Palo Alto Networks Certified Network Security Engineer PCNSE (PCNSE) — Questions 376450

516 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376 · MCQ (medium)

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?

A. Verify that the HA2 link is configured and operational
B. Ensure that both firewalls have the same session setup mode (e.g., active-active vs active-passive)
C. Check that HA1 encryption is enabled on both devices
D. Verify the HA1 IP address and port settings, and confirm that the HA keepalive timer is identical on both peers

Answer: D

The HA1 link status depends on correct IP/port configuration and matching keepalive timers; mismatches can cause link down and sync failure.

Why this answer

The HA1 link is used for control-plane communication, including configuration synchronization and heartbeats. If the active firewall shows the HA1 link as down, the most likely cause is a mismatch in the HA1 IP address, port settings, or the HA keepalive timer between the two peers. Verifying and correcting these settings ensures the HA1 link can establish and maintain connectivity, allowing the passive firewall to synchronize its configuration.

Exam trap

The trap here is that candidates often confuse the roles of HA1 and HA2 links, assuming HA2 is required for configuration sync, or they assume HA1 encryption is mandatory for the link to be operational.

How to eliminate wrong answers

Option A is wrong because the HA2 link is used for session and state synchronization, not for configuration synchronization or heartbeat; a down HA2 link would not prevent configuration sync. Option B is wrong because the session setup mode (active-active vs active-passive) is a separate configuration that affects session ownership and forwarding, not the HA1 control link or configuration synchronization. Option C is wrong because HA1 encryption is optional and not required for basic HA1 link operation or configuration sync; enabling it would not resolve a link-down issue caused by IP/port or timer mismatches.

377 · MCQ (hard)

An organization has deployed GlobalProtect with certificate authentication. Users on macOS report that after updating their client, they cannot connect and see error 'Certificate validation failed: The certificate hash does not match.' What is the most likely cause?

A. The certificate pinning configuration on the gateway has a hash mismatch
B. The root CA certificate is not trusted on the client
C. The CRL is not reachable
D. The GlobalProtect gateway certificate is expired

Answer: A

Certificate pinning enforces specific hash; client update may change the hash.

Why this answer

Option A is correct because the error 'Certificate validation failed: The certificate hash does not match' specifically indicates a certificate pinning mismatch. GlobalProtect certificate pinning allows the gateway to enforce that the client's certificate matches a specific hash (SHA-256 fingerprint). When the client updates, its certificate may change (e.g., due to a new key pair or renewal), causing the hash stored in the gateway's pinning configuration to no longer match, resulting in this exact error.

Exam trap

The trap here is that candidates often confuse certificate pinning failures with general certificate validation issues (like trust or expiry), but the specific error message 'certificate hash does not match' is unique to pinning and not to standard PKI validation steps.

How to eliminate wrong answers

Option B is wrong because if the root CA certificate were not trusted on the client, the error would typically be 'untrusted root' or 'certificate not trusted', not a hash mismatch. Option C is wrong because an unreachable CRL would cause a revocation check failure (e.g., 'CRL not available' or 'certificate revoked'), not a hash mismatch. Option D is wrong because an expired gateway certificate would produce an 'expired certificate' error, not a hash mismatch; the hash mismatch error is specific to the client certificate's fingerprint not matching the pinned value.

378 · Multi-Select (medium)

Which TWO of the following are minimum required configurations to enable User-ID on a Palo Alto Networks firewall? (Choose exactly two.)

Select 2 answers
A. Configure a server profile for LDAP or other authentication protocol.
B. Deploy a User-ID agent on every domain controller.
C. Enable User-ID on the firewall interface(s) where traffic is received.
D. Install a captive portal to authenticate users.
E. Configure a security policy rule that uses a user group as a source.

Answers: A, C

A server profile is necessary to retrieve user-to-IP mappings.

Why this answer

A is correct because User-ID requires a server profile (e.g., LDAP, Kerberos, or a WMI-based agent) to query the directory service for user-to-IP mappings. Without this profile, the firewall cannot resolve usernames from authentication events or directory lookups, which is the foundational step for User-ID functionality.

Exam trap

The trap here is that candidates often confuse optional enhancements (like captive portal or agent deployment on every DC) with the mandatory foundational components, leading them to select B or D instead of recognizing that only a server profile and interface enablement are strictly required.

379 · MCQ (easy)

An administrator wants to view real-time CPU and memory usage on the firewall. Which CLI command should be used?

A. show system info
B. show routing route
C. show log system
D. show system resources

Answer: D

This shows CPU, memory, and disk usage in real-time.

Why this answer

The 'show system resources' command displays real-time CPU and memory utilization on a Palo Alto Networks firewall, including load averages, memory usage, and process-level details. This is the correct command for monitoring live resource consumption, as opposed to static system information or logs.

Exam trap

The trap here is that candidates confuse 'show system info' (static system details) with 'show system resources' (dynamic resource usage), as both commands start with 'show system' and seem related to system health.

How to eliminate wrong answers

Option A is wrong because 'show system info' displays static system information such as model, serial number, software version, and uptime, not real-time CPU or memory usage. Option B is wrong because 'show routing route' displays the routing table entries, which is unrelated to system resource monitoring. Option C is wrong because 'show log system' displays system event logs (e.g., configuration changes, alarms), not real-time CPU or memory metrics.

380 · MCQ (hard)

Refer to the exhibit. Based on the log entry, what action was taken on this traffic?

A. The traffic was allowed with a reset.
B. The action could not be determined.
C. The traffic was dropped.
D. The traffic was allowed and logged.

Answer: C

The action field explicitly states 'drop'.

Why this answer

The log entry shows the action field as 'drop', which indicates the firewall denied the traffic. In Palo Alto Networks firewalls, a 'drop' action means the packet was silently discarded without sending a TCP reset or ICMP unreachable message. Therefore, option C is correct.

Exam trap

Palo Alto Networks often tests the distinction between 'drop' and 'reset' actions, where candidates may mistakenly assume a dropped packet generates a TCP reset, but in Palo Alto firewalls, 'drop' is silent and 'reset' explicitly sends RST packets.

How to eliminate wrong answers

Option A is wrong because 'reset' would appear in the action field as 'reset-both', 'reset-client', or 'reset-server', not 'drop'. Option B is wrong because the action is explicitly logged as 'drop', so it can be determined. Option D is wrong because 'allow' would appear as 'allow' in the action field, and the traffic was dropped, not allowed.

381 · MCQ (medium)

After enabling SSL Forward Proxy decryption, users report that they cannot access HTTPS websites and receive certificate errors. The firewall's decryption certificate is properly installed on client machines. What is the most likely cause?

A. The firewall's decryption certificate is not trusted by the clients' certificate store.
B. The decryption certificate has expired.
C. The decryption certificate is not renewed automatically.
D. The decryption certificate is self-signed.

Answer: A

Clients must trust the firewall's CA certificate to avoid warnings.

Why this answer

The most likely cause is that the firewall's decryption certificate is not trusted by the clients' certificate store. Even if the certificate is properly installed on client machines, if it is not explicitly added to the trusted root certification authorities store, browsers will reject the connection with certificate errors. SSL Forward Proxy decryption requires the firewall to generate a new certificate for each HTTPS session, signed by its own CA certificate; clients must trust that CA certificate to avoid warnings.

Exam trap

The trap here is that candidates often assume 'properly installed' means the certificate is trusted, but in SSL decryption, the certificate must be placed in the trusted root store, not just imported as a personal certificate; Cisco (Palo Alto) tests this distinction to catch those who overlook the specific trust store requirement.

How to eliminate wrong answers

Option B is wrong because an expired decryption certificate would cause certificate errors, but the question states the certificate is properly installed and users receive errors; expiration is a possible cause but not the most likely given the context of proper installation. Option C is wrong because automatic renewal of the decryption certificate is not a standard feature in PAN-OS; certificates must be manually renewed or replaced, so this is not a common cause of access issues. Option D is wrong because a self-signed certificate is the typical type used for SSL Forward Proxy decryption in Palo Alto firewalls; the issue is not that it is self-signed, but that it is not trusted by the clients.

382 · MCQ (medium)

A user tries to connect to the GlobalProtect portal but receives 'Certificate validation failed'. What is the most likely missing configuration?

A. The root CA certificate is not imported into the firewall
B. The gateway's certificate is not configured
C. The user's client certificate is expired
D. The portal's certificate is not configured

Answer: A

The firewall must trust the CA that issued the client certificates.

Why this answer

For certificate-based client authentication, the firewall needs the root CA certificate of the client certificates imported; otherwise, it cannot validate the client certs.

383 · MCQ (hard)

Based on the exhibit, what is the most likely cause of the warnings?

A. The HA3 link is misconfigured
B. Configuration synchronization is failing
C. Both the primary and backup HA2 links are down
D. The HA2 keepalive timer is set too low

Answer: C

Warnings for both indicate link failure.

Why this answer

Option A is correct. The HA2 link (ethernet1/3) is down, and the backup link (ethernet1/5) also shows missing keepalive, indicating both primary and backup HA2 links are down. Option B is wrong because HA3 is for packet forwarding, not session sync.

Option C is wrong because HA2 timers are default. Option D is wrong because configuration sync uses HA1, not HA2.

384 · MCQ (medium)

A company is migrating to cloud-based SaaS applications and wants to enforce SAML-based authentication with single logout. They have a Palo Alto firewall running the latest PAN-OS. What is the recommended configuration to enable SAML authentication for these applications?

A. Create an authentication profile with SAML identity provider and assign it to the application.
B. Configure GlobalProtect with SAML authentication to access the SaaS applications.
C. Use the User-ID agent to synchronize SAML sessions between the identity provider and the firewall.
D. Configure a SAML identity provider profile and create an authentication policy that enforces SAML authentication for the applications.

Answer: D

The authentication policy defines which applications require authentication and which authentication profile to use. SAML is supported for web applications.

Why this answer

Option C is correct because SAML authentication policy on the firewall is used to enforce SAML authentication for web-based applications, and enabling the authentication policy allows the firewall to redirect users to the SAML IdP for authentication. Option A is partially correct but missing the policy component. Option B is for VPN access, not direct app authentication.

Option D is not relevant as User-ID agent does not handle SAML sessions.

385 · MCQ (easy)

By default, what is the action on traffic between two different zones without any security rule?

A. deny
B. allow
C. depends on the application
D. prompt

Answer: A

By default, traffic between different zones is denied unless a security rule allows it.

Why this answer

By default, Palo Alto Networks firewalls implement an implicit deny rule for inter-zone traffic. This means that if no security rule explicitly matches traffic between two different zones, the firewall drops the packet and logs it as a deny action. This default behavior ensures that all cross-zone traffic must be explicitly allowed by a security policy, enforcing a zero-trust model.

Exam trap

The trap here is that candidates often confuse the default inter-zone action with intra-zone traffic (which is allowed by default) or assume that the firewall will prompt or log a warning, when in fact it silently denies without any user notification.

How to eliminate wrong answers

Option B is wrong because allowing inter-zone traffic by default would violate the principle of least privilege and create a security hole; Palo Alto firewalls never allow traffic without an explicit allow rule. Option C is wrong because the action is not dependent on the application; the firewall applies a default deny regardless of the application ID, and application identification only occurs after a rule match. Option D is wrong because the firewall does not prompt or ask for user input for inter-zone traffic; it silently drops the packet based on the implicit deny rule.

386 · MCQ (hard)

A security engineer is deploying a new PA-5220 firewall to replace an existing legacy firewall. The environment has complex routing with OSPF and BGP. The engineer configures the firewall with multiple virtual routers: one for the internal network, one for the DMZ, and one for the external connection to two ISPs. The firewall is placed in Layer 3 mode. After the cutover, users report that they can access the internet but internal traffic between two different subnets that are both in the internal virtual router fails to route properly. The engineer checks the routing table on the internal virtual router and sees correct OSPF learned routes. The security policies allow all traffic between those subnets. What is the most likely cause of the routing failure?

A. The firewall does not have a loopback interface for OSPF router-id
B. The security policy is not correctly identifying the traffic due to asymmetric routing
C. The internal interfaces are assigned to different virtual routers
D. The OSPF metric is too high, causing route preference issues

Answer: C

If the interfaces belong to different virtual routers, the firewall will not route between them by default without inter-VR route leaking or a shared VR.

Why this answer

The most likely cause is that the internal interfaces are assigned to different virtual routers. In a Palo Alto Networks firewall, Layer 3 interfaces belong to a specific virtual router, and routing between subnets in different virtual routers requires either a route leak or a shared virtual router. Since the engineer placed both subnets in the same internal virtual router but the interfaces are in different virtual routers, the firewall cannot route traffic between them even if the routing table and security policies are correct.

Exam trap

The trap here is that candidates often assume that security policies alone control traffic flow, forgetting that virtual routers create isolated routing domains, and that interfaces in different virtual routers cannot route to each other without explicit route leaking or redistribution.

How to eliminate wrong answers

Option A is wrong because a loopback interface for OSPF router-id is not required for OSPF to function; the firewall can use the highest IP address of any active interface or a manually configured router-id. Option B is wrong because asymmetric routing is not the issue here; the traffic is between two subnets within the same virtual router, and the security policy allows all traffic, so asymmetric routing would not cause a failure in this scenario. Option D is wrong because a high OSPF metric would affect route preference but would not prevent routing between directly connected subnets within the same virtual router; the firewall would still use connected routes or OSPF-learned routes with lower metrics.

387 · MCQ (easy)

Refer to the exhibit. What does the serial number '0123456789' indicate?

A. The MAC address of the management interface
B. The model number of the firewall
C. The firmware version installed
D. The unique hardware identifier for licensing and support

Answer: D

The serial number is used for licensing and technical support identification.

Why this answer

The serial number '0123456789' is a unique hardware identifier assigned to each Palo Alto Networks firewall during manufacturing. It is used for licensing, support entitlement, and device identification in the Palo Alto Networks support portal, not for network-level addressing or software versioning.

Exam trap

The trap here is that candidates often confuse the serial number with the model number or MAC address, especially when the exhibit shows a generic string like '0123456789' that lacks the typical format of a Palo Alto Networks serial number (e.g., starting with 'PA' or a specific prefix).

How to eliminate wrong answers

Option A is wrong because the MAC address of the management interface is a separate, network-layer identifier used for Layer 2 communication, not the serial number. Option B is wrong because the model number (e.g., PA-5250) is a different alphanumeric string that identifies the hardware platform, not the unique serial number. Option C is wrong because the firmware version (e.g., PAN-OS 10.2.3) is a software release identifier displayed in the dashboard or CLI, not the hardware serial number.

388 · Multi-Select (easy)

Which TWO components are part of the PAN-OS management plane?

Select 2 answers
A. SSL decryption engine
B. Packet buffer
C. Log collection and reporting
D. Management interface
E. App-ID engine

Answers: C, D

Log collection and reporting are handled by the management plane.

Why this answer

Log collection and reporting is a function of the management plane in PAN-OS. The management plane handles all non-traffic-forwarding tasks, including logging, configuration management, and reporting. This is distinct from the data plane, which processes actual network traffic.

Exam trap

The trap here is that candidates often confuse data plane functions (like SSL decryption, App-ID, and packet buffering) with management plane responsibilities, leading them to select options A, B, or E instead of recognizing that log collection and the management interface are purely management plane components.

389 · MCQ (easy)

A company is deploying GlobalProtect for remote users and wants to enforce that only users with valid certificates are allowed to connect. Which configuration is required on the GlobalProtect gateway?

A. Define a tunnel interface with an IP address that matches the certificate subject
B. Set the gateway's IP pool to require certificate authentication
C. Configure a certificate profile in the gateway's authentication settings
D. Configure client authentication in the portal with a certificate profile

Answer: C

The gateway uses a certificate profile to validate client certificates during tunnel establishment.

Why this answer

Option B is correct because the gateway must use a certificate profile to authenticate client certificates. Option A is incorrect because client authentication in the portal is for portal access, not gateway. Option C is incorrect because the IP pool assigns IP addresses but does not enforce certificate authentication.

Option D is incorrect because the gateway's tunnel interface IP is unrelated to certificate authentication.

390 · MCQ (hard)

A security team needs to capture traffic for forensic analysis of a specific application that uses non-standard ports. The administrator wants to capture packets on the firewall for that application only, without affecting performance. Which method should be used?

A. Set up a port mirror on the upstream switch
B. Create an application override policy
C. Configure a PCAP filter in the firewall's packet capture feature
D. Use tcpdump on the management interface

Answer: C

PCAP filter selectively captures traffic based on specified criteria.

Why this answer

The firewall's built-in packet capture feature with a PCAP filter allows the administrator to capture only traffic matching specific criteria (e.g., application, source/destination IP, port) directly on the data plane, without impacting overall performance. This is the correct method because it isolates the target application's traffic for forensic analysis without requiring external devices or altering traffic flow.

Exam trap

The trap here is that candidates confuse a management-plane tool (tcpdump on the management interface) with a data-plane capture, or they assume port mirroring is the only way to capture traffic, overlooking the firewall's native, performance-friendly PCAP filter feature.

How to eliminate wrong answers

Option A is wrong because port mirroring on an upstream switch copies all traffic from the monitored port, not just the specific application, and it introduces additional load on the switch and firewall, potentially affecting performance. Option B is wrong because an application override policy changes how the firewall identifies and handles the application (e.g., by specifying a custom port), but it does not capture or log packet-level data for forensic analysis. Option D is wrong because tcpdump on the management interface only captures traffic destined to or originating from the management plane, not the data-plane traffic flowing through the firewall's forwarding path.

391 · MCQ (easy)

A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?

A. Disable URL filtering on the existing security rule
B. Check the user-ID mapping to ensure the user is authenticated
C. Create a new security rule allowing the user's IP to any
D. Add the URL to an allow list in the URL filtering profile

Answer: D

This allows the specific URL while keeping the profile active.

Why this answer

Option D is correct because the traffic log explicitly indicates a 'URL Filtering' block, meaning the firewall's URL filtering profile is denying the request based on the URL category or specific URL. Adding the URL to an allow list within the URL filtering profile overrides the block, allowing access while keeping the security rule and other filtering policies intact. This approach preserves security controls for other traffic and avoids disabling URL filtering entirely.

Exam trap

The trap here is that candidates may assume disabling URL filtering entirely (Option A) is the quickest fix, but the PCNSE exam tests the understanding that URL filtering profiles should be modified granularly using allow/block lists rather than disabling the feature completely.

How to eliminate wrong answers

Option A is wrong because disabling URL filtering on the existing security rule would remove all URL-based controls for that rule, potentially exposing the network to malicious or inappropriate websites, which is an overreaction to a single blocked URL. Option B is wrong because the user-ID mapping is irrelevant to a URL filtering block; URL filtering decisions are based on the URL category or list, not user authentication status, and the traffic log already shows the session is denied due to URL filtering, not authentication. Option C is wrong because creating a new security rule allowing the user's IP to any would bypass all security policies, including URL filtering, but it is an insecure and overly permissive solution that ignores the specific URL filtering block and could allow unrestricted access to any destination.

392 · MCQ (hard)

An administrator is configuring SSL Forward Proxy decryption and wants to ensure that traffic to internal servers with self-signed certificates is decrypted, but traffic to external banking sites is excluded from decryption. They have created a decryption policy with two rules: first rule with 'No Decrypt' for the external banking URLs, second rule with 'Decrypt' for all other traffic. However, the banking traffic is still being decrypted. What is the most likely issue?

A. The SSL Forward Proxy profile is set to ignore the decryption policy.
B. The firewall is using a different decryption port than 443.
C. The decryption policy rules are in the wrong order; the 'Decrypt' rule should be first.
D. The URL category for banking is not correctly identified.

Why this answer

Decryption policy rules are evaluated top-down. If the 'Decrypt' rule is placed first, it matches all traffic and decrypts it, including banking. The 'No Decrypt' rule must come before the 'Decrypt' rule.

393 · Matching (medium)

Match each high availability (HA) term to its definition.

Matches

One firewall handles traffic; the other stands by

Both firewalls handle traffic simultaneously

Keepalive messages exchanged between HA peers

Original active firewall reclaims role after recovery

Firewall that initially processed a session

Why these pairings

These are key concepts in Palo Alto Networks HA configuration.

394 · MCQ (easy)

What is the recommended best practice for the HA2 keepalive timer in an active/passive HA configuration?

A. 2000 ms
B. It should be left at the default value and not changed
C. 500 ms
D. 1000 ms

Answer: D

Default and recommended for stability.

Why this answer

Option B is correct because the default HA2 keepalive timer is 1000 ms (1 second). Option A is wrong because 500 ms is too aggressive. Option C is wrong because 2000 ms may cause delayed failover.

Option D is wrong because the timer is configurable, not automatic.

395 · MCQ (medium)

A company uses SSL Forward Proxy decryption for user traffic. Recently, some users cannot access a specific HTTPS website that uses a self-signed certificate. The firewall's decryption policy is set to 'decrypt' and the action is 'forward proxy'. The firewall does not have the self-signed CA certificate installed. What is the most likely cause of the issue?

A. The firewall cannot decrypt the session because it does not trust the self-signed certificate of the website.
B. The website is not included in the decryption policy's URL category.
C. The firewall's decryption certificate is not trusted by the client browsers.
D. The firewall's forward proxy decryption requires a server certificate that matches the original website.

Answer: A

The firewall must trust the server's certificate to re-sign for the client; without the self-signed CA, it cannot.

Why this answer

In SSL Forward Proxy decryption, the firewall must generate a new server certificate on-the-fly to present to the client. To do this, it needs to trust the original server's certificate so it can validate the server's identity and then re-sign the session. Since the website uses a self-signed certificate and the firewall does not have that CA certificate installed, the firewall cannot validate the server's certificate, causing the decryption to fail and the session to be blocked.

Exam trap

Palo Alto Networks often tests the distinction between the firewall's ability to validate the server certificate (which requires the server's CA to be trusted) versus the client's trust in the firewall's decryption certificate, leading candidates to confuse client-side trust issues with server-side validation failures.

How to eliminate wrong answers

Option B is wrong because the decryption policy's URL category determines which traffic is decrypted, not whether the firewall can validate the server's certificate; if the URL category were the issue, the traffic would simply not be decrypted, not fail with a certificate trust error. Option C is wrong because the client browsers trusting the firewall's decryption certificate is a separate issue that affects browser warnings, not the firewall's ability to decrypt the session; the firewall can still decrypt even if clients don't trust its certificate. Option D is wrong because forward proxy decryption does not require the firewall's certificate to match the original website; the firewall generates a new certificate with the same subject name as the original site, signed by its own CA, which is the standard behavior for forward proxy.

396 · Matching (medium)

Match each PAN-OS component to its description.

Matches

Handles configuration, logging, and reporting

Processes traffic and enforces security policies

Manages routing and session setup

Collects and stores logs for analysis

Centralized management for multiple firewalls

Why these pairings

These are key architectural components in Palo Alto Networks firewalls.

397 · MCQ (hard)

A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?

A. The firewall must be rebooted for the custom App-ID to take effect.
B. An application override rule has not been configured to associate the traffic with the custom App-ID.
C. The custom App-ID must be enabled in the 'Applications' section of the firewall settings.
D. The firewall cannot identify applications over UDP.

Answer: B

Application override is required to bypass signature-based identification and assign the custom App-ID.

Why this answer

The custom App-ID is correctly configured and committed, but the firewall still does not identify the traffic because App-IDs are based on application signatures and behavioral analysis. For a proprietary protocol over UDP, the firewall may not have a signature to match it, so an application override rule is required to explicitly associate the traffic (based on IP, port, or protocol) with the custom App-ID. Without this override, the firewall will continue to treat the traffic as unknown or attempt to match it against built-in App-IDs.

Exam trap

The trap here is that candidates assume a correctly configured custom App-ID will automatically identify traffic, but they overlook the need for an Application Override rule to explicitly bind the traffic to that App-ID when the firewall cannot match it via signatures.

How to eliminate wrong answers

Option A is wrong because rebooting the firewall is unnecessary; custom App-IDs take effect immediately after commit, not requiring a reboot. Option C is wrong because custom App-IDs are not enabled in a separate 'Applications' section; they are created and applied via Security policy rules or Application Override rules. Option D is wrong because Palo Alto Networks firewalls can identify applications over UDP; App-ID supports both TCP and UDP protocols, and the issue is specifically about the lack of a signature for this proprietary protocol.

398
Drag & Drop, medium

Arrange the steps to configure a new administrator account with role-based access.

Why this order

Administrator accounts are created with credentials and roles.

399
MCQ, hard

A firewall is configured with multiple virtual wire interfaces. Traffic passes through but the firewall cannot enforce security policies based on source/destination IP addresses. What is the reason?

A. The virtual wire is not configured with zones
B. The virtual wire requires a VLAN tag
C. The security policy is in layer 3 mode
D. Virtual wire mode does not support IP-based policies
Answer: D

In virtual wire mode, the firewall acts as a transparent bridge and cannot inspect IP addresses for policy matching.

Why this answer

In virtual wire mode, the firewall operates as a transparent Layer 2 bridge, forwarding frames based on MAC addresses without performing any IP routing or inspection of Layer 3 headers. Because the firewall does not see the source or destination IP addresses in the traffic, it cannot enforce security policies that rely on IP-based criteria. Option D correctly identifies that virtual wire mode inherently does not support IP-based policies.

Exam trap

The trap here is that candidates may assume virtual wire mode still allows IP-based policies because the firewall can see IP packets, but they forget that the firewall does not process Layer 3 headers in this mode, making IP-based policy enforcement impossible.

How to eliminate wrong answers

Option A is wrong because virtual wire interfaces are automatically assigned to a zone when the virtual wire is created, and zones are required for policy enforcement, but the issue here is not zone assignment; it is the lack of IP visibility. Option B is wrong because virtual wire mode does not require VLAN tags; it can pass untagged traffic, and VLAN tags are optional for segmenting traffic within a virtual wire. Option C is wrong because security policies in Layer 3 mode are used for routed interfaces, not virtual wire interfaces; virtual wire mode operates at Layer 2, and policy enforcement is based on Layer 2 information, not Layer 3 IP addresses.

400
MCQ, hard

A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?

A. Pre-logon token not enabled on the portal
B. Gateway's certificate not imported or untrusted
C. Pre-logon token not enabled on the gateway
D. Portal's authentication profile does not allow pre-logon
Answer: B

If the gateway's certificate is not trusted, the client will reject the connection during pre-logon.

Why this answer

During pre-logon, the client connects to the gateway using machine credentials. If the gateway certificate is not trusted, the SSL handshake fails, preventing access.

401
Multi-Select, medium

Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?

Select 2 answers
A. Right-clicking on a session in the Traffic log and selecting 'Create App-ID'.
B. Using the 'Application Command Center' to automatically generate custom App-IDs.
C. Using the 'set application' command in the CLI.
D. Importing an App-ID definition file from a CSV.
E. Using the 'Objects' > 'Application Filters' menu in the web interface.
Answers: C, E

CLI allows configuration of custom applications.

Why this answer

Option C is correct because the 'set application' CLI command allows you to define a custom App-ID by specifying characteristics such as protocol, port, and signature. This is a direct method to create a custom application object on a Palo Alto Networks firewall, as documented in the administrator's guide.

Exam trap

The trap here is that candidates may confuse 'Create Application Override' (which bypasses App-ID) with 'Create App-ID' (which defines a new application), leading them to select option A, or they may mistakenly think the ACC can generate App-IDs, which it cannot.

402
MCQ, easy

A network administrator wants to ensure that all traffic traversing the firewall is correctly identified by App-ID before any security policies are evaluated. Which step is essential?

A. Enable App-ID on the firewall interfaces.
B. Configure security zones properly.
C. Enable Threat Prevention profiles.
D. Ensure App-ID is enabled in the security policy rules.
Answer: D

App-ID is applied per rule; enabling it ensures identification occurs.

Why this answer

Option D is correct: App-ID must be enabled in the security policy rule (or globally) to ensure identification occurs before policy evaluation. Option A is wrong because App-ID does not require enabling on interfaces separately. Option B is wrong because zones define traffic boundaries, not App-ID.

Option C is wrong because threat prevention is unrelated to App-ID.

403
MCQ, hard

An organization uses SSL Forward Proxy decryption for all web traffic. A user reports intermittent connectivity issues to a SaaS application. The firewall shows no drops or errors. Which of the following is the most likely cause?

A. The firewall and the SaaS server negotiate a TLS version that is incompatible for some connections.
B. The firewall's decryption policy is set to 'no-decrypt' for the application.
C. The firewall's internet link experiences periodic packet loss.
D. The SaaS application's certificate is expired or revoked.
Answer: A

SSL/TLS version mismatch can cause intermittent failures; the firewall may attempt a higher version than the server supports.

Why this answer

Option A is correct because the firewall may negotiate a TLS version or cipher that is not supported by the SaaS server, causing the connection to fail intermittently. Option C is wrong because packet loss on the internet link would affect all traffic and be visible in session metrics. Option D is wrong because an expired or revoked certificate would affect all users.

Option B is wrong because decryption is enabled and the firewall is actively proxying.

404
MCQ, medium

Dynamics Inc., a mid-sized company, uses Palo Alto Networks PA-5250 firewalls at their data center. They recently deployed a new web-based CRM application that uses HTTPS and WebSocket connections on TCP port 8443. The security team configured a custom application 'crm-app' with a signature that matches the 'Host' header in HTTP requests, and set the protocol decoder to 'tcp' and the port to 8443. The application is used in a security policy to allow traffic from internal users to the CRM server. However, after deployment, the traffic logs show the application is identified as 'ssl' instead of 'crm-app'. The firewall's App-ID and threat prevention subscriptions are active and up to date. The team has verified that the custom application signature is correctly configured, and the traffic clearly matches the defined host header. Which action should be taken to ensure the CRM traffic is correctly identified by App-ID?

A. Increase the 'timeout' value for the custom application signature from 0 to 60 seconds.
B. Modify the custom application signature to use the 'tcp' protocol decoder and set the port to 8443.
C. Disable SSL decryption for the CRM traffic to allow App-ID to inspect the unencrypted HTTP headers.
D. Create a new security rule with an application override that sets the application to 'crm-app' for the CRM traffic.
Answer: D

An application override forces the firewall to identify the traffic as the specified application, bypassing App-ID's detection. This is a valid approach when App-ID fails to correctly classify traffic despite a properly configured custom signature.

Why this answer

Option D is correct because when App-ID fails to correctly identify traffic despite a properly configured custom application signature, an application override in a security policy can force the identification. This is a supported and common troubleshooting step. Option C is incorrect because disabling SSL decryption would prevent App-ID from inspecting HTTPS headers, making identification less accurate.

Option A is incorrect because the timeout parameter controls how long App-ID waits before updating the application, not the initial identification. Option B is incorrect because the protocol decoder and port are already correctly set per the verification; changing them would not resolve the misclassification.

405
Drag & Drop, medium

Order the steps to configure a security policy allowing HTTP traffic from the inside to the outside zone.

Why this order

Security policies define traffic flow by zone, application, and service.

406
MCQ, easy

A security administrator notices that HTTP traffic is correctly identified as web-browsing but HTTPS traffic is showing as ssl. The company uses a custom HTTPS-based application that needs to be identified by its own App-ID. What should the administrator do?

A. Enable SSL decryption on the firewall.
B. Configure a custom URL category for the application.
C. Create an App-ID override (custom application) for the custom application.
D. Disable App-ID for the traffic.
Answer: C

App-ID overrides allow custom application signatures to match specific traffic patterns.

Why this answer

Option C is correct because creating an App-ID override allows the administrator to define a custom application signature for the traffic, ensuring it is identified as the custom application rather than ssl. Option B is wrong because configuring a custom URL category does not affect App-ID. Option A is wrong because SSL decryption alone does not change the application identity; it only allows inspection.

Option D is wrong because disabling App-ID would bypass application identification entirely.

407
Multi-Select, medium

Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?

Select 2 answers
A. Client certificate
B. Security zone for the tunnel interface
C. Tunnel interface
D. GlobalProtect portal configuration
E. IKE gateway configuration
Answers: C, E

The tunnel interface is the endpoint for the VPN traffic.

Why this answer

A tunnel interface is required on the firewall to terminate the IPSec tunnel from the remote GlobalProtect client. The tunnel interface serves as the logical endpoint for the encrypted traffic, allowing the firewall to apply security policies and route decrypted traffic appropriately. Without a tunnel interface, the IPSec security associations cannot be mapped to a virtual interface for traffic processing.

Exam trap

The trap here is that candidates often confuse the GlobalProtect portal configuration as a prerequisite for the IPSec tunnel, but the portal is only needed for client configuration and certificate provisioning, not for the actual tunnel establishment between the gateway and the remote client.

408
MCQ, medium

A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?

A. Create separate virtual systems (VSYS) for each tenant on the same firewall.
B. Deploy multiple VM-Series firewalls as separate instances on the same hypervisor.
C. Use active/active HA mode to assign each tenant to a different firewall.
D. Configure multiple virtual routers (VRFs) within the same virtual system.
Answer: A

VSYS provides complete logical separation of configuration, routing, and policies per tenant.

Why this answer

Virtual systems (VSYS) allow a single Palo Alto Networks firewall to be partitioned into multiple independent logical firewalls, each with its own routing table, security policies, and administrative domains. This enables tenant isolation on a single HA pair without requiring separate hardware or instances, making option A correct for the described requirement.

Exam trap

The trap here is that candidates often confuse virtual routers (VRFs) with full tenant isolation, not realizing that VRFs only separate routing tables, while VSYS provides complete separation of policies, objects, and administration required for multi-tenant environments.

How to eliminate wrong answers

Option B is wrong because deploying multiple VM-Series firewalls as separate instances on the same hypervisor would require separate management and licensing for each instance, defeating the purpose of using a single HA pair and increasing complexity. Option C is wrong because active/active HA mode does not assign tenants to different firewalls; both firewalls in an active/active pair share the same configuration and forward traffic together, so tenant isolation would still require VSYS or other segmentation. Option D is wrong because multiple virtual routers (VRFs) within the same virtual system can separate routing tables but do not isolate security policies, administrative access, or other tenant-specific configurations; VSYS is required for full tenant isolation.

409
MCQ, easy

A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?

A. Network > Virtual Routers
B. Policy Optimizer > Test Policy Match
C. Monitor > Logs > Traffic
D. Device > Setup > Management
Answer: B

Test Policy Match simulates traffic and returns matching policy.

Why this answer

Option B is correct because the 'Test Policy Match' tool under Policy Optimizer allows an administrator to simulate a specific traffic flow (source/destination IP, port, protocol) and see which security policy rule it matches. This directly addresses the need to verify whether a missing or misconfigured policy is blocking internet access for the 10.0.1.0/24 subnet.

Exam trap

The trap here is that candidates often confuse the 'Test Policy Match' tool with traffic logs (Option C), thinking logs can predict future policy matches, but logs only show past events and cannot simulate a flow that hasn't occurred yet.

How to eliminate wrong answers

Option A is wrong because Virtual Routers manage routing tables and next-hop decisions, not security policy matching; it cannot test which security rule applies to a traffic flow. Option C is wrong because Monitor > Logs > Traffic shows historical logs of already-processed traffic, not a proactive test of policy matching for a hypothetical flow. Option D is wrong because Device > Setup > Management configures administrative settings (e.g., management interfaces, authentication) and has no capability to simulate or test security policy matching.

410
Multi-Select, medium

Which two are valid methods for collecting User-ID information on a Palo Alto Networks firewall? (Choose two.)

Select 2 answers
A. Syslog parsing
B. Email gateway
C. Active Directory agent
D. SNMP trap
E. Captive portal
Answers: C, E

The AD agent polls domain controllers for user logon events.

Why this answer

Option C is correct because the Active Directory agent is a dedicated software component that integrates with Microsoft Active Directory to map user logon events to IP addresses, providing real-time User-ID information to the firewall. Option E is correct because Captive Portal actively authenticates users via browser-based or agent-based authentication, associating their IP address with a username upon successful login, which is a direct method for collecting User-ID data.

Exam trap

The trap here is that candidates often confuse Syslog parsing or SNMP traps as valid User-ID sources because they are common in other security contexts, but Palo Alto Networks specifically requires authentication-based methods like AD agent, Captive Portal, or XFF headers for User-ID collection.

411
Multi-Select, easy

Which TWO of the following are supported authentication methods for IPSec VPN tunnel setup between two Palo Alto Networks firewalls?

Select 2 answers
A. Certificate
B. RADIUS
C. SAML
D. LDAP
E. Pre-shared key
Answers: A, E

Certificate authentication is supported for IPSec tunnels.

Why this answer

IPSec tunnel authentication between firewalls supports pre-shared keys and digital certificates.

412
MCQ, hard

You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for internal corporate network, VR-B for DMZ, and VR-C for Internet edge. Each VR is associated with a separate Vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?

A. The use of multiple virtual routers prevents HA from monitoring interfaces across VRs.
B. The IPsec tunnel monitoring is configured, but it is not a valid HA monitoring method; only path, interface, and route monitoring are supported.
C. The 'monitor hold time' is too short, causing flapping to be ignored.
D. The 'monitor failure only' is set to 'link-status' instead of 'path-monitoring'.
Answer: B

IPsec tunnel monitoring is not an HA monitoring method; the firewall may not consider it for failover decisions.

Why this answer

Option B is correct because IPsec tunnel monitoring is not a supported HA monitoring method on Palo Alto Networks firewalls. The supported methods are path monitoring, interface monitoring, and route monitoring. Since the configuration relies on IPsec tunnel monitoring to trigger failover, the secondary firewall will not take over when the primary's interface goes down, regardless of other settings.

Exam trap

The trap here is that candidates may assume any monitoring feature (like IPsec tunnel monitoring) can be used for HA failover, but Palo Alto Networks explicitly restricts HA monitoring to interface, path, and route monitoring only.

How to eliminate wrong answers

Option A is wrong because multiple virtual routers do not prevent HA from monitoring interfaces across VRs; HA can monitor interfaces in any VR as long as they are configured in the HA monitoring setup. Option C is wrong because a 'monitor hold time' of 1000ms is not too short; it is a standard value, and the issue is not about flapping but about the monitoring method itself. Option D is wrong because setting 'monitor failure only' to 'link-status' is correct for interface-based monitoring; the problem is that IPsec tunnel monitoring is not a valid HA monitoring method, not the failure condition type.

413
Multi-Select, easy

An organization wants to enforce multi-factor authentication (MFA) for administrative access to the Palo Alto Networks firewall. Which TWO authentication methods are supported for local administrator accounts?

Select 2 answers
A. LDAP authentication
B. SAML IdP authentication
C. One-time password (OTP) via RADIUS
D. Time-based one-time password (TOTP)
E. Client certificate authentication
Answers: C, D

Correct: OTP via RADIUS is a supported MFA method for local admin accounts.

Why this answer

Option C is correct because Palo Alto Networks firewalls support one-time password (OTP) authentication for local administrator accounts via RADIUS, where the RADIUS server generates and validates the OTP. Option D is correct because time-based one-time password (TOTP) is natively supported for local administrator MFA, using RFC 6238 to generate time-synchronized codes that the firewall validates directly without an external server.

Exam trap

The trap here is that candidates often confuse authentication methods that support MFA for local administrator accounts with those used for external user authentication (e.g., SAML or LDAP), mistakenly thinking any external IdP can be applied to local accounts, when in fact only TOTP and RADIUS-based OTP are supported for local admin MFA.

414
Multi-Select, easy

Which TWO conditions can cause an HA pair to show a state of 'suspended'?

Select 2 answers
A. Software version mismatch between peers
B. HA2 link failure
C. License mismatch between peers
D. Configuration synchronization failure
E. HA1 link failure
Answers: D, E

If config sync fails, firewall may suspend to avoid inconsistency.

Why this answer

Options D and E are correct. E: When the HA1 link is down, the pair may go suspended if there is no alternative keepalive path. D: If the passive firewall cannot sync its configuration, it may enter the suspended state.

B is wrong because HA2 failure does not cause the suspended state; it only affects session sync. A is wrong because a version mismatch typically shows 'non-functional' or 'reconnect'. C is wrong because a license mismatch does not affect HA state directly.

415
MCQ, hard

You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?

A. The forward trust certificate has expired or is not trusted by the clients in Branch Office A.
B. The decryption profile for Branch Office A is configured with an incorrect cipher suite that is not supported by the external websites.
C. Traffic from Branch Office A is asymmetrically routed, causing the TLS handshake to be incomplete.
D. The decryption policy rule for Branch Office A is missing the 'ssl-decrypt' action.
Answer: C

Asymmetric routing can cause the firewall to see only one side of the TCP handshake, leading to SSL handshake failures.

Why this answer

C is correct because asymmetric routing causes the firewall to see only one side of the TCP handshake, preventing it from completing the TLS handshake. When traffic from Branch Office A takes a different return path (e.g., via another MPLS link or direct internet breakout), the firewall cannot associate the server's SYN-ACK with the original client SYN, leading to SSL handshake failures and 'peer certificate chain validation failure' errors in the logs. The decryption policy and certificates are identical across branches, so the issue is specific to the network path.

Exam trap

The trap here is that candidates often blame certificate trust or decryption profile misconfigurations first, overlooking that asymmetric routing is a common network-layer cause of SSL decryption failures even when all security policies and certificates are correctly configured.

How to eliminate wrong answers

Option A is wrong because the forward trust certificate is issued by an internal CA that is installed on all clients, and the decryption policy is identical across branches; if the certificate were expired or untrusted, all branches would be affected, not just Branch Office A. Option B is wrong because the decryption profile's cipher suite configuration is identical across branches, and cipher mismatch would typically cause 'no shared cipher' errors, not 'peer certificate chain validation failure' or high SSL handshake failures. Option D is wrong because if the decryption policy rule were missing the 'ssl-decrypt' action, the firewall would not attempt decryption at all, and the decryption statistics would show no decrypted sessions or SSL handshake failures for that branch.

416
MCQ, hard

A firewall is deployed in an Active/Passive HA pair. The administrator notices that the passive firewall is not synchronizing configuration changes. The 'show high-availability state' command shows the passive firewall in a 'non-functional' state. What is the most likely cause?

A. The HA2 link is down but HA1 is up
B. The session sync is disabled
C. The passive firewall has link monitoring enabled
D. The passive firewall is running a different PAN-OS version
Answer: D

Version mismatch causes non-functional state.

Why this answer

The passive firewall showing a 'non-functional' state in an Active/Passive HA pair most likely indicates a version mismatch. PAN-OS requires both firewalls in an HA pair to run the exact same software version for configuration synchronization to work. If the passive firewall is running a different PAN-OS version, it cannot properly interpret or apply the configuration from the active firewall, causing it to enter a non-functional state.

Exam trap

The trap here is that candidates often confuse 'non-functional' with connectivity issues (like a down HA link) or session sync settings, but the key is that configuration sync requires identical PAN-OS versions, and a mismatch manifests as a 'non-functional' state on the passive firewall.

How to eliminate wrong answers

Option A is wrong because if the HA2 link (used for session and configuration synchronization) is down but HA1 (heartbeat link) is up, the passive firewall would typically show a 'suspended' or 'passive' state, not 'non-functional', as HA1 can still detect the peer. Option B is wrong because disabling session sync only affects the synchronization of session tables, not configuration changes; configuration sync is controlled separately and would not cause a 'non-functional' state. Option C is wrong because link monitoring on the passive firewall affects failover decisions (e.g., causing a passive-to-active transition if monitored links fail), but it does not prevent configuration synchronization or cause a 'non-functional' state.

417
MCQ, medium

A firewall has two virtual routers: VR1 (for internal networks) and VR2 (for DMZ). An internal server in VR1 needs to reach a DMZ server in VR2. Both virtual routers have routes to each other's subnets via a shared inter-connect. The firewall is receiving traffic but is dropping packets between the virtual routers. What configuration is missing?

A. Redistribution of routes between the virtual routers
B. Enabling packet forwarding on the virtual router interfaces
C. A security policy allowing traffic between the zones associated with the virtual routers
D. A static route on both virtual routers pointing to each other's subnets
Answer: C

Traffic between VRs may involve different zones; without an allow policy, packets are dropped.

Why this answer

In Palo Alto Networks firewalls, virtual routers handle routing decisions independently, but traffic between zones (e.g., internal and DMZ) must be explicitly allowed by a security policy. Even if routes exist between VR1 and VR2, the firewall will drop inter-zone traffic without a policy that permits the session. This is a fundamental security enforcement mechanism that separates routing from access control.

Exam trap

The trap here is that candidates confuse routing (Layer 3) with security policy (Layer 4-7), assuming that if routes exist, traffic will flow, but Palo Alto firewalls enforce zone-based policies independently of routing.

How to eliminate wrong answers

Option A is wrong because route redistribution is not required when static or direct routes already exist between the virtual routers; redistribution is used to share routes dynamically between routing protocols, not to enable packet forwarding. Option B is wrong because packet forwarding is enabled by default on virtual router interfaces in Palo Alto firewalls; there is no separate 'enable forwarding' toggle. Option D is wrong because the question states both virtual routers already have routes to each other's subnets via a shared inter-connect, so adding more static routes would be redundant and not address the packet drop.

418
Multi-Select, medium

An engineer is configuring App-ID for a network that uses both standard and custom applications. Which of the following are best practices for using App-ID effectively? (Choose three.)

Select 3 answers
A. Rely solely on default application signatures for all traffic identification.
B. Use application filters to create dynamic application groups based on characteristics.
C. Use application groups to simplify policy management for related applications.
D. Disable App-ID for traffic on well-known ports to reduce processing overhead.
E. Regularly update Application and Threats content to keep signatures current.
Answers: B, C, E

Correct: Filters allow grouping by attributes without manual updates.

Why this answer

Using application groups simplifies policy management. Regular updates ensure accurate identification. Application filters allow dynamic grouping based on characteristics.

Relying solely on default signatures may miss custom apps, and disabling App-ID on well-known ports reduces visibility.

419
MCQ, easy

A company has deployed two PA-3220 firewalls in an active/passive high availability configuration. During normal operation, the active firewall (FW-A) handles all traffic. The network team notices that after a brief power outage, both firewalls report as active in the HA pair, causing network instability. The administrator needs to resolve this issue and prevent it from recurring. Which course of action should the administrator take?

A. Reboot both firewalls simultaneously to reset the HA state.
B. Disable link speed and duplex settings on the HA interfaces to force a failover.
C. Configure the HA mode with the 'preemptive' option and set the device priority higher on the intended active firewall.
D. Set the HA mode to 'active/active' to allow both firewalls to process traffic.
Answer: C

Preemptive ensures the higher-priority device becomes active after recovery, preventing both firewalls from staying active.

Why this answer

The issue is most likely caused by both firewalls becoming active after the power outage because preemption is not configured. Enabling the 'preemptive' option and giving FW-A the higher device priority ensures it reclaims the active role once both firewalls are healthy, preventing a dual-active (split-brain) state.

420
MCQ, medium

A user reports that they cannot access a specific website. Traffic matches a security policy rule that allows the application 'web-browsing' but the session is being dropped. Which of the following is the most likely cause?

A. The security policy rule does not have logging enabled at session end.
B. SSL decryption is enabled but the website certificate is untrusted.
C. A DoS protection profile is configured on the zone and is rate-limiting the user's IP.
D. A URL Filtering profile is applied to the rule and is blocking the website's URL category.
Answer: D

URL Filtering profiles can override application-level allowances by blocking specific URL categories, causing the session to be dropped.

Why this answer

Option D is correct because if the URL Filtering profile is set to block the requested URL category, the session will be dropped even if the application is allowed. Option B is wrong because SSL decryption would not cause a drop for web-browsing unless the certificate is untrusted. Option A is wrong because a lack of logging does not affect session forwarding.

Option C is wrong because a DoS protection profile typically drops excessive sessions, not individual user access.

421
MCQ (medium)

A financial trading firm has a low-latency network. The firewall administrator notices that some trading application traffic is being dropped sporadically. The security policy allows the application 'trading-app' over default port 5000. The logs show the application is identified correctly as 'trading-app', but the action is deny. The administrator checks the security policy and finds that there is a prior rule that denies all traffic with application 'unknown-tcp'. What could be causing the trading application traffic to match the deny rule?

A. The application 'trading-app' is not fully recognized for some sessions, causing fallback to 'unknown-tcp'.
B. The application is identified as both 'trading-app' and 'unknown-tcp' due to a software bug.
C. The traffic is using a non-standard port, so the standard rule does not match.
D. There is a decryption policy causing the application to be misidentified.
Answer: A

Inconsistent identification can occur if the application signature does not match all variations of the traffic.

Why this answer

Option C is correct: App-ID may correctly identify most sessions as 'trading-app', but if some sessions have slightly different characteristics (e.g., variations in the protocol), the firewall may fail to identify them and fall back to 'unknown-tcp'. The prior deny rule then blocks those sessions. Option A is wrong because App-ID does not assign multiple identities to the same session.

Option B is wrong because the traffic uses the default port. Option D is wrong because no decryption policy is mentioned.

422
MCQ (hard)

A security administrator notices that users are able to bypass authentication by accessing resources using IP addresses instead of FQDNs, even though authentication policies are configured. How can this be prevented?

A. Create a decryption policy to decrypt all traffic.
B. Use identity-based routing to enforce authentication.
C. Enable User-ID on the ingress interface and configure authentication policy for IP addresses.
D. Configure an authentication policy with source user 'unknown' to enforce authentication for all unmapped IP addresses.
Answer: D

By default, authentication policies match on source user 'any', so if a user mapping exists, the policy applies. Setting source user to 'unknown' ensures that traffic from IPs without a user mapping triggers authentication.

Why this answer

Authentication policies match based on source zone, destination zone, and application. Using IP addresses does not bypass authentication if the application is correctly identified. However, if the destination IP is not covered by the authentication policy, users may slip through.

Option D is correct: create a rule to enforce authentication for unmapped users.

423
Multi-Select (hard)

Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?

Select 3 answers
A. SSL Forward Proxy decryption can only be applied to traffic destined for TCP port 443.
B. Decryption policy rules can match on source zone, source user, destination IP, URL category, and service.
C. The firewall must generate a certificate on-the-fly signed by a trusted CA for each decrypted session.
D. An 'ssl-decrypt' action in a decryption rule requires that the associated decryption profile includes a certificate for the firewall to use.
E. The firewall can inspect the Server Name Indication (SNI) field in the ClientHello to determine the destination hostname.
Answers: B, C, E

These are common match criteria for decryption policy rules.

Why this answer

Option B is correct because Palo Alto Networks decryption policy rules can match on a wide range of criteria including source zone, source user, destination IP, URL category, and service. This granularity allows administrators to selectively decrypt traffic based on business needs and security policies, not just basic IP/port matching.

Exam trap

The trap here is that candidates assume SSL Forward Proxy decryption is limited to port 443, but Palo Alto firewalls can decrypt SSL/TLS on any TCP port by inspecting the handshake, and they also mistakenly think the decryption profile must contain a certificate for the firewall, when in fact the CA certificate is configured separately and the firewall generates session-specific certificates automatically.

424
MCQ (medium)

A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?

A. The custom App-ID must be added to a security profile group.
B. The custom App-ID needs a vulnerability profile to be activated.
C. The security policy rule uses the destination port instead of App-ID.
D. An application override rule must be configured to associate the custom App-ID with the traffic.
Answer: D

Application override is necessary to bypass signature-based identification and assign the custom App-ID.

Why this answer

Option D is correct because when a custom App-ID is created for a proprietary protocol, the firewall cannot automatically identify the application by inspecting the traffic. An application override rule is required to explicitly map the traffic (based on IP, port, or other criteria) to the custom App-ID, bypassing the firewall's default App-ID identification process. Without this override, the firewall continues to apply its default classification, which may block the traffic if it doesn't match any known application.

Exam trap

The trap here is that candidates assume creating a custom App-ID is sufficient for the firewall to automatically identify the traffic, but they overlook the mandatory step of configuring an application override rule to bind the custom App-ID to the specific traffic flows.

How to eliminate wrong answers

Option A is wrong because a security profile group (which includes vulnerability, anti-virus, and other profiles) is not required for App-ID to function; it is an optional grouping for policy enforcement. Option B is wrong because a vulnerability profile is unrelated to App-ID identification; it is used for threat prevention after traffic is allowed. Option C is wrong because the security policy rule can use App-ID as a match criterion regardless of the destination port; the issue is that the custom App-ID is not being applied to the traffic, not that the rule is misconfigured to use port instead.

425
MCQ (hard)

Two firewalls in an active/passive HA pair are not synchronizing. The administrator checks 'show high-availability state' and sees 'active' on both firewalls. What is the most likely cause?

A. The HA3 control link is misconfigured or down.
B. Session owner is set to 'primary' on both firewalls.
C. Preemptive mode is enabled on both firewalls.
D. Both firewalls have different PAN-OS versions.
Answer: A

Without heartbeat, each firewall assumes the other is down and becomes active.

Why this answer

When both firewalls show 'active' in the HA state, it indicates a split-brain scenario where each firewall believes it is the active unit. The HA3 control link is responsible for heartbeat and state synchronization; if it is misconfigured or down, the firewalls cannot detect each other's presence, causing both to assume active status. This is the most common cause of dual-active HA failures.

Exam trap

The trap here is that candidates often assume both firewalls showing 'active' is caused by a configuration mismatch like PAN-OS versions or preemptive settings, but the core issue is the loss of the HA3 control link, which prevents heartbeat detection and triggers a split-brain condition.

How to eliminate wrong answers

Option B is wrong because 'session owner' is a session distribution setting for active/active HA, not active/passive, and setting it to 'primary' on both does not cause both to show active; it affects session ownership, not HA state. Option C is wrong because preemptive mode controls whether a previously active firewall reclaims active status after a failure recovery; it does not cause both to become active simultaneously. Option D is wrong because different PAN-OS versions prevent HA formation entirely (the pair will not synchronize or form a HA group), but the state would show 'non-functional' or 'not synchronized', not 'active' on both.

426
MCQ (hard)

A company has a Palo Alto Networks firewall in a high-availability active/passive setup. After a failover event, the new active firewall is not correctly identifying some custom applications. The custom application objects and signatures are synchronized via Panorama. What is the most likely cause?

A. The application override rules are not synchronized.
B. The security policy rules referencing the custom applications are not present.
C. The custom application objects were created locally on the previous active firewall and not pushed from Panorama.
D. The custom application signatures are not committed on the new active firewall.
Answer: C

Correct: Local objects are not shared via Panorama, so they would be missing on the new active firewall.

Why this answer

If custom applications were created locally on the previous active firewall, they would not be present on the new active. Panorama push should include them, but if they were local, they would be missing.

427
MCQ (hard)

A large organization has a PA-5250 firewall pair in active/passive HA mode. The firewalls are managed by Panorama. The security team recently created a new security policy rule to block a specific application (app-block-rule) and pushed the configuration from Panorama. After the push, the active firewall shows the new rule in the security policy list, but traffic matching the rule is not being blocked. The administrator checks the traffic logs and sees that the traffic is being allowed by a different rule with a higher priority. The administrator also notices that the 'app-block-rule' has an 'any' source and destination zone, but the allowed rule has specific zones. The administrator runs 'show session info' and sees that the sessions are being created before the policy push. The administrator wants to ensure that existing sessions are subject to the new policy. Which action should the administrator take?

A. Disable session re-aging on the firewall
B. Commit the configuration on the active firewall
C. Move the new rule to the top of the security policy
D. Enable session re-aging and set a short timeout for the application
Answer: D

Session re-aging forces new policy check on existing sessions.

Why this answer

Option D is correct because session re-aging forces the firewall to re-evaluate existing sessions against the current security policy. When a new policy is pushed, sessions established before the push continue to match the old policy until they expire. By enabling session re-aging and setting a short timeout, the firewall will age out those sessions sooner, causing them to be re-matched against the new 'app-block-rule' and thus be blocked.

Exam trap

The trap here is that candidates think moving the rule to the top of the policy (Option C) will fix the issue, but they overlook that existing sessions are not re-evaluated after a policy change unless session re-aging is enabled.

How to eliminate wrong answers

Option A is wrong because disabling session re-aging would prevent existing sessions from being re-evaluated, making the problem worse. Option B is wrong because the configuration was already pushed from Panorama and committed; the active firewall shows the rule, so a local commit is unnecessary and does not affect existing sessions. Option C is wrong because moving the rule to the top of the policy does not impact sessions that were created before the push; those sessions continue to use the old policy match until they expire or are aged out.

428
Drag & Drop (medium)

Order the steps to configure a static route on a Palo Alto Networks firewall.


Why this order

Static routes are defined per virtual router with destination and next-hop.

429
MCQ (hard)

A managed security service provider (MSSP) manages firewalls for multiple customers. One customer reports that their ERP application traffic is being dropped intermittently. The firewall logs show that the traffic is sometimes identified as 'erp-app' and allowed, and other times identified as 'unknown-tcp' and denied. The ERP application uses a proprietary protocol over TCP port 5555. The firewall has a custom application definition for 'erp-app' that uses a data pattern. The administrator verifies that the data pattern is correct. What should the administrator do to ensure consistent identification?

A. Increase the session timeout for the application.
B. Create a vulnerability protection profile to inspect the traffic.
C. Enable SSL decryption on the firewall.
D. Modify the custom application to include a port condition (default port 5555).
Answer: D

This provides a reliable port-based fallback when the data pattern is not seen.

Why this answer

Option D is correct: Adding a port condition to the custom application definition (e.g., setting the default port to 5555) provides a fallback identification mechanism when the data pattern is not detected in a session. This ensures that traffic on port 5555 is consistently identified as 'erp-app'. Option A is wrong because increasing session timeout does not affect identification.

Option B is wrong because the protocol is proprietary, not SSL. Option C is wrong because vulnerability protection is for threat prevention, not identification.

430
MCQ (hard)

An organization has a firewall in HA active-passive mode. After a failover, the new active firewall does not have the latest session table. What should be configured to ensure session synchronization?

A. Packet capture on active
B. Session setup on both peers
C. HA session sync
D. Commit force sync
Answer: C

This feature synchronizes active sessions to the passive firewall.

Why this answer

Option C is correct because HA session synchronization (session sync) is the feature that replicates active session state from the active firewall to the passive firewall in an active-passive HA pair. Without this configuration, after a failover the new active firewall has no knowledge of existing sessions, causing all active connections to be dropped and requiring clients to re-establish them. Enabling session sync ensures the passive firewall maintains a synchronized session table, allowing seamless traffic continuation after failover.

Exam trap

The trap here is that candidates often confuse configuration synchronization (commit force sync) with runtime state synchronization (session sync), leading them to select Option D, but commit force sync only pushes configuration changes, not dynamic session data.

How to eliminate wrong answers

Option A is wrong because packet capture is a troubleshooting tool used to inspect traffic, not a mechanism to replicate session state between HA peers. Option B is wrong because session setup on both peers is not a configurable feature; session creation occurs naturally on the active firewall, and without session sync the passive peer does not receive those sessions. Option D is wrong because commit force sync is used to force a configuration synchronization from the active to the passive firewall, but it does not synchronize dynamic runtime data like session tables.

431
MCQ (medium)

After upgrading a PA-5250, the firewall is not passing traffic. The administrator checks the dataplane CPU utilization and sees it is at 100%. Which command should be run to identify the cause?

A. show session all
B. show system resources dataplane
C. show counter global
D. show running resource-monitor
Answer: B

This command displays dataplane CPU and memory, helping identify the bottleneck.

Why this answer

The correct answer is B because 'show system resources dataplane' provides detailed dataplane CPU and memory usage.

432
MCQ (easy)

A company has a firewall with multiple virtual routers. They need to ensure that traffic from a specific subnet (10.1.1.0/24) can reach the internet but not other internal subnets. What is the best way to achieve this?

A. Use NAT policies
B. Configure static routes in the virtual router
C. Implement security policies with source zone and destination zone
D. Configure path monitoring
Answer: C

Security policies allow or deny traffic based on zones. By placing the subnet in a separate zone and creating policies, you can control access.

Why this answer

Option C is correct because security policies in Palo Alto Networks firewalls control traffic based on source and destination zones, enabling you to restrict traffic from the 10.1.1.0/24 subnet (assigned to a specific zone) to only the internet zone while blocking access to other internal subnets. This is achieved by creating a security policy that allows traffic from the source zone (e.g., 'Internal') to the destination zone (e.g., 'Internet') and explicitly denying traffic to other internal zones, without relying on routing or NAT.

Exam trap

The trap here is that candidates often confuse routing (static routes) with security policies, assuming that controlling the path via routes can restrict access, but in Palo Alto firewalls, access control is enforced by security policies, not routing tables.

How to eliminate wrong answers

Option A is wrong because NAT policies only translate IP addresses and do not control access between subnets; they cannot prevent traffic from reaching internal subnets. Option B is wrong because static routes determine the path for traffic but do not enforce access control; they would allow traffic to any reachable destination, including internal subnets. Option D is wrong because path monitoring is used for link failure detection and failover, not for restricting traffic between subnets.

433
MCQ (hard)

Refer to the exhibit. A user at IP 10.10.1.11 is unable to access internal resources that require authentication. The firewall logs show 'no user mapping' for traffic from this IP. Which step should the administrator take first?

A. Configure an authentication policy to trigger captive portal for that IP.
B. Verify that the User-ID agent has network access to the client at 10.10.1.11.
C. Check the Kerberos keytab file.
D. Manually create a static mapping for IP 10.10.1.11.
Answer: B

If the User-ID agent cannot communicate with the client or domain controller, no mapping is created.

Why this answer

The source is unknown, indicating no user mapping for that IP. The first step is to verify that the User-ID agent can reach the client to map the user. Option A is correct.

434
MCQ (hard)

A company has a PA-3260 firewall configured with multiple virtual routers for segmentation. A new subnet 192.168.30.0/24 is added behind a layer3 interface that is part of virtual router 'VR-A'. The administrator adds a static route on the firewall to reach the subnet via next-hop 10.0.0.1. However, hosts in another virtual router 'VR-B' cannot reach the new subnet. The route is present in VR-A's routing table. What should the administrator do to resolve the issue?

A. Create a security policy rule allowing the traffic between the zones.
B. Add a static route in VR-B pointing to the new subnet with next-hop as the interface IP of VR-A's interface.
C. Configure route redistribution between VR-A and VR-B using a routing protocol.
D. Place all interfaces in the same virtual router.
Answer: B

This gives VR-B the necessary routing information to reach the subnet via VR-A.

Why this answer

Virtual routers in Palo Alto Networks firewalls are isolated routing tables. A route in VR-A is not visible to VR-B unless explicitly shared. Adding a static route in VR-B with the next-hop pointing to the interface IP of VR-A's interface (the gateway between the two virtual routers) allows VR-B to forward traffic for 192.168.30.0/24 to VR-A, which then routes it to the correct subnet.

This is the standard method for inter-virtual-router routing without dynamic redistribution.

Exam trap

The trap here is that candidates often assume security policies are the only barrier between virtual routers, forgetting that virtual routers are isolated routing domains and a route must exist in the source virtual router's table before any policy can be applied.

How to eliminate wrong answers

Option A is wrong because security policy rules control traffic flow between zones but do not affect routing; without a route in VR-B, traffic will be dropped by the firewall's routing lookup before any security policy is evaluated. Option C is wrong because route redistribution requires a routing protocol (e.g., OSPF, BGP) to be configured on both virtual routers, which is unnecessary overhead when a simple static route achieves the same result without protocol convergence delays. Option D is wrong because placing all interfaces in the same virtual router defeats the purpose of segmentation and would merge the routing tables, potentially causing routing conflicts and breaking the isolation that virtual routers provide.

435
MCQ (easy)

A small business uses a single PA-220 firewall with PAN-OS 10.2. The administrator notices that the firewall is no longer receiving automatic threat updates. The License page shows the Threat Prevention license is active with 200 days remaining. The administrator can manually download updates from the Palo Alto Networks update server. What is the most likely cause?

A. The firewall is behind a proxy that blocks the update service.
B. The update schedule is disabled.
C. The firewall's system clock is incorrect.
D. The DNS settings are misconfigured.
Answer: B

If the schedule is disabled, automatic updates will not occur, but manual downloads are still possible.

Why this answer

The most likely cause is that the update schedule is disabled. Even though the Threat Prevention license is active and manual downloads work, the firewall will not automatically check for or download updates if the scheduled update feature is turned off. In PAN-OS 10.2, the administrator must configure a recurring schedule under Device > Dynamic Updates for automatic updates to occur; otherwise, only manual downloads are possible.

Exam trap

The trap here is that candidates assume a valid license guarantees automatic updates, overlooking that the update schedule is a separate configuration setting that must be explicitly enabled.

How to eliminate wrong answers

Option A is wrong because if a proxy were blocking the update service, manual downloads would also fail, as they use the same outbound HTTPS connection to the Palo Alto Networks update server. Option C is wrong because an incorrect system clock would cause SSL certificate validation failures and prevent both automatic and manual updates, but the administrator can manually download updates successfully. Option D is wrong because misconfigured DNS would prevent resolution of the update server's FQDN, breaking both automatic and manual updates, yet manual downloads work.

436
MCQ (hard)

An organization is deploying a pair of PA-5250 firewalls in active/passive high availability. The network team notices that the passive firewall is not receiving synchronization updates. Both devices have the same software version and licenses. The HA1 control link is connected and shows 'up' in 'show high-availability state'. What is the most likely reason for the synchronization failure?

A. The HA2 link is not configured or is down.
B. The HA1 link is using a crossover cable instead of a straight-through cable.
C. The link speeds on the active and passive firewalls do not match.
D. The passive firewall is not in a 'passive' state.
Answer: A

Session synchronization requires HA2 link to be configured and operational.

Why this answer

The HA2 link is used for session synchronization in active/passive HA configurations. Even if the HA1 control link is up and passing heartbeats, without a functioning HA2 link, the passive firewall will not receive session state updates. The 'show high-availability state' command only confirms HA1 status, not HA2.

Exam trap

The trap here is that candidates assume a working HA1 control link implies full HA functionality, but the HA2 link is a separate requirement for session synchronization in active/passive mode.

How to eliminate wrong answers

Option B is wrong because the HA1 link uses a crossover cable for direct connections between firewalls (no switch), and a straight-through cable would be incorrect; this would cause the link to fail, but the question states the HA1 link is 'up'. Option C is wrong because mismatched link speeds on HA interfaces can cause errors or flapping, but the HA1 link is already up, and speed mismatch does not prevent synchronization specifically—it would affect the link state. Option D is wrong because if the passive firewall were not in a 'passive' state, the HA pair would not form, and the active firewall would not attempt to send synchronization updates; the question implies the pair is formed since HA1 is up.

437
MCQ (hard)

A network engineer is troubleshooting an authentication issue where users in a specific group are not being prompted for credentials, even though the authentication policy matches their traffic. The firewall logs show that the traffic is allowed by the security policy. What is the most likely cause?

A. The users are in a group that is excluded from authentication in the authentication profile.
B. The captive portal is not enabled on the interface.
C. The User-ID agent is not configured to include that group.
D. The authentication policy is placed after the security rule that allows the traffic.
Answer: D

If the security rule allowing the traffic is evaluated before the authentication rule, the traffic is allowed without authentication.

Why this answer

Authentication policies are evaluated before security rules. If the authentication policy is placed after the security rule that allows the traffic, the authentication rule is never reached. Option B is correct.

438
Multi-Select (medium)

Which TWO statements correctly describe the role of the data plane in PAN-OS architecture?

Select 2 answers
A. It performs content inspection.
B. It runs routing protocols like OSPF.
C. It handles all packet forwarding and security processing.
D. It stores log files.
E. It manages the web interface and CLI.
Answers: A, C

Content inspection (e.g., threat prevention) is performed by the data plane.

Why this answer

Option A is correct because the data plane performs content inspection, including threat prevention, URL filtering, and application identification, using the single-pass software architecture to scan traffic in real time. This is a core function of the data plane, separate from the control and management planes.

Exam trap

The trap here is confusing the data plane with the control plane or management plane, as candidates often assume that routing protocols or logging are part of packet forwarding, when in PAN-OS they are strictly separated.

439
MCQ (easy)

A company uses Policy-Based Forwarding (PBF) to route specific traffic from internal users to a partner network through an MPLS connection. The PBF rule is configured to match source addresses 10.1.1.0/24 and forward to a next-hop of 10.2.1.1. The administrator verifies that the MPLS router is reachable from the firewall. Traffic from the 10.1.1.0/24 network does not go through the MPLS link; instead, it takes the default route out the internet connection. Logs show that the traffic hits the PBF rule. What is the most likely issue?

A. The PBF rule is missing the egress interface configuration; it only specifies the next-hop IP.
B. The PBF rule's source zone is misconfigured.
C. The firewall's routing table does not have a route to the partner network via the MPLS router.
D. The PBF rule does not include a security policy to allow the traffic.
Answer: A

PBF requires both the next-hop and the egress interface; if only the next-hop IP is set, the firewall may not know which interface to use and falls back to the routing table.

Why this answer

Option A is correct because a PBF rule in PAN-OS requires both a next-hop IP and an egress interface to be explicitly configured. Without the egress interface, the firewall cannot determine which physical or logical interface to use for forwarding the matched traffic, so it falls back to the default route. Even though the traffic hits the PBF rule, the missing interface configuration prevents the policy-based forwarding from taking effect.

Exam trap

The trap here is that candidates assume specifying only the next-hop IP is sufficient for PBF, similar to a static route, but PAN-OS requires both the next-hop and the egress interface for policy-based forwarding to function correctly.

How to eliminate wrong answers

Option B is wrong because the logs confirm that the traffic hits the PBF rule, which means the source zone matching is already working correctly; a misconfigured source zone would prevent the rule from being matched at all. Option C is wrong because PBF overrides the routing table for matched traffic; the firewall does not need a separate route to the partner network via the MPLS router—the PBF rule itself provides the forwarding decision. Option D is wrong because security policies are evaluated after PBF; if the traffic hits the PBF rule, it has already passed the security policy check, so a missing security policy would block the traffic entirely, not cause it to take the default route.

440
MCQ (medium)

An organization wants to map user identity from Active Directory for traffic coming from internal LAN users without installing any agent on domain controllers. Which User-ID mapping method should be used?

A. Active Directory polling
B. XML API
C. Terminal Services Agent
D. Captive Portal
Answer: A

Active Directory polling retrieves user-IP mappings from domain controller logs.

Why this answer

Active Directory polling is the correct method because it allows the Palo Alto Networks firewall to retrieve user-to-IP mappings directly from Active Directory domain controllers using LDAP queries, without requiring any agent installation. This method polls the security event logs on domain controllers to map authenticated users to their IP addresses, making it ideal for environments where agentless user identification is desired for internal LAN traffic.

Exam trap

The trap here is that candidates often confuse Terminal Services Agent with a general agentless solution, but it is actually a specialized agent for multi-user environments, not a method for mapping standard LAN users without installing software.

How to eliminate wrong answers

Option B (XML API) is wrong because the XML API is used for programmatic configuration and data retrieval from the firewall, not for real-time user mapping from Active Directory. Option C (Terminal Services Agent) is wrong because it is specifically designed to map users in Terminal Services or Citrix environments where multiple users share a single IP address, not for general LAN user mapping without an agent. Option D (Captive Portal) is wrong because it requires end-user interaction via a web browser to authenticate, which is not suitable for transparently mapping existing Active Directory users without installing an agent.

441
MCQ (easy)

An administrator needs to verify the health of HA links. Which CLI command displays the current status of HA1, HA2, and HA3 links?

A. show session info
B. show running np-ips
C. show device-info
D. show high-availability state
Answer: D

Displays HA status including link states.

Why this answer

Option D is correct because 'show high-availability state' reports the local device's HA status, including the state of the HA1, HA2 and (where configured) HA3 links; 'show high-availability all' adds the peer's view of the same information. Option A is wrong because 'show session info' reports session table statistics and settings. Option B is wrong because 'show running np-ips' is not an HA command and says nothing about HA links. Option C is wrong because 'show device-info' does not display HA link status.

442
Multi-Selecthard

Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?

Select 3 answers
A.Policy-based VPN using a tunnel monitor
B.GlobalProtect Gateway configuration
C.Route-based VPN using a virtual router and static route
D.SSL VPN using GlobalProtect portal
E.Tunnel interface with IPSec tunnel configuration
AnswersA, C, E

PAN-OS site-to-site VPNs are route-based: a tunnel interface bound to an IPSec tunnel, with a route in the virtual router steering traffic into it.

Why this answer

Option A is accepted by the key, but read it carefully: PAN-OS does not build policy-based (crypto-map style) VPNs. When the remote peer is policy-based, the firewall matches the peer's traffic selectors with Proxy IDs configured on the IPSec tunnel. Tunnel monitoring is an optional health check that sends probes to an address across the tunnel and, when they fail, can wait for recovery or fail over to another path, which is why it is a recognised part of a site-to-site design. Options C and E describe the two halves of the native route-based design: a tunnel interface bound to an IPSec tunnel (which in turn references an IKE gateway), and a virtual router with a static route (or a dynamic routing protocol) that sends the interesting traffic into that tunnel interface.

Exam trap

The trap here is that candidates confuse remote access VPN methods (GlobalProtect Gateway and Portal) with site-to-site VPN methods, leading them to select options B or D, which are exclusively for client-to-site connectivity.

443
MCQmedium

An administrator reviews a traffic log entry: 'Source: 10.0.0.10, Destination: 8.8.8.8, Application: web-browsing, Action: allow, Bytes Sent: 500, Bytes Received: 1200'. What does this log entry indicate about the traffic?

A.The traffic was blocked by a security policy.
B.The traffic was only one-way; only received bytes were logged.
C.The traffic was allowed and identified as web-browsing.
D.The application was incorrectly identified.
AnswerC

The log confirms both the action and the application.

Why this answer

The log entry shows 'Action: allow', which explicitly indicates the firewall permitted the traffic. The 'Application: web-browsing' field shows that App-ID identified the session as HTTP from its payload, not from the port (TLS traffic that is not decrypted is identified as 'ssl', not 'web-browsing'). The presence of both 'Bytes Sent' and 'Bytes Received' with non-zero values confirms bidirectional communication, so the traffic was allowed and properly classified.

Exam trap

The trap here is that candidates may assume traffic to 8.8.8.8 is always DNS and thus think the application was misidentified, but the log explicitly shows 'web-browsing', the App-ID for HTTP (a DNS session would be logged as 'dns'), and the 'allow' action confirms the firewall permitted it.

How to eliminate wrong answers

Option A is wrong because the 'Action: allow' field directly contradicts blocking; a blocked session would show 'Action: deny', 'drop' or one of the reset actions. Option B is wrong because both 'Bytes Sent: 500' and 'Bytes Received: 1200' are non-zero, proving bidirectional traffic, not one-way. Option D is wrong because 'web-browsing' is the standard App-ID for HTTP and nothing in the entry suggests misidentification; App-ID classifies from the payload regardless of port, and a host that answers DNS can just as well serve HTTP, so the destination address does not change what the firewall saw.

444
Multi-Selectmedium

Which TWO factors can cause traffic to be classified as 'incomplete' by App-ID? (Choose two.)

Select 2 answers
A.SSL decryption is not enabled for the session.
B.The firewall CPU is too slow to process packets.
C.The content-ID engine has not been licensed.
D.Asymmetric routing where the firewall sees only one direction of traffic.
E.A deny rule that blocks the traffic.
AnswersA, D

'incomplete' means the firewall never saw a completed TCP handshake followed by application data.

Why this answer

Options A and D are the key's answers. Option D is the clear-cut cause: with asymmetric routing the firewall sees the client's SYN but not the server's SYN-ACK (or sees only the return direction), so from its point of view the handshake never completes and the session is logged as 'incomplete'. Option A needs a caveat that matters in practice: a TLS session whose handshake completes but is not decrypted is logged as 'ssl', not 'incomplete'; 'incomplete' strictly means the three-way handshake did not complete or no data followed it, and the absence of decryption only hides the application inside the TLS stream. The other App-ID placeholders worth knowing are 'insufficient-data' (handshake and some data seen, but not enough to match a signature) and 'not-applicable' (traffic dropped by policy before any application could be identified).

Option B is wrong because slow packet processing causes drops and latency, not an 'incomplete' verdict. Option C is wrong because App-ID does not depend on a Content-ID (Threat Prevention) license; licensing affects content inspection, not session classification. Option E is wrong because traffic denied by a security rule before the handshake completes is logged as 'not-applicable' rather than 'incomplete'.
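The two log readings above (question 443's allowed, bidirectional web-browsing session and question 444's 'incomplete' verdict) come down to three fields: the action, the App-ID result and the byte counters in each direction. The Python below is an added example, not part of the question bank: it parses entries written in the same 'Field: value' form the questions use (a constructed, simplified rendering; real PAN-OS exports are CSV with many more columns) and applies the verdicts discussed here. The verdict names are this example's own.

```python
"""Triage PAN-OS-style traffic log entries from action, App-ID result and byte counts.

Added example, not from the question bank. Entries are parsed from the
'Field: value, Field: value' rendering used in the questions; that is a
constructed simplification of the real CSV export.
"""
from typing import Dict, List, Tuple

# Constructed sample entries; the first is the one quoted in question 443.
SAMPLE_LOG = """\
Source: 10.0.0.10, Destination: 8.8.8.8, Application: web-browsing, Action: allow, Bytes Sent: 500, Bytes Received: 1200
Source: 10.0.0.11, Destination: 203.0.113.5, Application: incomplete, Action: allow, Bytes Sent: 60, Bytes Received: 0
Source: 10.0.0.12, Destination: 203.0.113.9, Application: ssl, Action: allow, Bytes Sent: 2400, Bytes Received: 9800
Source: 10.0.0.13, Destination: 198.51.100.7, Application: not-applicable, Action: deny, Bytes Sent: 60, Bytes Received: 0
Source: 10.0.0.14, Destination: 198.51.100.8, Application: incomplete, Action: allow, Bytes Sent: 180, Bytes Received: 120
"""

# Policy actions that mean the firewall refused the session.
BLOCKING_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def parse_entry(line: str) -> Dict[str, str]:
    """Split 'Field: value, Field: value' into a dict keyed by field name."""
    fields: Dict[str, str] = {}
    for part in line.split(","):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(entry: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) using the same reasoning a human applies to the row."""
    action = entry["Action"].lower()
    app = entry["Application"].lower()
    sent = int(entry["Bytes Sent"])
    received = int(entry["Bytes Received"])

    if action in BLOCKING_ACTIONS:
        return "blocked", f"policy action '{action}' (App-ID result: {app})"
    if app == "incomplete":
        if received == 0:
            # SYN went out, nothing came back through this firewall.
            return ("incomplete-no-reply",
                    "no SYN-ACK seen: server down, filtered upstream, or asymmetric return path")
        return "incomplete-no-data", "handshake completed but no application data followed"
    if app == "insufficient-data":
        return "insufficient-data", "handshake and some data seen, not enough to match a signature"
    if app == "ssl":
        return "allowed-undecrypted", "TLS identified from its handshake; decrypt to see the inner app"
    if received == 0:
        return "allowed-one-way", f"{app} allowed, {sent} B sent but nothing received"
    return "allowed-bidirectional", f"{app} allowed, {sent} B sent / {received} B received"


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Triage every non-empty line of a log excerpt."""
    return [triage(parse_entry(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:22} {reason}")
```

The ordering of the checks is the point: the action is read first, because an App-ID value on a denied session says nothing about what the server would have done, and 'incomplete' is split by the received-byte counter, since zero bytes back is the signature of the asymmetric-routing case in question 444 while a completed handshake with no data is a different problem (usually the client or server, not the path).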

445
Multi-Selecteasy

Which TWO are valid methods to troubleshoot a firewall not passing traffic? (Choose two.)

Select 2 answers
A.Reboot the firewall
B.Change the interface IP address
C.Verify the security policy order
D.Check the session table for the traffic
E.Update the threat prevention signature
AnswersC, D

Misplaced rules can cause traffic to be denied or not matched.

Why this answer

Checking the session table (for example 'show session all filter source <ip> destination <ip>') shows whether the firewall is creating sessions for the flow at all and which rule they hit, and verifying rule order (or running 'test security-policy-match' with the flow's zones, addresses, protocol and port) shows which rule the traffic matches, since the first match wins. Rebooting, re-addressing an interface or updating signatures changes the system before anyone has established where the traffic is being dropped.

446
Multi-Selecteasy

Which TWO are best practices when configuring App-ID for a production environment? (Choose two.)

Select 2 answers
A.Disable App-ID for traffic that does not match any known application to improve performance.
B.Configure all security policies based on port only for consistency.
C.Use applications instead of ports in security policies.
D.Enable security profiles (e.g., vulnerability protection) along with App-ID.
E.Limit application usage to only well-known applications to reduce attack surface.
AnswersC, D

App-ID provides application-level control.

Why this answer

Options C and D are correct. Option C: writing rules on applications (with the service set to application-default) instead of bare ports lets the firewall enforce what the traffic actually is, so a rule for web-browsing does not silently admit anything else listening on TCP 80. Option D: App-ID only classifies traffic; attaching security profiles (Vulnerability Protection, Anti-Spyware, Antivirus, URL Filtering and so on) to the allow rules adds Content-ID inspection of the sessions those rules permit.

Option A is wrong because App-ID runs on all traffic; unknown traffic should be investigated and identified (a custom application, or an application override where that is appropriate) rather than excluded from identification. Option B is wrong because port-only rules reintroduce the problem App-ID solves: any application can run on any port. Option E is wrong because restricting policy to a fixed list of well-known applications reduces visibility into what is really on the network and breaks legitimate custom applications; the better practice is to identify them.

447
MCQhard

An administrator runs the commands and sees the output. The session shows an SSL application from trust to untrust. However, the traffic is actually a custom application over TCP 44321 that the firewall incorrectly identifies as SSL. Which configuration step will most accurately identify the custom application?

A.Disable SSL inspection on the security policy for this traffic.
B.Create an application override policy for this traffic to mark it as the custom application.
C.Enable SSL decryption on the traffic to inspect the payload.
D.Define a custom application object with the correct protocol signature and protocol type.
AnswerD

A custom application object allows the firewall to accurately identify the traffic based on its actual protocol characteristics.

Why this answer

Option D is correct. App-ID does not identify 'ssl' by port; it recognises the TLS handshake signature, so the custom protocol on TCP 44321 is being classified as SSL because its exchange looks like (or actually is) TLS. Defining a custom application object with the correct protocol type (TCP), the port, and signatures that pattern-match on the custom protocol's own characteristics in the appropriate context teaches App-ID to classify the traffic from its payload rather than from a generic signature. If the custom protocol genuinely runs inside TLS, the signature has to match on what is visible in the handshake (for example the server name or certificate), or the traffic has to be decrypted before the inner application can be seen.

Exam trap

The trap here is that candidates often confuse application override (which forces classification) with custom application definition (which teaches the firewall to correctly identify the traffic), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because disabling SSL inspection does not change how the firewall identifies the application; it only prevents decryption, leaving the misclassification intact. Option B is wrong because an application override policy forces the firewall to treat the traffic as the custom application regardless of the actual payload, which bypasses proper identification and can lead to security policy misapplication; it does not teach the firewall to correctly identify the application. Option C is wrong because enabling SSL decryption would attempt to decrypt traffic that is not actually SSL (since it is a custom application over TCP 44321), causing decryption failures and potential session drops, and it does not correct the underlying application identification.

448
MCQhard

A firewall's dataplane CPU is consistently at 95% utilization even though session count is normal. Analysis shows that a large number of small packets are being processed. Which feature could be causing excessive dataplane processing?

A.Log forwarding to Panorama
B.User-ID agent polling
C.Fragmented packet reassembly
D.SSL Decryption with Forward Proxy
AnswerC

Reassembling many small fragmented packets consumes significant dataplane CPU.

Why this answer

Fragmented packet reassembly forces the dataplane to buffer and reassemble IP fragments before performing security policy checks. This process is CPU-intensive, especially when handling a high volume of small fragments, and can drive dataplane utilization to 95% even when the session count is normal. The firewall must allocate resources to track and reassemble each fragmented datagram, which explains the excessive processing.

Exam trap

The trap here is that candidates often associate high dataplane CPU with SSL decryption or logging, but the key clue is 'large number of small packets' — a classic indicator of fragmentation-related processing overhead, not encryption or management tasks.

How to eliminate wrong answers

Option A is wrong because log forwarding to Panorama is a management-plane task that does not consume dataplane CPU cycles; it uses the management plane or a dedicated logging interface. Option B is wrong because User-ID agent polling is a control-plane function that collects user mappings from domain controllers and does not directly affect dataplane packet processing. Option D is wrong because SSL Decryption with Forward Proxy, while CPU-intensive, typically manifests as high utilization during TLS handshake and decryption of large payloads, not from processing a large number of small packets; the symptom of small packets points to fragmentation, not SSL.
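As an added illustration of why the 'many small packets' symptom in question 448 is expensive (this is not Palo Alto Networks code and does not model any particular platform's reassembly engine), the Python below keeps the per-datagram state a reassembler must hold until a datagram's last fragment arrives, rejects overlapping fragments as an evasion attempt, and counts how much state a burst of interleaved fragmented datagrams forces it to carry compared with the same traffic sent unfragmented. Fragments are modelled as (identification, offset, MF flag, payload) values rather than raw IP packets, and the sample traffic is constructed.

```python
"""Model of IPv4 fragment reassembly and the per-datagram state it costs.

Added example, not PAN-OS code. Fragments are modelled as Python objects
carrying the IP identification field, the byte offset (real headers store it
in 8-byte units), the MF flag and the payload.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    ident: int      # IP identification: shared by every fragment of one datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # MF flag: True on every fragment except the last
    payload: bytes


@dataclass
class Pending:
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload
    total_len: Optional[int] = None  # known only once the MF=0 fragment arrives


class Reassembler:
    """Buffers fragments until a datagram is complete; only then can policy see it."""

    def __init__(self, max_pending: int = 64) -> None:
        self.pending: Dict[int, Pending] = {}
        self.max_pending = max_pending     # bounded state, so a flood cannot grow it forever
        self.dropped_overlap = 0
        self.dropped_exhausted = 0

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Absorb one fragment. Returns the whole datagram when it completes, else None."""
        pd = self.pending.get(frag.ident)
        if pd is None:
            if len(self.pending) >= self.max_pending:
                self.dropped_exhausted += 1       # table full: new datagrams are dropped
                return None
            pd = self.pending[frag.ident] = Pending()
        new_end = frag.offset + len(frag.payload)
        # Overlapping fragments are a classic evasion (hosts resolve overlaps differently),
        # so the safe choice is to discard the whole datagram rather than guess.
        for off, data in pd.pieces.items():
            if frag.offset < off + len(data) and off < new_end:
                self.dropped_overlap += 1
                del self.pending[frag.ident]
                return None
        pd.pieces[frag.offset] = frag.payload
        if not frag.more:
            pd.total_len = new_end
        if pd.total_len is None:
            return None                            # last fragment not seen yet
        covered = 0
        for off in sorted(pd.pieces):              # complete only with no holes from 0 to the end
            if off != covered:
                return None
            covered += len(pd.pieces[off])
        if covered != pd.total_len:
            return None
        del self.pending[frag.ident]
        return b"".join(pd.pieces[o] for o in sorted(pd.pieces))


def fragment(ident: int, payload: bytes, chunk: int) -> List[Fragment]:
    """Split a payload into fragments of `chunk` bytes (a multiple of 8, as in real IP)."""
    assert chunk % 8 == 0
    return [Fragment(ident, off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def burst(datagrams: int, size: int, chunk: int) -> Tuple[int, int]:
    """Push `datagrams` datagrams of `size` bytes through a reassembler, fragments
    interleaved across datagrams as they would arrive from many hosts at once.
    Returns (fragments processed, peak datagrams held in the pending table)."""
    r = Reassembler(max_pending=datagrams)
    streams = [fragment(i, bytes([i % 256]) * size, chunk) for i in range(datagrams)]
    processed = peak = 0
    for round_of_frags in zip(*streams):
        for frag in round_of_frags:
            done = r.add(frag)
            processed += 1
            peak = max(peak, len(r.pending))
            if done is not None:
                assert done == bytes([frag.ident % 256]) * size
    return processed, peak


if __name__ == "__main__":
    # Same 10 x 1400 bytes, either as 8-byte fragments or as whole datagrams (constructed input).
    print("fragmented  ", burst(10, 1400, 8))     # 1750 fragments handled, 10 datagrams buffered
    print("unfragmented", burst(10, 1400, 1400))  # 10 packets handled, nothing buffered
```

The two numbers returned by burst() are the cost drivers the question is hinting at: the fragmented run performs a table lookup, an overlap check and a coverage scan for every one of 1750 fragments while holding all ten datagrams in memory, whereas the unfragmented run touches the table ten times and never keeps anything. The bounded pending table and the outright rejection of overlaps are the two defensive choices a real reassembler needs so that a fragment flood degrades into drops rather than unbounded state.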

449
Matchingmedium

Match each log type to its content.

Traffic log: Records session start, end, and bytes transferred
Threat log: Logs blocked malware, exploits, or spyware
URL Filtering log: Logs web requests and category matches
WildFire Submissions log: Tracks files sent for cloud analysis
System log: Records administrative actions and system events

Why these pairings

The Traffic log is written per session (at session start and/or end, depending on the rule's log settings) and carries the byte and packet counters. The Threat log is written by Content-ID when a security profile acts on a signature match, so malware, exploit and spyware detections land there. The URL Filtering log records web requests together with the category they matched, and the WildFire Submissions log tracks each file forwarded for cloud analysis along with its verdict. The System log records system events such as HA state changes, commits and daemon restarts; the individual configuration changes administrators make are recorded in the separate Configuration log, so a description that lumps 'administrative actions' together with 'system events' is pointing at the System log.

450
Multi-Selecteasy

Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?

Select 2 answers
A.show system info
B.show vpn ike-sa
C.show routing route
D.show vpn ipsec-sa
E.show interface all
AnswersB, D

This shows the IKE security associations.

Why this answer

Option B is correct because 'show vpn ike-sa' displays the status of IKE Phase 1 security associations, which are essential for establishing the control channel of an IPSec tunnel. Option D is correct because 'show vpn ipsec-sa' shows the status of IKE Phase 2 security associations, which represent the actual data-plane IPSec tunnel. Both commands are used together to verify the full lifecycle of an IPSec VPN tunnel on Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often confuse general network commands (like routing or interface status) with VPN-specific commands, assuming that a working route or interface implies a functional IPSec tunnel, when in fact the tunnel may be down due to IKE or IPSec SA failures.
