database.

Exam trap

The trap here is that candidates often confuse 'content version mismatch' with 'PAN-OS version mismatch' or assume it is a licensing issue, but the error specifically points to the content database version incompatibility, not the base software version or license status.

How to eliminate wrong answers

Option A is wrong because forgetting to push dynamic updates before the upgrade would not cause a 'Mismatched content version' error; it might cause missing threat signatures or outdated content, but the error specifically indicates a version incompatibility, not a missing push. Option C is wrong because licensing issues for Panorama would typically result in license validation errors or feature restrictions, not a content version mismatch during commit. Option D is wrong because a firewall software version incompatibility with Panorama 9.1 would produce a 'Software version mismatch' or 'Incompatible PAN-OS version' error, not a content version mismatch; the error is specifically about content updates, not the base PAN-OS version.

357
MCQhard

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

A.The portal service is not running
B.The portal's IP address is not routable from the internet
C.The portal certificate's subject name does not match the portal URL
D.The client does not trust the certificate authority that signed the portal certificate
AnswerD

The TLS handshake fails because the client cannot verify the server certificate.

Why this answer

The firewall log shows 'TLS handshake failed', which indicates that the SSL/TLS negotiation between the GlobalProtect client and the portal failed. Since users can reach the portal's IP address from the internet, the issue is not network connectivity but certificate validation. The most common cause is that the client does not trust the internal CA that signed the portal certificate, so the client rejects the certificate during the TLS handshake, causing the failure.

Exam trap

The trap here is that candidates often confuse a certificate name mismatch (subject name vs. URL) with a trust issue, but the 'TLS handshake failed' log entry specifically points to a failure in the certificate chain validation, not a name mismatch, which would produce a different error or warning.

How to eliminate wrong answers

Option A is wrong because if the portal service were not running, the connection would fail at a lower level (e.g., TCP connection refused or timeout), not specifically with a 'TLS handshake failed' log entry. Option B is wrong because the scenario explicitly states that users can reach the portal's IP address from the internet, so the IP is routable and connectivity exists. Option C is wrong because a subject name mismatch would typically cause a browser warning or a 'certificate name mismatch' error, not a generic 'TLS handshake failed' log entry; the TLS handshake can still complete if the client trusts the CA, even if the name doesn't match, though the client may then disconnect.

358
MCQhard

Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?

A.IKE Phase 1 proposal mismatch.
B.Preshared key mismatch.
C.IKE Phase 2 proposal mismatch.
D.Invalid peer IP address.
AnswerC

Correct. The warning explicitly states Phase 2 negotiation failed.

Why this answer

The log indicates Phase 2 negotiation failed due to no acceptable proposal set. This points to a mismatch in IPSec parameters (e.g., encryption, authentication, lifetime).

359
MCQhard

A medium-sized enterprise has a PA-3220 firewall deployed in a data center with two ISPs (ISP-A and ISP-B) for redundancy. The firewall is configured with two virtual routers: VR-Trust for internal networks and VR-Untrust for external connections. Each ISP is connected to a separate physical interface (ethernet1/1 for ISP-A, ethernet1/2 for ISP-B) and both are placed in VR-Untrust with static default routes. The internal network uses 10.0.0.0/16. The firewall has a security policy that allows all outbound traffic from internal to external. Recently, users have reported that internet access is slow during peak hours. The administrator checks the dataplane CPU and sees it averaging 80-90%. The session count is 200,000 out of a maximum of 500,000. The administrator also notices that the firewall is using only ISP-A for all outbound traffic, even though both ISPs have equal bandwidth. The administrator wants to reduce CPU usage and utilize both ISP links. Which action should the administrator take?

A.Configure ECMP on VR-Untrust with source IP hash load balancing
B.Increase the maximum session limit to 1,000,000
C.Disable logging for all security policies
D.Configure the firewall to use active/passive ISP failover
AnswerA

ECMP distributes traffic across both ISPs, reducing CPU load.

Why this answer

The administrator needs to reduce CPU usage and utilize both ISP links. Configuring ECMP (Equal-Cost Multi-Path) on VR-Untrust with source IP hash load balancing allows the firewall to distribute outbound traffic across both ISP links based on the source IP hash, which spreads sessions across multiple paths without requiring policy-based forwarding. This reduces the load on a single link and can help lower CPU utilization by balancing the session processing load across both interfaces, as the firewall can use multiple next hops for the same destination.

Exam trap

The trap here is that candidates may confuse ECMP with active/passive failover, thinking that redundancy alone solves load issues, but ECMP is required for active-active load sharing across equal-cost paths.

How to eliminate wrong answers

Option B is wrong because increasing the maximum session limit to 1,000,000 does not address the high CPU usage or the underutilization of ISP-B; it only allows more sessions, which could worsen CPU load. Option C is wrong because disabling logging for all security policies may reduce CPU overhead slightly but does not solve the core issue of single-link usage and would compromise security monitoring. Option D is wrong because configuring active/passive ISP failover would keep only one ISP active at a time, failing to utilize both links for load sharing and not reducing CPU usage from the active link's overload.

360
MCQmedium

A large enterprise uses Panorama to manage 100+ firewalls. The security team wants to deploy a new security policy rule to block a specific application across all firewalls. The rule must be placed before the existing rules. The administrator creates the rule in the appropriate rulebase in the device group and pushes. However, the rule appears at the end of the rulebase on the managed firewalls. What is the most likely cause?

A.The firewall's local rulebase overrides the Panorama rule.
B.The rule was created in a pre-rulebase instead of post-rulebase.
C.The rule was added to a different device group.
D.The rule ordering was not adjusted in the device group.
AnswerD

The rule must be moved to the desired position using the Panorama rule ordering interface.

Why this answer

Option D is correct because when adding a rule via Panorama, the rule order must be explicitly set using drag-and-drop or the ordering options. If the administrator did not adjust the order, the rule is appended at the end. Option B is incorrect because pre-rules are placed before local rules, but ordering within the pre-rulebase still applies.

Option A is incorrect because Panorama rules take precedence over local rules unless local rules are configured to override. Option C is incorrect because the rule was created in the correct device group (as stated).

361
MCQmedium

Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?

A.The firewall's SSL/TLS service profile does not include the cipher suites used by the clients or servers.
B.The firewall is overloaded and cannot handle more decryption sessions.
C.The decryption certificate is not trusted by clients.
D.There is a network connectivity issue between firewall and servers.
AnswerA

Most bypasses are due to unsupported ciphers.

Why this answer

The majority of bypassed sessions are most likely caused by a cipher mismatch between the firewall's SSL/TLS service profile and the clients or servers. When the firewall decrypts traffic, it must negotiate a cipher suite that both the client and server support; if the service profile does not include the cipher suites used by the endpoints, the firewall cannot complete the SSL/TLS handshake and bypasses the session. This is a common misconfiguration in Palo Alto Networks firewalls where the SSL/TLS service profile's cipher list is too restrictive.

Exam trap

The trap here is that candidates often confuse 'bypassed sessions' with 'decryption failures' due to certificate issues or network problems, but bypassed sessions specifically indicate the firewall intentionally skipped decryption due to configuration mismatches like cipher or protocol version incompatibility.

How to eliminate wrong answers

Option B is wrong because firewall overload typically results in session drops or resource exhaustion errors, not a high percentage of bypassed sessions; bypassed sessions indicate the firewall intentionally skipped decryption due to policy or configuration issues, not capacity limits. Option C is wrong because an untrusted decryption certificate causes client-side certificate warnings or connection failures, not bypassed sessions; bypassed sessions occur when the firewall cannot decrypt, not when the client rejects the certificate. Option D is wrong because a network connectivity issue between the firewall and servers would cause session timeouts or connection resets, not bypassed sessions; bypassed sessions are logged when the firewall decides not to decrypt, not when it cannot reach the server.

362
MCQmedium

A remote user is unable to connect to the GlobalProtect gateway. The user's client shows 'Connecting' but never establishes a tunnel. The firewall shows no drops in the GlobalProtect logs. Which of the following should be checked first?

A.Verify that the GlobalProtect portal is reachable from the internet.
B.Check if the user's authentication credentials are correct.
C.Confirm that the user's client is on the same subnet as the gateway.
D.Ensure the gateway's certificate is trusted by the client machine.
AnswerD

If the client does not trust the gateway certificate, the SSL handshake fails and the connection never establishes.

Why this answer

Option D is correct because the gateway certificate is crucial for the SSL/TLS handshake; if the client does not trust it, the connection fails silently. Option A is wrong because the portal is not involved in gateway tunnel establishment. Option C is wrong because a remote-access client can still connect without being on the internal network or the gateway's subnet.

Option B is wrong because credentials should be checked after the certificate trust issue has been ruled out.

363
MCQmedium

A security team is implementing SSL Decryption. They want to ensure that traffic to health-related websites is not decrypted due to privacy concerns. Which method should they use to exclude this traffic?

A.Use a source IP address exclusion list in the decryption policy.
B.Disable decryption for all sites that use certificate pinning.
C.Add the domain names to a custom URL category and create a no-decryption rule matching that category.
D.Configure a decryption profile to exclude traffic based on App-ID.
AnswerC

This approach precisely excludes specific sites from decryption while allowing decryption for others.

Why this answer

Option C is correct because Palo Alto Networks firewalls allow you to create custom URL categories containing specific domain names (e.g., health-related sites) and then reference that category in a decryption policy rule set to 'no-decrypt'. This ensures traffic matching those domains is excluded from SSL decryption, addressing privacy concerns without affecting other traffic.

Exam trap

The trap here is that candidates often confuse App-ID with URL filtering, thinking App-ID can selectively exclude traffic based on domain names, but App-ID operates at the application layer and cannot parse individual URLs within encrypted sessions without decryption.

How to eliminate wrong answers

Option A is wrong because source IP address exclusion lists in decryption policy only exclude traffic based on IP addresses, not domain names; health-related websites often use CDNs or load balancers with dynamic IPs, making IP-based exclusion impractical and incomplete. Option B is wrong because disabling decryption for all sites that use certificate pinning is a broad, security-weakening approach that would exclude many non-health sites and is not a precise method for excluding specific health-related domains. Option D is wrong because App-ID identifies applications (e.g., web-browsing, SSL) but cannot distinguish between specific domain names within an encrypted session; it cannot selectively exclude traffic to health-related websites based on URL or domain.

364
MCQhard

In an HA active/passive setup, the engineer wants to ensure that during a failover, existing FTP data sessions are not interrupted. What additional configuration is required beyond default session synchronization?

A.Use HA3 link for session synchronization
B.Enable asymmetric routing support
C.Enable UDP session synchronization
D.Configure an application layer gateway (ALG) for FTP
AnswerD

ALG ensures FTP control and data sessions remain intact.

Why this answer

Option D is correct because FTP is an application-layer protocol that requires ALG support; session sync alone does not handle FTP data connections. Option B is wrong because asymmetric routing is not related. Option C is wrong because UDP session sync is not needed for FTP.

Option A is wrong because HA3 is for packet forwarding, not session sync.

365
Multi-Selectmedium

Which TWO of the following are true regarding Panorama's templates and device groups?

Select 2 answers
A.Device groups can only contain firewalls of the same model.
B.Templates are used to push network configurations such as interfaces, virtual routers, and zones.
C.Templates override device group settings when both are applied.
D.Panorama cannot manage firewalls in different geographic locations.
E.Shared policies are defined in the 'Shared' device group and are inherited by all other device groups.
AnswersB, E

Templates are for network settings.

Why this answer

Option B is correct because templates in Panorama are specifically designed to manage network-level configurations, including interfaces, virtual routers, zones, and other data-plane settings. This separation allows administrators to apply consistent network settings across multiple firewalls while using device groups for policy-based configurations.

Exam trap

The trap here is confusing the roles of templates and device groups, leading candidates to think templates override device group settings or that device groups are model-specific, when in fact they are independent configuration layers with different purposes.

366
MCQeasy

A network administrator wants to verify if a specific internal IP address (10.1.1.100) is being translated to a public IP when accessing the internet. Which CLI command should be used?

A.show running nat-policy
B.show session all filter source 10.1.1.100
C.show nat rule
D.show address 10.1.1.100
AnswerB

This command displays all active sessions from the specified source, including NAT source and destination translations.

Why this answer

Option B is correct because 'show session all filter source 10.1.1.100' displays all sessions originating from that IP, including NAT translations. Option A shows the running configuration of NAT rules, not active translations. Option C shows NAT rules but not active translations.

Option D shows address objects but not active translations.

367
MCQhard

An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?

A.The firewall's App-ID identified the traffic as a different application than the one specified in the rule
B.The application is not recognized by the firewall and is treated as unknown
C.The security rule is not configured to allow any application
D.The firewall's SSL decryption is misconfigured
AnswerA

The firewall uses App-ID to identify traffic; if the application detected does not match the rule's allowed application, the session is denied.

Why this answer

The 'application mismatch' log reason indicates that the firewall's App-ID engine identified the traffic as a different application than the one specified in the security rule. Even though the rule allows the application you intended, the actual traffic does not match that App-ID signature, so the session is denied. This is a common scenario when the application classification does not align with the rule's application object.

Exam trap

The trap here is that candidates often assume 'application mismatch' means the application is unknown or unsupported, but it specifically means the traffic was identified as a different application than what the rule expects, highlighting the importance of verifying App-ID results versus rule configuration.

How to eliminate wrong answers

Option B is wrong because 'application mismatch' is a specific denial reason that occurs when the traffic is recognized but as a different application, not when it is unknown (unknown traffic would show 'unknown-tcp' or 'incomplete' App-ID). Option C is wrong because the scenario explicitly states the security policy allows the application, so the rule is configured to allow an application; the issue is a mismatch, not a missing 'any' application. Option D is wrong because SSL decryption misconfiguration would cause decryption errors or 'ssl-decrypt' related drops, not an 'application mismatch' denial; App-ID can still match encrypted traffic based on metadata or SNI.

368
MCQmedium

The security policy rule shown in the exhibit has log-start and log-end both set to 'no', but a log-forwarding profile is configured. Which statement best describes the logging behavior for sessions matching this rule?

A.Sessions are logged only if the session duration exceeds a threshold.
B.Sessions are logged to Panorama immediately when the session starts.
C.Sessions are not logged because logging is disabled.
D.Sessions are logged to Panorama only when the session ends.
AnswerC

Without log-start or log-end, no logs are generated, so forwarding does nothing.

Why this answer

When both log-start and log-end are set to 'no' in a security policy rule, session logging is disabled regardless of any log-forwarding profile attached. The log-forwarding profile only specifies where logs are sent if logging is enabled; it does not override the explicit logging disable. Therefore, no session logs are generated for this rule.

Exam trap

The trap here is that candidates assume a log-forwarding profile overrides the log-start/log-end settings, but in PAN-OS, the profile only forwards logs that are already enabled by those flags.

How to eliminate wrong answers

Option A is wrong because there is no threshold-based logging behavior in PAN-OS; logging is either enabled or disabled per rule. Option B is wrong because log-start being set to 'no' means no logs are generated at session start, and the log-forwarding profile cannot enable logging on its own. Option D is wrong because log-end being set to 'no' prevents end-of-session logging, and the log-forwarding profile does not activate logging when logging is disabled.

369
MCQhard

Refer to the exhibit. An active/active HA pair shows the local firewall as active-secondary. The last failover reason is 'path-group-down'. What should the administrator investigate first?

A.Inspect the session table for asymmetric routing between the firewalls.
B.Verify the link status of interface ethernet1/2 and its association with the path monitoring group.
C.Ensure the HA2 link is properly connected and firewalls can synchronize sessions.
D.Check the HA priority settings to ensure the local firewall should be active-secondary.
AnswerB

The link is down, and if it is used for path monitoring, it could cause the path group to go down.

Why this answer

The 'path-group-down' failover reason indicates that the firewall detected a failure in a monitored path group, which is associated with specific interfaces. Option B is correct because the administrator should first verify the link status of interface ethernet1/2 and its association with the path monitoring group, as this directly addresses the root cause of the failover trigger. Path monitoring is used to detect upstream connectivity loss and can cause a firewall to transition to active-secondary if the monitored path fails.

Exam trap

The trap here is that candidates often confuse 'path-group-down' with HA link failures or session synchronization issues, leading them to investigate HA2 links or session tables instead of the specific interface and path monitoring configuration.

How to eliminate wrong answers

Option A is wrong because asymmetric routing between firewalls would typically cause session setup failures or session timeouts, not a 'path-group-down' failover reason; path monitoring is independent of session table symmetry. Option C is wrong because the HA2 link is used for session synchronization and state propagation, and a 'path-group-down' failover is triggered by path monitoring, not by HA2 link failure; an HA2 link failure is recorded with a reason that names the HA2 link rather than a path group. Option D is wrong because HA priority settings determine which firewall becomes active-primary or active-secondary during initial election or preemption, whereas the 'path-group-down' reason indicates a dynamic failover caused by a path monitoring event, not a priority mismatch.

370
Multi-Selectmedium

Which TWO of the following are mandatory requirements for forming an active/passive HA pair between two Palo Alto Networks firewalls? (Choose exactly two.)

Select 2 answers
A.Both firewalls must be the same hardware model.
B.Both firewalls must have the same number of active VLANs.
C.Both firewalls must run the same PAN-OS version.
D.Both firewalls must use the same management interface IP address.
E.Both firewalls must have identical license subscriptions.
AnswersA, C

Different models cannot form an HA pair, and the peers must run the same PAN-OS version.

Why this answer

Option A is correct because for an active/passive HA pair, both firewalls must be the same hardware model to ensure identical hardware resources (e.g., CPU, memory, ASICs) and port layouts. The HA synchronization process relies on matching hardware capabilities; a configuration that references ports or capacities the peer does not have cannot be synchronized. Option C is correct because configuration and session synchronization require both peers to run the same PAN-OS version; during an upgrade the pair is temporarily mismatched, which is why HA upgrades are done one peer at a time with synchronization suspended until both are on the new release. Option D is wrong because the management interfaces need distinct IP addresses (the HA1 control link can use the management port, but each peer still has its own address). Option B is wrong because the number of active VLANs is part of the configuration that HA synchronizes, not a prerequisite for forming the pair.

Exam trap

The trap here is that candidates often confuse 'same hardware model' with 'same number of active VLANs' or 'identical licenses.' For this question the expected answers are model and PAN-OS version. Be aware, however, that the official HA prerequisites also list the same multi-virtual-system capability, the same type of interfaces, and the same set of licenses (licenses are per firewall and are not shared across the pair), so if an exam question offers 'same licenses' as one of several plausible answers, rank it above configuration details such as VLAN count or management IP.

371
MCQeasy

A user reports that after SSL decryption was enabled, certain web applications fail to load completely. What is the most likely reason?

A.The URL is not allowed in the decryption policy.
B.The user's browser proxy settings are incorrect.
C.The application uses certificate pinning which rejects the firewall's decryption certificate.
D.The firewall's decryption is causing excessive latency.
AnswerC

Certificate pinning is a common cause of failure with SSL decryption.

Why this answer

Certificate pinning is a security mechanism where an application embeds the exact certificate, or the hash of the public key, of the server it expects to communicate with. When SSL Forward Proxy decryption is enabled, the firewall intercepts the TLS handshake and presents a certificate it generates on the fly for the requested server name, signed by the firewall's forward-trust CA. The application compares that certificate (or its key) against the pinned value, detects the mismatch, and aborts the connection, so the parts of the page that the pinned client fetches never load.

This is a common issue with applications that implement strict certificate pinning, such as banking apps, software-update clients and certain mobile applications. The practical check is the Decryption log (PAN-OS 10.0 and later) or a traffic log showing the session reset by the client immediately after the handshake; the usual fix is a no-decrypt rule for the affected destinations, in addition to the predefined SSL Decryption Exclusion list the firewall maintains for known pinned applications.

Exam trap

The trap here is that candidates often confuse certificate pinning with general certificate validation or assume that any decryption policy misconfiguration (like URL filtering) is the cause, rather than recognizing the specific application-level security mechanism that explicitly rejects the firewall's decryption certificate.

How to eliminate wrong answers

Option A is wrong because whether a URL category matches the decryption policy only controls whether decryption is applied to that traffic; if the traffic does not match a decrypt rule it is simply passed through encrypted, which does not cause partial loading failures. Option B is wrong because incorrect browser proxy settings would typically cause a complete failure to reach any HTTPS site, not selective failures with specific applications that begin exactly when SSL decryption is enabled. Option D is wrong because, while excessive latency can degrade performance, it would not cause web applications to fail to load completely; the failure is due to certificate validation rejection, not a timeout.

372
MCQmedium

A global company uses a pair of PA-220 firewalls in an active/passive HA configuration at its headquarters. The firewalls have multiple virtual routers and dozens of zones. Recently, a network upgrade changed the physical topology: a new switch was placed between the firewalls and the ISP routers. After the upgrade, the passive firewall continuously shows 'suspended' state. The HA control link (HA1) and data link (HA2) are on separate dedicated interfaces. The active firewall's logs show 'HA monitor peer unreachable' every few seconds. The engineer has verified IP connectivity between the HA interfaces using ping from the active firewall to the passive firewall's HA1 IP. What is the most likely cause of the HA state issue?

A.The HA2 link is misconfigured or unplugged
B.The new switch introduces latency or jitter that exceeds the HA keepalive timeout
C.The session table on the active firewall is full, preventing HA keepalives
D.The HA1 encryption setting is mismatched between the two firewalls
AnswerB

HA keepalives are time-sensitive; a switch can add latency that makes the passive appear dead, even if basic connectivity exists.

Why this answer

The 'HA monitor peer unreachable' log combined with a 'suspended' passive firewall, despite confirmed IP connectivity on HA1, points to a failure in the HA keepalive mechanism. The peers exchange hello messages over HA1 (default hello interval 8000 ms) and ICMP heartbeats (default heartbeat interval 2000 ms); when the new switch adds enough delay or jitter that consecutive keepalives miss their window, the active firewall declares the peer unreachable even though an occasional ping succeeds. This is a classic problem when a switch is inserted into the HA path without adjusting the HA timers (Device > High Availability > General, or the 'aggressive'/'recommended' timer profiles) or without confirming that the switch forwards HA traffic with low, stable latency. 'show high-availability all' reports the negotiated timers and the peer's last-seen time.

Exam trap

The trap here is that candidates assume ping success between HA interfaces guarantees HA keepalive success, but keepalives are judged against a timer, so intermittent delay or jitter that a single ping does not reveal is enough to miss them. A 'peer unreachable' message that repeats every few seconds while the link stays up points to a keepalive timeout rather than to a link or encryption failure.

How to eliminate wrong answers

Option A is wrong because the HA2 link is dedicated to session synchronization and state propagation, not keepalive monitoring; a misconfigured or unplugged HA2 would cause session sync failures but not the 'HA monitor peer unreachable' log. Option C is wrong because a full session table on the active firewall would cause new session drops, not prevent HA keepalives, which are control-plane packets handled by the management plane and not subject to session table limits. Option D is wrong because an HA1 encryption mismatch would prevent the HA control link from establishing at all, so the peer would never be seen rather than seen intermittently, and the logs would report the encryption or connection failure rather than a periodic 'peer unreachable'.

373
MCQhard

A company has a security policy rule that allows application 'ssl' from the internal zone to the external zone. Users report that they cannot access certain HTTPS websites. Logs show that the traffic is being matched by a later rule that denies application 'web-browsing'. The administrator verifies that the target websites are using standard HTTPS (port 443). The firewall's application identification has correctly identified the traffic as 'web-browsing' instead of 'ssl'. What is the most likely reason?

A.The application 'ssl' is only used for SSL control traffic, not encrypted payload.
B.The security rule is misconfigured with the source zone incorrect.
C.The firewall's SSL decryption is enabled and re-identifies the application after decryption.
D.The firewall needs to have App-ID updated to recognize the websites.
AnswerC

After decryption, the firewall inspects the HTTP traffic and reclassifies it as 'web-browsing', which is then denied by a later rule.

Why this answer

Option C is correct because when SSL decryption is enabled, the firewall initially identifies the traffic as 'ssl' based on the TLS handshake. After decrypting the session, it inspects the HTTP payload and shifts the application to 'web-browsing'. Every App-ID shift triggers a fresh top-to-bottom policy lookup; the earlier rule allows only 'ssl', so the shifted session no longer matches it and falls through to the later rule that denies 'web-browsing'. The traffic log shows the final application ('web-browsing') and the denying rule, which is the symptom the question describes. The fix is to include 'web-browsing' (and any other applications expected inside the decrypted sessions) in the allow rule, or to place an appropriate allow rule above the deny.

Exam trap

The trap here is that candidates assume the application identification remains static after decryption, not realizing that Palo Alto firewalls re-evaluate the application post-decryption, which can cause traffic to match a different rule than the one that matched the initial encrypted session.

How to eliminate wrong answers

Option A is wrong because 'ssl' is indeed used for encrypted payload traffic, not just control traffic; the distinction between 'ssl' and 'web-browsing' is based on whether the firewall can inspect the payload after decryption. Option B is wrong because the source zone is correctly set to internal, as users are accessing from the internal zone and the rule matches that zone; the issue is application re-identification, not zone misconfiguration. Option D is wrong because App-ID has correctly identified the traffic as 'web-browsing' after decryption, so an update would not change the behavior; the problem is the order of rule evaluation and the effect of decryption on application identification.

374
MCQmedium

An engineer wants to block the use of file-sharing application BitTorrent, but allow file transfers over SFTP which also uses port 22. What is the most effective way to achieve this using App-ID?

A.Create an application filter that matches sftp.
B.Use QoS to limit BitTorrent traffic.
C.Use an application override to classify all port 22 traffic as sftp.
D.Create a security rule that denies application 'bittorrent' and allows application 'sftp'.
AnswerD

Correct: This uses App-ID to differentiate and apply appropriate actions per application.

Why this answer

App-ID can differentiate between applications on the same port. Creating separate security rules for each application allows blocking one and allowing the other.
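Questions 373 and 374 both turn on two properties of the rulebase: lookup is top-down first-match, and a session is re-evaluated against the whole rulebase every time App-ID shifts. The following Python model is an added example written for this page, not PAN-OS code; the rule names, zones and application names are constructed to mirror the two questions. It shows the 'ssl' allow rule being bypassed after decryption and the same evaluator separating two applications that share TCP port 22.

```python
"""Toy model of PAN-OS security policy evaluation with App-ID shifts.

Constructed example for the two questions above; the rule names, zones and
App-ID values are made up and this is not PAN-OS code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset   # App-ID names, or frozenset({"any"})
    action: str       # "allow" or "deny"


def first_match(rules, src_zone, dst_zone, app):
    """Top-down, first-match lookup, as the PAN-OS rulebase does it."""
    for rule in rules:
        zones_ok = rule.src_zone == src_zone and rule.dst_zone == dst_zone
        app_ok = "any" in rule.apps or app in rule.apps
        if zones_ok and app_ok:
            return rule
    return None


def evaluate_session(rules, src_zone, dst_zone, app_sequence):
    """Walk the App-IDs a session is assigned over its lifetime and re-run
    the policy lookup after every shift.  Returns a trace of
    (app, rule_name, action) tuples and stops at the first deny."""
    trace = []
    for app in app_sequence:
        rule = first_match(rules, src_zone, dst_zone, app)
        if rule is None:
            # Interzone traffic with no explicit match hits the implicit deny.
            trace.append((app, "interzone-default", "deny"))
            break
        trace.append((app, rule.name, rule.action))
        if rule.action == "deny":
            break
    return trace


def final_action(trace):
    """Action applied to the session at the end of the trace."""
    return trace[-1][2]


# Question 373: allow 'ssl', later deny 'web-browsing', decryption enabled.
BROKEN_RULEBASE = [
    Rule("allow-ssl-out", "trust", "untrust", frozenset({"ssl"}), "allow"),
    Rule("deny-web", "trust", "untrust", frozenset({"web-browsing"}), "deny"),
]
# Fix: the allow rule must also cover the App-ID seen after decryption.
FIXED_RULEBASE = [
    Rule("allow-web-out", "trust", "untrust",
         frozenset({"ssl", "web-browsing"}), "allow"),
    Rule("deny-web", "trust", "untrust", frozenset({"web-browsing"}), "deny"),
]
# App-ID as it shifts: TLS handshake -> 'ssl', decrypted payload -> 'web-browsing'.
DECRYPTED_HTTPS = ["ssl", "web-browsing"]

# Question 374: two applications on TCP/22 separated by App-ID, not by port.
PORT22_RULEBASE = [
    Rule("deny-bittorrent", "trust", "untrust", frozenset({"bittorrent"}), "deny"),
    Rule("allow-sftp", "trust", "untrust", frozenset({"sftp"}), "allow"),
]


if __name__ == "__main__":
    for label, rulebase in (("broken", BROKEN_RULEBASE), ("fixed", FIXED_RULEBASE)):
        trace = evaluate_session(rulebase, "trust", "untrust", DECRYPTED_HTTPS)
        print(f"{label}: {trace} -> {final_action(trace)}")
    for app in ("bittorrent", "sftp"):
        trace = evaluate_session(PORT22_RULEBASE, "trust", "untrust", [app])
        print(f"port 22 {app}: {trace}")
```

With the broken rulebase the trace ends at 'deny-web' even though the first lookup allowed the session; with the fixed rulebase both lookups land on the same allow rule. The port 22 case shows that the evaluator never consults the port: 'bittorrent' and 'sftp' reach different rules purely on the App-ID value, and an application neither rule names falls to the implicit interzone deny.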

375
MCQmedium

A large enterprise uses a custom application that communicates over TCP port 8080 using HTTP. The application traffic is correctly identified as 'custom-app' by App-ID. Recently, the development team changed the application to use HTTPS on the same port. The firewall administrator updated the security policy to allow the application, using the same application name, but now the traffic is being denied. The firewall logs show the application as 'ssl' and the action 'deny'. The security policy has a rule that allows 'custom-app' from inside to outside. What should the administrator do to resolve this issue?

A.Create an application override for the traffic on port 8080.
B.Disable App-ID for that traffic and use a port-based policy.
C.Change the security policy rule to allow application 'ssl' instead.
D.Update the custom application definition to include SSL decryption and a hostname match.
AnswerD

This enables the firewall to decrypt and identify the HTTPS traffic as the custom application.

Why this answer

Option D is correct because the custom application definition was written for HTTP: its signature matches on HTTP contexts (for example the Host header), which are invisible inside TLS, so the firewall can only identify the encrypted session as 'ssl' and the rule for 'custom-app' never matches. To identify the new HTTPS traffic as the custom application, the administrator must either decrypt the traffic with a decryption policy so the existing HTTP-based signature can match, or extend the custom application definition with a signature on the TLS client hello (the SNI) so the application is recognized without decryption; the hostname match in option D is what ties either approach to this specific application. Option A is wrong because an application override bypasses App-ID and content inspection for that port, losing visibility.

Option C is wrong because allowing all 'ssl' traffic is far broader than the intended application and is a security risk. Option B is wrong because disabling App-ID in favor of a port-based policy is not a best practice and reduces security.
