Palo Alto Networks Certified Network Security Engineer PCNSE (PCNSE) — Questions 451–516

516 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ · easy

A network administrator notices that web-browsing traffic is being classified as 'incomplete' in the App-ID table. What is the most likely cause?

A. The App-ID signature database is outdated.
B. The security policy does not have an allow rule for web-browsing.
C. The firewall is experiencing asymmetric routing.
D. SSL decryption is not enabled for the traffic.
Answer: D

Without SSL decryption, encrypted traffic cannot be fully inspected, leading to 'incomplete' App-ID.

Why this answer

Option D is correct because SSL decryption is required to inspect encrypted traffic for App-ID to identify applications beyond the SSL protocol itself. Without decryption, the traffic may remain as 'incomplete' if the payload is encrypted. Option A is wrong because App-ID updates do not affect classification of encrypted traffic without decryption.

Option B is wrong because policy configuration does not cause incomplete classification. Option C is wrong because asymmetric routing can cause incomplete, but it is less common than lack of decryption in this scenario.

452
MCQ · hard

Refer to the exhibit. What does the 'Session End Reason: aged-out' indicate about the traffic?

A. The session was terminated by a firewall policy.
B. The session was idle for longer than the timeout threshold.
C. The session was forcibly closed by an administrator.
D. The session ended due to a TCP FIN/RST from the client.
Answer: B

Aged-out indicates the session was idle and reached the timeout.

Why this answer

The 'Session End Reason: aged-out' indicates that the firewall terminated the session because it remained idle for longer than the configured timeout threshold. Palo Alto Networks firewalls use application-specific timeouts (e.g., TCP default 3600 seconds, UDP 30 seconds) to free resources from sessions that have stopped transmitting data. This is a normal cleanup mechanism, not a policy or explicit termination.

Exam trap

Palo Alto Networks often tests the misconception that 'aged-out' means the session was terminated by a security policy or explicit reset, but the trap here is that 'aged-out' specifically refers to an idle timeout, not a policy action or TCP handshake termination.

How to eliminate wrong answers

Option A is wrong because a firewall policy termination would show 'Session End Reason: policy-deny' or similar, not 'aged-out'. Option C is wrong because an administrator forcibly closing a session would generate a 'Session End Reason: admin-reset' or 'session-manager clear session' event. Option D is wrong because a TCP FIN/RST from the client would result in 'Session End Reason: tcp-fin' or 'tcp-rst', not 'aged-out', which specifically indicates idle timeout.

453
MCQ · easy

A school district wants to allow YouTube for Education (a subcategory of YouTube) but block general YouTube traffic. The firewall uses URL filtering and App-ID. Currently, all YouTube traffic is identified as 'youtube' application, and the URL filtering category is 'educational-videos' for the education version. The administrator creates a security rule that allows application 'youtube' and URL category 'educational-videos'. However, all YouTube traffic is being blocked. What is the most likely cause?

A. The rule must also specify the source zone.
B. The application 'youtube' matches all YouTube traffic, so the URL category does not further filter because the application is matched first.
C. The URL category is not being applied because the traffic is encrypted and SSL decryption is not enabled.
D. The URL filtering license is not installed or expired.
Answer: C

Without decryption, the firewall cannot see the URL, so the URL category condition never matches.

Why this answer

Option C is correct: YouTube traffic uses HTTPS, and without SSL decryption, the firewall cannot inspect the URL. Therefore, the URL category condition fails, and the rule does not match. The traffic is then denied by a default deny rule.

Option D is wrong because the URL filtering license is required but typically already in place. Option A is wrong because zones are configured. Option B is wrong because application and URL category are ANDed; the issue is decryption, not logic.

454
MCQ · medium

Users are unable to authenticate via Captive Portal. The firewall receives authentication requests but they time out. What should be checked first?

A. The certificate used for the Captive Portal page
B. The session timeout for authenticated users
C. The authentication sequence settings in the Captive Portal configuration
D. The User-ID agent mapping
Answer: C

If the sequence does not include reachable servers or has incorrect priorities, authentication requests may time out.

Why this answer

Option C is correct because the authentication sequence determines the order and fallback of authentication servers; if misconfigured, requests may time out without proper fallback. Option A is incorrect because the certificate is for SSL, not timeout. Option D is incorrect because the User-ID agent is not directly involved in Captive Portal authentication.

Option B is incorrect because the session timeout affects logged-in sessions, not the authentication process.

455
MCQ · hard

Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?

A. The IKE gateway is not configured with the correct peer IP.
B. No security policy allows traffic from the VPN zone.
C. The proxy IDs do not match the remote peer.
D. The tunnel interface is not assigned to a zone.
Answer: B

Even though the tunnel is up, traffic can be blocked by security policy if no rule permits it.

Why this answer

When a site-to-site VPN tunnel is up but traffic is not passing, the most common cause is the absence of a security policy that permits traffic from the VPN zone to the destination zone. Even if IKE and IPsec SAs are established, the firewall drops the decrypted traffic if no rule explicitly allows it. This is a fundamental Palo Alto Networks concept: tunnel establishment and data forwarding are separate control and data plane functions.

Exam trap

Palo Alto Networks often tests the misconception that a tunnel being up automatically means traffic will pass, but Palo Alto Networks requires an explicit security policy to permit decrypted traffic from the VPN zone.

How to eliminate wrong answers

Option A is wrong because if the IKE gateway had an incorrect peer IP, the tunnel would not come up at all (IKE phase 1 would fail). Option C is wrong because mismatched proxy IDs would cause IPsec SA negotiation to fail, preventing the tunnel from reaching an up state. Option D is wrong because a tunnel interface not assigned to a zone would cause the interface itself to be inactive, and the tunnel would not show as up; the question states the tunnel is up, so the interface must be zoned.

456
Matching · medium

Match each decryption type to its description.

Matches

Decrypts outbound traffic to inspect it

Decrypts inbound traffic to servers

Decrypts SSH traffic for policy enforcement

Traffic bypasses decryption

Sends decrypted traffic to a monitoring tool

Why these pairings

These are decryption options in Palo Alto Networks firewalls.

457
MCQ · easy

After upgrading the software on an HA pair, the two firewalls report different HA states. Which command should be used to quickly verify the HA configuration synchronization status?

A. show high-availability pending-changes
B. show high-availability state
C. show high-availability sync-status
D. show high-availability link-monitoring
Answer: C

Displays config sync status between peers.

Why this answer

Option C is correct because 'show high-availability sync-status' displays the configuration sync state. Option B shows general HA state, not sync. Option A shows pending changes.

Option D shows HA2 link status.

458
MCQ · medium

A company has deployed SSL Inbound Inspection to inspect HTTPS traffic to their internal web server hosting a custom application that requires mutual TLS authentication. The firewall is configured with a decryption policy that includes the server's certificate and the action 'decrypt'. The web server is configured to request client certificates. After implementation, users report that the application fails to authenticate them. The firewall logs show that SSL handshake with the client completes successfully, but the server never receives the client certificate during the handshake. The administrator has verified that the decryption policy is active and the server certificate is correctly imported. What is the most likely cause of this issue?

A. The decryption policy is set to 'no-decrypt' for the application's traffic.
B. The client certificates are not trusted by the firewall.
C. The firewall's SSL Inbound Inspection profile is set to 'passive' mode.
D. The firewall is not configured to forward client certificates to the server.
Answer: D

In SSL Inbound Inspection, the firewall must be configured to forward client certificates in the decryption profile; otherwise, it does not pass them.

Why this answer

In SSL Inbound Inspection, the firewall acts as a man-in-the-middle, terminating the client's SSL connection and then initiating a new SSL connection to the server. By default, the firewall does not forward the client certificate from the original client handshake to the server. To enable mutual TLS authentication, the administrator must explicitly configure the firewall to forward client certificates, typically via a Decryption Profile setting.

Since the logs show a successful handshake with the client but the server never receives the client certificate, the missing forwarding configuration is the most likely cause.

Exam trap

Palo Alto Networks often tests the distinction between SSL Forward Proxy and SSL Inbound Inspection, and candidates mistakenly assume that client certificates are automatically forwarded in inbound scenarios, when in fact they require explicit configuration in the decryption profile.

How to eliminate wrong answers

Option A is wrong because the decryption policy is verified as active and set to 'decrypt', not 'no-decrypt', and the logs show the SSL handshake completes successfully, which would not happen if decryption were disabled. Option B is wrong because the firewall does not validate client certificates during SSL Inbound Inspection unless specifically configured to do so; the issue is that the client certificate is not being forwarded, not that it is untrusted. Option C is wrong because 'passive' mode is not a valid setting in SSL Inbound Inspection profiles; the firewall uses 'decrypt' action for inbound inspection, and passive mode applies to SSL Forward Proxy decryption, not inbound scenarios.

459
MCQ · easy

A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?

A. Create a security rule with application conditions set to 'facebook-base' and 'youtube' and action set to 'allow'.
B. Create a security rule with destination port 80 and 443 and action set to 'allow'.
C. Create a security profile that blocks all applications not in the allow list.
D. Create a URL filtering rule to allow 'social-networking' and 'multimedia' categories.
Answer: A

This rule allows only the specified applications.

Why this answer

Option A is correct because App-ID allows you to create a security rule that explicitly allows only the specified applications ('facebook-base' and 'youtube') while implicitly denying all other traffic. Since the default action for any traffic not matching an allow rule is 'deny', this rule achieves the goal of blocking all other applications without needing an explicit block rule.

Exam trap

The trap here is that candidates often confuse port-based rules (Option B) with application-based rules, assuming that allowing ports 80/443 is sufficient to control application access, but App-ID is required to distinguish between applications using the same port.

How to eliminate wrong answers

Option B is wrong because allowing destination ports 80 and 443 would permit all HTTP/HTTPS traffic, including applications like 'facebook-base' and 'youtube', but it would also allow many other web-based applications (e.g., 'twitter', 'dropbox'), failing to block them. Option C is wrong because security profiles (e.g., Antivirus, Vulnerability Protection) do not control which applications are allowed or blocked; they inspect traffic that is already permitted by the security rule's action. Option D is wrong because URL filtering rules control access based on URL categories, not application identities; 'social-networking' and 'multimedia' categories would include many applications beyond just 'facebook-base' and 'youtube', and URL filtering cannot enforce application-level granularity like App-ID can.

460
MCQ · hard

A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?

A. The user's GlobalProtect client software is outdated
B. The gateway's 'Allow Access' list does not include the user
C. The gateway's interface is not in the same zone as the portal
D. The portal's 'Access' list does not include the user
Answer: B

The gateway can restrict access based on user or group; if the user is not allowed, the connection is dropped.

Why this answer

Even after authentication, the gateway's 'Allow Access' list controls which users are permitted to establish the VPN tunnel. If the user is not listed, the gateway will reject the connection.

461
MCQ · hard

In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?

A. Heartbeat interface down
B. Firmware version mismatch (one firewall is on 10.1.4)
C. Management IP mismatch
D. License mismatch
Answer: B

HA requires exact PAN-OS version match. Even a minor patch difference can cause synchronization failure.

Why this answer

HA requires identical PAN-OS versions. A minor version mismatch, even a patch level difference, can cause the passive firewall to fail to synchronize.

462
Multi-Select · easy

A security administrator needs to block an application that uses multiple ports, including dynamic ports. Which of the following methods can be used to block this application using App-ID? (Choose two.)

Select 2 answers
A. Create an application override to force identification of the application on all ports.
B. Create a security rule with the application set to the malicious application and action Deny.
C. Use decryption to inspect the application content.
D. Create a custom application with multiple default ports.
E. Create a security rule with the destination port range that covers all possible ports.
Answers: B, D

Correct: Denying by application blocks the traffic regardless of port.

Why this answer

Creating a security rule with the application set denies traffic based on App-ID identification, independent of port. A custom application can define multiple default ports to aid identification, but the key is that denial is based on application identity, not port.

463
MCQ · hard

A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?

A. The gateway's interface is not in the same subnet as the IP pool
B. The GlobalProtect client is outdated
C. The LDAP authentication profile is misconfigured
D. The client certificate is not trusted by the gateway
Answer: A

GlobalProtect gateway requires the IP pool to be on the same subnet as the gateway's interface for proper routing.

Why this answer

The GlobalProtect gateway must have an interface in the same subnet as the IP pool to successfully assign an IP address to the client. When the gateway is on a different subnet, it cannot route or respond to ARP requests for the assigned IP, causing the IP assignment to fail even though authentication succeeds. This is a common misconfiguration because the IP pool is used for tunnel interface addressing, and the gateway's egress interface must be able to directly communicate with the pool range.

Exam trap

The trap here is that candidates assume IP pool assignment is independent of the gateway's interface subnet, but the gateway must have a directly connected route to the pool range for the tunnel to establish.

How to eliminate wrong answers

Option B is wrong because an outdated client would typically cause connection or feature issues, not a failure to assign an IP address after successful authentication. Option C is wrong because the LDAP authentication profile is confirmed working—the user authenticates successfully—so the issue lies after authentication. Option D is wrong because client certificate trust is not relevant here; the gateway is using LDAP authentication, not certificate-based authentication, and the client successfully connects to the portal.

464
Drag & Drop · medium

Arrange the steps to configure a new zone on a Palo Alto Networks firewall in the correct order.


Why this order

Zones are created under the Network tab, with a name and type specified.

465
Multi-Select · medium

Which TWO factors can cause a firewall to not show any User-ID mapping for a user who is actively logged in?

Select 2 answers
A. The user is using a VPN connection from a remote location
B. The firewall's User-ID agent is in collector mode
C. The User-ID agent is not configured with the firewall's IP as a client
D. The user's traffic is being decrypted by SSL decryption
E. The domain controller is not forwarding security events to the User-ID agent
Answers: C, E

The agent must have the firewall listed as a client to send mappings.

Why this answer

Option C is correct because the User-ID agent must be configured with the firewall's IP address as a client to forward user-to-IP mappings. Without this configuration, the firewall will not receive the mapping data from the agent, even if the user is actively logged in and the agent is collecting security events from the domain controller.

Exam trap

The trap here is that candidates often confuse 'collector mode' with a failure to send mappings, but collector mode actually aggregates and forwards data, so it does not cause missing mappings; the real issue is the missing client IP configuration on the agent.

466
Multi-Select · hard

Which THREE of the following are capabilities of GlobalProtect Host Information Profile (HIP)?

Select 3 answers
A. Check the user's location
B. Check the browser version
C. Check if antivirus is installed and running
D. Check if disk encryption is enabled
E. Check the operating system version
Answers: C, D, E

HIP can verify antivirus status.

Why this answer

HIP collects system information such as OS, antivirus, disk encryption, and firewall status to enforce compliance.

467
Drag & Drop · medium

Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.


Why this order

Factory reset clears all configurations and reboots the device.

468
Multi-Select · medium

Which TWO of the following are required for stateful failover in an Active/Passive HA pair?

Select 2 answers
A. HA3 link configured with a dedicated interface.
B. HA1 link configured with a dedicated interface.
C. HA2 link configured with a dedicated interface.
D. Heartbeat backup link configured.
E. Session table synchronization enabled.
Answers: B, C

HA1 is mandatory for heartbeat and management sync.

Why this answer

In an Active/Passive HA pair, stateful failover requires the HA1 link (management/control plane synchronization) and the HA2 link (data plane session synchronization) to be configured with dedicated interfaces. The HA1 link ensures heartbeat and configuration sync, while the HA2 link synchronizes session tables so that the passive firewall can seamlessly take over active sessions without disruption.

Exam trap

The trap here is that candidates often confuse the HA3 link (used for packet forwarding) as mandatory for stateful failover, or they think session table synchronization is a separate toggle rather than an inherent function of the HA2 link.

469
MCQ · easy

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

A. allow
B. reset-both
C. deny
D. drop
Answer: A

'allow' permits the traffic.

Why this answer

The correct action is 'allow' because the security engineer needs to permit inbound HTTPS traffic from the Untrust zone to the DMZ web server. In Palo Alto Networks firewalls, the security policy action 'allow' explicitly permits the traffic to pass through the firewall, which is required for legitimate inbound web traffic.

Exam trap

The trap here is that candidates may confuse 'deny' with 'drop' or think 'reset-both' is a valid way to allow traffic, but only 'allow' actually permits the session to be established and pass through the firewall.

How to eliminate wrong answers

Option B (reset-both) is wrong because it sends TCP RST packets to both the client and server, which would terminate the HTTPS connection rather than allowing it. Option C (deny) is wrong because it discards the traffic and sends a TCP RST to the sender, blocking the inbound HTTPS traffic. Option D (drop) is wrong because it silently discards the traffic without any notification, which would also prevent the HTTPS traffic from reaching the web server.

470
MCQ · medium

A Palo Alto Networks firewall is configured with multiple virtual routers. Traffic between two different virtual routers is not being forwarded. What is required to enable routing between them?

A. Configure a zone protection profile.
B. Configure a static route between the virtual routers.
C. Enable inter-VR routing with a security policy.
D. Use a virtual wire to connect them.
Answer: C

Traffic between virtual routers must be explicitly allowed by a security policy with the correct zones.

Why this answer

By default, Palo Alto Networks firewalls isolate traffic between virtual routers (VRs) to enforce segmentation. To allow inter-VR routing, you must explicitly enable it by creating a security policy that permits the traffic between the zones associated with each VR. This policy acts as the routing decision point, allowing the firewall to forward packets from one VR to another.

Exam trap

The trap here is that candidates often assume static routes can be configured between virtual routers, but Palo Alto does not support inter-VR static routes; instead, inter-VR routing is controlled solely by security policies.

How to eliminate wrong answers

Option A is wrong because zone protection profiles are used to defend against network-based attacks (e.g., floods, reconnaissance) and do not control routing between virtual routers. Option B is wrong because static routes are defined within a single virtual router to direct traffic to next-hop destinations; they cannot be configured between VRs as VRs are independent routing tables. Option D is wrong because a virtual wire is a Layer 2 transparent mode that forwards frames without routing, and it cannot connect two virtual routers which operate at Layer 3.

471
MCQ · easy

An administrator wants to receive SNMP traps from the firewall for critical events such as failed login attempts and high CPU usage. Which configuration step is required?

A. Enable SNMP monitoring on the interface.
B. Set up a log forwarding profile with SNMP action.
C. Create an SNMP read-only community string.
D. Configure an SNMP trap destination under Device > Setup > SNMP Trap.
Answer: D

This defines where traps are sent and which events trigger them.

Why this answer

To receive SNMP traps from a Palo Alto Networks firewall, you must configure the trap destination under Device > Setup > SNMP Trap. This step defines where the firewall sends SNMP notifications (traps) for events like failed login attempts and high CPU usage. Without a configured trap destination, the firewall will not transmit any SNMP traps, even if other SNMP settings are enabled.

Exam trap

The trap here is that candidates often confuse SNMP polling (which requires read-only community strings and interface monitoring) with SNMP trap generation (which requires a separate trap destination configuration), leading them to select options A or C instead of D.

How to eliminate wrong answers

Option A is wrong because enabling SNMP monitoring on an interface allows the firewall to be polled via SNMP (e.g., for MIB data), but it does not configure the firewall to send unsolicited traps. Option B is wrong because log forwarding profiles are used to forward logs to external services (e.g., syslog, email), not to send SNMP traps; SNMP trap configuration is separate and does not use log forwarding profiles. Option C is wrong because creating an SNMP read-only community string is required for SNMP polling (read access to MIB objects), but it is not necessary for sending traps; traps use a separate community string (often the same, but the trap destination configuration is the critical step).

472
Multi-Select · hard

A firewall is part of a Panorama-managed environment. The administrator needs to ensure that only specific administrators can commit changes to devices. Which TWO actions are required? (Choose two.)

Select 2 answers
A. Enable Multi-Factor Authentication for all admins.
B. Configure role-based access on Panorama.
C. Create an admin role with commit scope limited to specific device groups.
D. Use template stacks to restrict commit permissions.
E. Set the firewall to require approval for commits.
Answers: B, C

Panorama RBAC defines which administrators can commit changes to which device groups.

Why this answer

Options B and C are correct. Configuring role-based access on Panorama (B) and creating an admin role with commit scope limited to specific device groups (C) are necessary to restrict commit permissions to specific administrators. Option A is incorrect because Multi-Factor Authentication is for authentication, not commit restriction.

Option D is incorrect because template stacks are for template management. Option E is incorrect because Panorama does not have a built-in commit approval workflow.

473
MCQ · easy

Refer to the exhibit. A firewall system log contains a critical license expiration entry for URL Filtering. What will happen to URL Filtering functionality?

A. The firewall will stop passing traffic until the license is renewed.
B. URL Filtering will stop working immediately until a new license is installed.
C. URL Filtering will continue to use the last downloaded URL database but will not receive updates.
D. The firewall will automatically fall back to a basic URL category list.
Answer: C

Licensed features continue to function with the last downloaded data when the license expires.

Why this answer

Option C is correct: when a license expires, the related functionality typically continues to work with the last downloaded signature database but does not update; Palo Alto Networks firewalls do not automatically disable the feature, but it may stop updating. Option B is wrong because the feature does not stop working immediately; it continues with existing data. Option D is wrong because the firewall does not automatically switch to a secondary method.

Option A is wrong because a warning is displayed but the administrator is not locked out.

474
Multi-Select · hard

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)

Select 2 answers
A. Rule: from internal to external, source any, destination any, application any, service tcp/443, action allow.
B. Rule: from internal to external, source internal-users, destination any, application ssl, service application-default, action allow.
C. Rule: from external to internal, source any, destination mail-server-ip, application smtp, service application-default, action allow.
D. Rule: from internal to external, source any, destination any, application any, service any, action allow.
E. Rule: from internal to external, source any, destination any, application web-browsing, service application-default, action allow.
Answers: B, C

Correctly allows HTTPS with application-based control.

Why this answer

Option B is correct because it uses the 'ssl' application to match HTTPS traffic, which is the proper application-based method for allowing outbound HTTPS. This rule specifies the source as 'internal-users' and destination as 'any', with the action 'allow', meeting requirement (1) without over-permitting. Option C is correct because it creates a rule from 'external' to 'internal', targeting the mail server IP with application 'smtp' and service 'application-default', which blocks all inbound traffic except SMTP to that specific server, satisfying requirement (2).

Exam trap

The trap here is that candidates often confuse 'web-browsing' (HTTP) with 'ssl' (HTTPS) or rely on port-based rules (service tcp/443) instead of application-based rules, which Palo Alto emphasizes for proper security policy enforcement.

475
Multi-Select · medium

A security administrator is trying to isolate a performance issue on a PA-3220. Which two commands provide real-time information about the dataplane performance? (Choose two.)

Select 2 answers
A. show system resources dataplane
B. show counter global
C. show running resource-monitor
D. show session info
E. show job all
Answers: A, C

This command displays dataplane-specific resource statistics in real time.

Why this answer

The correct answers are A and C because both 'show system resources dataplane' and 'show running resource-monitor' provide real-time dataplane CPU and memory usage.

476
MCQ · hard

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

A. Another rule earlier in the policy matches the traffic and allows it before reaching this rule.
B. The firewall is configured to not log interzone traffic.
C. The source address 10.1.0.0/16 is not part of the 10.0.0.0/8 subnet.
D. The logging profile is not applied to the rule.
Answer: A

If an earlier rule allows the traffic, this rule is never evaluated, and logging is not triggered.

Why this answer

Option A is correct because in a Palo Alto Networks firewall, security rules are evaluated from top to bottom, and the first matching rule is applied. If an earlier rule in the policy matches the traffic from 10.1.0.0/16 and allows it, the rule with logging at rule end will never be evaluated, and thus no log entry is generated for that traffic.

Exam trap

The trap here is that candidates may assume a subnet like 10.1.0.0/16 is not part of 10.0.0.0/8, but in CIDR notation, 10.1.0.0/16 is indeed a subset of 10.0.0.0/8, so the issue is rule order, not address mismatch.

How to eliminate wrong answers

Option B is wrong because interzone traffic logging is not a global setting that can be disabled; logging is controlled per rule via the log setting at rule start or end. Option C is wrong because 10.1.0.0/16 is a subset of 10.0.0.0/8, so it is included in the source address range. Option D is wrong because the logging profile is not required for basic logging; setting logging at rule end enables logging without a separate profile.

477
MCQ (easy)

A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?

A. There is no NAT policy to translate the source IP.
B. The destination IP is not reachable from the firewall.
C. The firewall is not configured to inspect HTTP traffic.
D. The security policy does not have an allow rule for HTTP.
Answer: B

If the firewall cannot route to the destination, it will drop the SYN.

Why this answer

The packet capture shows the SYN packet is received by the firewall but no SYN-ACK is sent. This indicates the firewall is not completing the TCP three-way handshake. The most common cause is that the destination IP is not reachable from the firewall, meaning the firewall cannot route the SYN packet to the next hop or the destination host is down.

In this scenario, the firewall drops the SYN packet silently without generating a SYN-ACK because it cannot establish a session.

Exam trap

The trap here is that candidates often assume a missing security policy or NAT rule is the cause when a SYN packet is received but no SYN-ACK is sent, but the correct diagnostic is to check routing and destination reachability first.

How to eliminate wrong answers

Option A is wrong because a missing NAT policy would cause the source IP to remain private, but the firewall would still forward the SYN packet and expect a SYN-ACK from the destination; the issue here is that no SYN-ACK is sent at all, which points to a routing or reachability problem, not NAT. Option C is wrong because HTTP inspection is not required for basic HTTP traffic to pass; the firewall can forward HTTP traffic with a simple allow rule and no application inspection. Option D is wrong because if the security policy lacked an allow rule, the firewall would drop the SYN packet and typically generate a deny log entry, but the packet capture shows the SYN packet is received, meaning the security policy is not the issue; the problem is that the firewall cannot forward the packet to the destination.

478
MCQ (hard)

An administrator is troubleshooting VPN tunnel flapping. The logs show multiple Phase 2 rekeys. The tunnel uses IKEv2 with a pre-shared key. What is the most likely cause?

A. Mismatched IKE version.
B. Dead Peer Detection (DPD) interval too long.
C. The rekey time settings are too short.
D. Incorrect local or peer ID.
Answer: C

Short rekey intervals cause the tunnel to renegotiate frequently, leading to flapping.

Why this answer

The correct answer is C because frequent rekeys caused by short rekey time settings can make the tunnel flap.

479
MCQ (hard)

An enterprise requires separate administrative domains within a single firewall chassis for different business units. Each domain must have its own virtual router, security policies, and interface configuration. What is the appropriate PAN-OS feature?

A. Administrative roles with RBAC
B. Multiple contexts
C. Multiple virtual routers
D. Multiple virtual systems (vsys)
Answer: D

Virtual systems enable multi-tenancy with separate configurations per tenant.

Why this answer

Option D is correct because Virtual Systems (vsys) are the PAN-OS feature that enables partitioning a single physical firewall into multiple independent virtual firewalls. Each vsys operates with its own virtual router, security policies, and interface configuration, meeting the requirement for separate administrative domains for different business units within one chassis.

Exam trap

The trap here is confusing the Cisco term 'multiple contexts' with PAN-OS Virtual Systems, as candidates familiar with Cisco firewalls may incorrectly select Option B, not realizing that PAN-OS uses a different terminology and architecture for multi-tenancy.

How to eliminate wrong answers

Option A is wrong because Administrative roles with RBAC control user permissions and access to the firewall's management functions, but they do not create separate network domains with independent virtual routers, policies, or interfaces. Option B is wrong because 'Multiple contexts' is a Cisco ASA/Firepower term for virtual firewalls, not a PAN-OS feature; PAN-OS uses Virtual Systems (vsys) for this purpose. Option C is wrong because Multiple virtual routers allow separate routing tables within a single firewall instance, but they do not provide isolated security policies, interfaces, or administrative domains—all virtual routers share the same vsys context unless combined with vsys.

480
Multi-Select (medium)

Which THREE components are part of the GlobalProtect infrastructure? (Choose three.)

Select 3 answers
A. Firewall management interface
B. GlobalProtect Gateway
C. GlobalProtect Client
D. GlobalProtect Portal
E. Authentication server
Answers: B, C, D

Gateway is the component that routes traffic and enforces policies.

Why this answer

Options B, C, and D are correct. The Portal distributes configuration, Gateways provide secure access, and Clients connect to them. Option A (Firewall management interface) is not part of the GlobalProtect infrastructure; it is used for managing the firewall.

Option E (Authentication server) is a backend component but not part of GlobalProtect infrastructure itself.

481
MCQ (medium)

During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?

A. Reduced new session setup rate.
B. Reduced committed information rate (CIR) on QoS policies.
C. Increased latency for management access.
D. Increased packet drops due to buffer exhaustion.
Answer: D

When packet buffers are full, new packets are dropped.

Why this answer

When dataplane packet buffer usage exceeds 90% during a traffic spike, the firewall's packet buffers are nearly exhausted, leading to a condition where incoming packets cannot be stored temporarily for processing. This directly causes packet drops because the dataplane has no available buffers to enqueue new packets, even though CPU utilization remains low. Option D correctly identifies this as the primary impact, as buffer exhaustion results in tail-drop behavior for new packets.

Exam trap

The trap here is that candidates often assume high packet buffer usage automatically implies high CPU utilization, but the PCNSE exam tests the understanding that dataplane buffer exhaustion and CPU utilization are independent metrics, and buffer drops can occur even when CPU is idle.

How to eliminate wrong answers

Option A is wrong because reduced new session setup rate is typically caused by high CPU utilization or session table exhaustion, not by high packet buffer usage; the CPU is below 30%, so session setup should not be impaired. Option B is wrong because the committed information rate (CIR) on QoS policies is a traffic-shaping parameter that is not directly affected by packet buffer usage; QoS policies enforce bandwidth limits regardless of buffer occupancy. Option C is wrong because increased latency for management access is associated with high control-plane CPU or management-plane congestion, not with dataplane buffer exhaustion; management traffic uses separate queues and resources.

482
MCQ (easy)

Based on the exhibit, what is the most likely action for the firewall to take on this session?

A. Re-issue a new certificate to the client.
B. Block the session because the server certificate is invalid.
C. Drop the session and log a security alert.
D. Bypass decryption and allow the session to proceed.
Answer: D

Default behavior is to bypass when certificate verification fails.

Why this answer

The firewall is configured for SSL Forward Proxy decryption, but the server certificate is self-signed or otherwise untrusted (e.g., expired, mismatched CN). In such cases, the firewall cannot re-sign the certificate to establish a trusted decrypted session. The configured action for untrusted server certificates is 'bypass decryption,' which allows the session to proceed without decryption, logging the bypass.

Option D is correct because the firewall will not block or drop the session by default when bypass is configured.

Exam trap

The trap here is that candidates often assume an invalid server certificate always results in a block or drop, but the firewall's behavior depends on the configured 'untrusted certificate action' in the decryption policy, which can be set to bypass.

How to eliminate wrong answers

Option A is wrong because the firewall does not issue a new certificate to the client; in SSL Forward Proxy, the firewall generates a forged certificate on-the-fly signed by its own CA, but only if the server certificate is valid and trusted. Option B is wrong because the firewall does not block the session solely because the server certificate is invalid; it applies the configured untrusted certificate action, which can be 'bypass' or 'block,' and the exhibit shows bypass is configured. Option C is wrong because 'drop the session and log a security alert' would correspond to a 'block' action, not the 'bypass' action shown in the exhibit.

483
MCQ (easy)

An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?

A. URL Filtering Report
B. Application Report
C. Traffic Report
D. Threat Report
Answer: B

Application Report provides top applications by bandwidth.

Why this answer

The Application Report is designed to provide visibility into application usage, including bandwidth consumption, top applications, and application-level trends over a specified time period. This report type leverages the App-ID engine to classify traffic by application, regardless of port or protocol, making it the correct choice for identifying top applications by bandwidth usage.

Exam trap

The trap here is that candidates often confuse the Traffic Report (which shows raw byte counts) with application-level reporting, failing to realize that only the Application Report uses App-ID to break down bandwidth by application identity rather than by IP or port.

How to eliminate wrong answers

Option A is wrong because the URL Filtering Report focuses on web browsing activity based on URL categories and does not provide application-level bandwidth breakdowns. Option C is wrong because the Traffic Report shows raw traffic volume (bytes, packets, sessions) by source/destination or zone, but it does not natively aggregate or rank by application identity. Option D is wrong because the Threat Report is dedicated to security threats such as intrusions, malware, and vulnerabilities, not application bandwidth usage.

484
MCQ (medium)

A security team is deploying SSL Decryption for inbound traffic to protect against threats hidden in encrypted traffic. However, they want to exclude financial transactions that use client certificates for authentication. What is the best approach?

A. Create a decryption policy rule with a condition matching the client certificate.
B. Create a decryption policy rule that excludes the financial application based on URL category.
C. Use an SSL Forward Proxy decryption profile with 'Exclude Certificate' list.
D. Use a decryption policy rule with 'No Decrypt' action for the financial application.
Answer: D

Correct: This directly excludes traffic identified as the financial application from decryption.

Why this answer

The decryption policy allows you to set 'No Decrypt' action based on application or URL. Using an application identifier is precise and does not rely on URL categories, which may be broad.

485
MCQ (easy)

An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?

A. Security profiles
B. Security zones
C. Security policy rule groups
D. Application groups
Answer: C

Rule groups allow logical grouping of rules and assignment to user/device groups.

Why this answer

Security policy rule groups allow administrators to organize related firewall rules into logical units, which can then be applied to specific users or devices via policy-based forwarding or rule placement. This feature simplifies management by grouping rules that share a common purpose, such as those for a particular department or application, and enables targeted application without manual rule reordering. It directly addresses the requirement for logical grouping and selective application to users or devices.

Exam trap

The trap here is that candidates often confuse 'security policy rule groups' with 'application groups' or 'security zones', thinking that grouping applications or interfaces is equivalent to grouping the rules themselves, but only rule groups provide the logical unit structure for rule management and user/device targeting.

How to eliminate wrong answers

Option A is wrong because security profiles are components of security policy rules that define threat prevention, URL filtering, or file blocking actions, not a mechanism for grouping rules into logical units. Option B is wrong because security zones are logical interfaces that segment network traffic based on trust levels (e.g., untrust-L3, trust-L3), but they do not group rules themselves; they are used as source/destination criteria within rules. Option D is wrong because application groups are collections of applications used in policy rules to simplify application identification, but they do not group the rules themselves into logical units for management or user/device targeting.

486
MCQ (hard)

A multinational organization uses a pair of PA-5250 firewalls in an active/passive high-availability configuration across two data centers. They need to ensure that all management traffic (SSH, HTTPS) to the firewalls is encrypted and sourced only from a dedicated management network (10.10.0.0/24). Which configuration meets these requirements?

A. Configure the firewall to use a dedicated management port and enable IP whitelisting in device settings.
B. Configure an interface management profile allowing SSH and HTTPS only from 10.10.0.0/24 and apply it to the management interface.
C. Use a loopback interface with an IP from the management subnet and attach an interface management profile.
D. Create a security policy allowing management access from 10.10.0.0/24 to the firewall's IP addresses.
Answer: B

The management interface can be restricted to specific IPs using the interface management profile under Device > Setup > Management.

Why this answer

Option B is correct because an interface management profile restricts allowed management services (SSH, HTTPS) to specific source IP addresses or subnets, and applying it to the management interface ensures only traffic from 10.10.0.0/24 can reach the firewall for encrypted management. This directly meets the requirement for encryption (SSH/HTTPS are inherently encrypted) and source restriction without relying on security policies, which do not control management-plane access.

Exam trap

The trap here is that candidates often confuse data-plane security policies with management-plane access control, incorrectly assuming a security rule can restrict SSH/HTTPS to the firewall itself, when in fact interface management profiles are the only mechanism for that purpose on Palo Alto firewalls.

How to eliminate wrong answers

Option A is wrong because enabling IP whitelisting in device settings is not a valid configuration on Palo Alto Networks firewalls; there is no such global whitelist feature—access control for management services is done via interface management profiles, not a device-level whitelist. Option C is wrong because a loopback interface with an IP from the management subnet would not inherently restrict source access; the interface management profile would still need to be applied to the loopback, and loopback interfaces are not typically used for out-of-band management traffic in a dedicated management network scenario. Option D is wrong because security policies control data-plane traffic (e.g., user traffic passing through the firewall), not management-plane traffic (SSH/HTTPS to the firewall itself); management access is governed by interface management profiles, not security rules.

487
MCQ (hard)

During a security audit, it is discovered that a custom application signature matches too broadly, causing benign traffic to be classified as the custom app. What change should be made to narrow the signature?

A. Remove the protocol field from the signature.
B. Use a wider port range and remove data patterns.
C. Add a data pattern filter to match a specific payload signature.
D. Expand the port range to include more traffic.
Answer: C

Data patterns narrow matching to specific traffic characteristics.

Why this answer

Option C is correct because adding a data pattern filter (e.g., a specific byte sequence) increases precision. Option A is wrong because removing the protocol field makes the signature broader. Option D is wrong because expanding the port range makes it broader.

Option B is wrong because a wider port range with no data patterns also broadens the match; port ranges are not the cause of overmatching when the data pattern is missing.

488
Multi-Select (hard)

An engineer is troubleshooting a scenario where traffic from a specific source IP is not being logged although the security policy log setting is set to 'log at session end'. Which three conditions could prevent logging for that traffic? (Choose three.)

Select 3 answers
A. The traffic is denied by a rule that has logging disabled.
B. The source IP is in a global log filtering exclusion.
C. The session is terminated before session end (e.g., reset).
D. The traffic matches a rule with 'log at session start' only.
E. The firewall is exceeding its log rate capacity.
Answers: A, C, E

If the denying rule has no logging configured, no log is generated.

Why this answer

The correct answers are A, C, and E because a deny rule with logging disabled, a session reset before session end, or an exceeded log rate capacity can all prevent session-end logging.

489
MCQ (medium)

During a failover test, an engineer observes that after the active firewall fails, the passive firewall takes over, but existing UDP sessions are not maintained. What is the most likely reason?

A. The HA pair is in active/active mode
B. The failover delay timer is too long
C. UDP sessions are not synchronized by default in active/passive mode
D. Session synchronization is disabled on the passive firewall
Answer: C

Only TCP sessions are synced by default; UDP sessions require additional configuration.

Why this answer

Option C is correct because UDP sessions are not synchronized by default in active/passive mode; TCP sessions are synced. Option A is wrong because session sync is enabled by default. Option B is wrong because failover is immediate.

Option D is wrong because asymmetric routing does not prevent session sync.

490
Matching (medium)

Match each Palo Alto Networks feature to its primary function.


Concepts
Matches

Application identification and control

User and group mapping for policies

Threat prevention including IPS and antivirus

Cloud-based malware analysis

Remote access VPN and mobile security

Why these pairings

These are core features of Palo Alto Networks firewalls.

491
Multi-Select (hard)

Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?

Select 3 answers
A. Set 'Log at Session End' in the rule.
B. Apply a Log Forwarding profile to the rule.
C. Enable 'Logging' under the rule's 'Actions' tab.
D. Configure 'Log at Rule Match' under the rule's 'Advanced' settings.
E. Set 'Log at Session Start' in the rule.
Answers: A, B, E

This logs when the session ends.

Why this answer

Option A is correct because setting 'Log at Session End' in a security rule explicitly instructs the firewall to generate a traffic log entry when the session terminates, capturing the complete session details including bytes transferred and duration. This is a direct method to enable logging for the rule's traffic.

Exam trap

The trap here is that candidates confuse the 'Actions' tab with logging settings, or assume a 'Log at Rule Match' option exists, when in reality logging is controlled exclusively via the 'Log at Session End' checkbox and Log Forwarding profiles.

492
MCQ (medium)

Based on the exhibit, what caused the last failover?

A. The HA2 link went down.
B. A preemption event occurred.
C. The peer firewall was rebooted.
D. The HA1 keepalive from the peer was lost.
Answer: D

The output shows 'last failure reason: peer HA1 keepalive lost'.

Why this answer

The exhibit shows 'HA1 keepalive from the peer was lost' as the last failover reason. In an active/passive HA pair, the passive firewall monitors HA1 keepalive messages from the active peer. When these keepalives are not received within the configured hello interval (default 1 second) and hold timer (default 3 seconds), the passive firewall assumes the active peer has failed and initiates a failover to become active.

Exam trap

The trap here is that candidates often confuse the HA1 link (control link for keepalives) with the HA2 link (data link for session sync), leading them to incorrectly select Option A when the actual failover trigger is loss of HA1 keepalive, not HA2 link failure.

How to eliminate wrong answers

Option A is wrong because the HA2 link is used for session synchronization and state propagation, not for keepalive monitoring; a HA2 link failure alone does not trigger a failover unless it also causes HA1 keepalive loss. Option B is wrong because a preemption event would be logged as 'Preempted by local firewall' or 'Preempted by peer firewall', not as a keepalive loss; preemption is a configuration-based event that occurs when the higher-priority firewall comes back online. Option C is wrong because if the peer firewall was rebooted, the failover reason would typically show 'Peer firewall rebooted' or 'HA1 keepalive from the peer was lost' only if the reboot caused keepalive failure, but the direct cause logged is the keepalive loss, not the reboot itself.

493
MCQ (hard)

A firewall is configured with User-ID using the 'Server Monitoring' method via LDAP. The administrator notices that user-to-IP mappings are only being updated every 60 minutes instead of the configured 15-minute polling interval. The LDAP server is reachable and responds quickly. What configuration parameter is most likely causing the delayed update?

A. The firewall's 'Log Forwarding' profile is slowing down the User-ID process.
B. The 'User-ID' mapping aging time is set to 60 minutes.
C. The 'User-ID Agent' is configured with a 'Timeout' of 60 minutes.
D. The 'Server Monitoring' profile has a 'Retry Interval' set to 60 minutes.
Answer: B

The mapping aging time determines how often the mapping is refreshed; if it is longer than the polling interval, it can override the polling interval.

Why this answer

The User-ID mapping aging time controls how long a user-to-IP mapping remains valid before it is considered stale and must be refreshed. If the aging time is set to 60 minutes, the firewall will not query the LDAP server for a new mapping until that timer expires, regardless of a shorter polling interval. This causes updates to appear only every 60 minutes, matching the symptom described.

Exam trap

The trap here is that candidates confuse the polling interval (how often the firewall checks LDAP) with the aging time (how long a mapping is kept before it must be refreshed), assuming a shorter polling interval always results in faster updates.

How to eliminate wrong answers

Option A is wrong because the Log Forwarding profile is used to send logs to external collectors and has no impact on the User-ID polling or mapping update frequency. Option C is wrong because the User-ID Agent timeout refers to how long the agent waits for a response from the firewall or domain controller, not the interval at which mappings are aged or refreshed. Option D is wrong because the Retry Interval in Server Monitoring defines how long to wait before retrying a failed LDAP query, not the period between successful polls or the aging of existing mappings.

494
MCQ (medium)

A firewall is configured with a destination NAT rule to translate public IP 203.0.113.10 to internal server 10.0.0.5 on port 443. Internal users from 10.0.0.0/24 can access the server using its private IP, but cannot access using the public IP. What should be configured to allow internal users to reach the server using the public IP?

A. Configure a source NAT rule that translates the internal source IP to the firewall's interface IP when the destination is the public IP.
B. Create a policy-based forwarding (PBF) rule to send the traffic to the server.
C. Add a security policy allowing traffic from internal zone to the public IP.
D. Add a static route on the firewall for the public IP pointing to the internal server.
Answer: A

This hairpin NAT rule ensures reply traffic goes through the firewall.

Why this answer

Option A is correct because when internal users send traffic to the public IP (203.0.113.10), the firewall performs destination NAT, translating the destination to 10.0.0.5. However, the return traffic from the server is sent directly to the internal user's IP (since they are on the same subnet), bypassing the firewall and causing asymmetric routing. A source NAT rule (often called NAT hairpin or NAT reflection) translates the internal source IP to the firewall's interface IP, forcing return traffic to go through the firewall and maintain session state.

Exam trap

The trap here is that candidates often think a security policy or route is sufficient, but they miss the fundamental requirement for symmetric routing in stateful firewalls, where the return traffic must traverse the same firewall that performed the NAT.

How to eliminate wrong answers

Option B is wrong because policy-based forwarding (PBF) is used to route traffic based on criteria like source/destination IP or application, not to solve NAT hairpin issues; it would not fix the asymmetric routing problem. Option C is wrong because a security policy alone does not address the NAT or routing issue; the traffic is already allowed if the server is reachable via private IP, and the problem is that the return traffic bypasses the firewall. Option D is wrong because adding a static route for the public IP pointing to the internal server would cause the firewall to route traffic directly to the server without performing NAT, breaking the translation and potentially causing routing loops or incorrect forwarding.

495
MCQ (medium)

The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?

A. The VLAN ID is misconfigured as 20 instead of 10.
B. The IP netmask is /24 but should be /16.
C. The zone is incorrectly named 'VLAN10'.
D. The virtual router is not correctly set.
Answer: A

The sub-interface expects VLAN tag 20, but traffic from VLAN 10 uses tag 10.

Why this answer

The exhibit shows the sub-interface is configured with VLAN ID 20, but the administrator intended VLAN 10. In Palo Alto Networks firewalls, sub-interfaces use 802.1Q VLAN tagging, and the VLAN ID must match the tag on incoming frames. Mismatched VLAN IDs cause the firewall to drop or ignore traffic because the sub-interface only processes frames with the configured tag.

Exam trap

The trap here is that candidates often confuse the VLAN ID on the sub-interface with the IP subnet or zone name, assuming a mismatch in IP addressing or zone naming is the root cause, when in fact the VLAN tag mismatch is the direct and immediate reason traffic is not processed.

How to eliminate wrong answers

Option B is wrong because the /24 netmask is correct for a /24 subnet (192.168.10.0/24); a /16 would incorrectly expand the subnet to 192.168.0.0/16, causing routing issues but not preventing VLAN 10 traffic from reaching the interface. Option C is wrong because the zone name 'VLAN10' is purely a logical label and has no effect on VLAN tagging or traffic forwarding; zones are security boundaries, not VLAN identifiers. Option D is wrong because the virtual router assignment is independent of VLAN tagging; even if the virtual router were misconfigured, traffic would still reach the sub-interface and be processed, but routing would fail later—not the cause of traffic not being routed through the interface.

496
Multi-Select (medium)

Which THREE of the following are valid configuration elements for a tunnel interface in Palo Alto Networks?

Select 3 answers
A. Zone
B. IP address
C. Traffic shaping policy
D. Management Profile
E. Netflow profile
Answers: A, B, D

A tunnel interface must be assigned to a zone for security policy.

Why this answer

A tunnel interface requires an IP address, a zone assignment, and optionally a management profile for management access.

497
Multi-Select (hard)

Which THREE of the following can cause App-ID to incorrectly identify traffic?

Select 3 answers
A. Multiple security rules are configured for the same traffic.
B. Asymmetric routing causes the firewall to see only one direction of traffic.
C. SSL decryption is not enabled for the traffic.
D. IP fragmentation occurs before the firewall.
E. Traffic is forwarded through an HTTP proxy.
Answers: B, C, D

Asymmetric routing can prevent the firewall from seeing the full session, causing inaccurate identification.

Why this answer

Asymmetric routing causes App-ID to see only one direction of traffic (e.g., SYN but no SYN-ACK). App-ID relies on bidirectional flow inspection to identify applications; without seeing both directions, the firewall cannot complete the application signature match or protocol handshake, leading to incorrect or failed identification.

Exam trap

The trap here is that candidates often think IP fragmentation is a rare or non-impactful scenario, but it directly prevents App-ID from seeing complete application headers, making it a common cause of misidentification in real-world networks.

498
MCQ (medium)

A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?

A. Create a security policy rule with an application override to match the port.
B. Define a custom application with the appropriate protocol, port, and optionally a signature.
C. Enable SSL decryption on the traffic to inspect encrypted payloads.
D. Add the port to the default application's 'port' field in the application object.
Answer: B

Custom application objects allow the firewall to identify the traffic based on port and/or signature.

Why this answer

Option B is correct because when a custom application uses a proprietary protocol over a non-standard port, the firewall cannot rely on its built-in App-ID signatures. By defining a custom application object with the correct protocol (TCP), port (12345), and optionally a protocol-level signature (e.g., a byte pattern or sequence), the firewall can accurately identify the traffic. This ensures that App-ID can match the traffic even if the port is not commonly associated with any known application.

Exam trap

The trap here is that candidates often confuse 'application override' (which disables App-ID) with 'custom application' (which enhances App-ID), leading them to choose option A when they should instead define a new application object with the correct port and signature.

How to eliminate wrong answers

Option A is wrong because an application override bypasses App-ID entirely, forcing the firewall to treat all traffic on that port as the specified application, which defeats the purpose of dynamic identification and can lead to misclassification or security gaps. Option C is wrong because SSL decryption is irrelevant for a proprietary protocol that does not use TLS/SSL; decrypting encrypted payloads would not help if the traffic is not encrypted or if the protocol is not HTTP-based. Option D is wrong because modifying the default application's 'port' field would incorrectly associate a custom protocol with a built-in application, potentially causing false positives and breaking App-ID's ability to distinguish between applications.

499
MCQmedium

An organization uses a SaaS application that runs on a dynamic set of IP addresses. The application traffic is currently identified as ssl and not as the specific application. How can the administrator improve application identification for this SaaS application?

A.Disable App-ID for that traffic to reduce overhead.
B.Create a custom application with hostname conditions.
C.Use a port-based application override.
D.Configure a URL filtering category for the application.
AnswerB

Hostname conditions match the SNI in TLS, allowing identification even with dynamic IPs.

Why this answer

Option B is correct: creating a custom application with hostname conditions (e.g., matching the TLS SNI) allows the firewall to identify the SaaS application even when its IP addresses change. Option C is wrong because a port-based application override bypasses App-ID. Option D is wrong because URL filtering categories do not affect App-ID classification.

Option A is wrong because disabling App-ID is counterproductive; it removes application visibility instead of improving it.

500
MCQmedium

Refer to the exhibit. An engineer configures HA with link monitoring and path monitoring. However, failover does not occur when ethernet1/2 goes down. What is the likely reason?

A.The HA group-id is not unique in the network
B.HA2 link is down preventing failover
C.Path monitoring interval is set too high, causing delayed failover
D.'link-monitoring' is configured under the high-availability hierarchy but not explicitly enabled
AnswerD

In PAN-OS, link monitoring must be enabled with 'enable yes' under high-availability; interfaces alone do not enable it.

Why this answer

Option D is correct. The exhibit shows 'link-monitoring { interfaces ... }' listing both ethernet1/1 and ethernet1/2 with the failure condition 'any', so a failure of either interface should trigger failover. Failover still does not occur when ethernet1/2 goes down, and the other candidates do not explain it: the group-id is present in the configuration (Option A), HA2 carries session synchronization and does not gate link-monitoring failover (Option B), and the path monitoring interval does not affect link monitoring at all (Option C).

The common pitfall is that in PAN-OS, link monitoring must be enabled at the high-availability level with 'link-monitoring enable yes'; listing interfaces under link-monitoring does not, by itself, activate it. The snippet shows the interface list but no 'enable yes', so link monitoring is configured but not enabled, which is why the interface failure is ignored.

501
MCQhard

A large enterprise uses an active/passive HA pair of PA-5250 firewalls to secure their data center. The network team recently migrated from a flat network to a VXLAN-based overlay. After the migration, they notice that during failover tests, the new active firewall does not forward traffic for VXLAN-terminated VLANs, even though the physical interfaces are up and the HA state transitions correctly. The configuration uses subinterfaces on Ethernet1/1 for each VLAN, with VXLAN tunnel termination on the firewall. The passive firewall receives the configuration sync, but show vxlan tunnel shows no VXLAN tunnels on the new active firewall after failover. The sessions are synced via HA2. The ARP table is correct. Which course of action should the engineer take to resolve the issue?

A.Add static routes for the VXLAN tunnel endpoints on the passive firewall.
B.Enable VXLAN tunnel synchronization under HA setup.
C.Reboot the new active firewall to reload the VXLAN configuration.
D.Configure a policy to send a small amount of traffic through each VXLAN tunnel to trigger tunnel establishment on the new active firewall.
AnswerD

This will cause the firewall to re-establish the VXLAN tunnels dynamically.

Why this answer

Option D is correct because VXLAN tunnels on Palo Alto Networks firewalls are dynamically established based on data-plane traffic. After a failover, the new active firewall does not automatically rebuild the tunnels; it requires traffic to trigger the tunnel establishment. Sending a small amount of traffic through each VXLAN tunnel forces the firewall to initiate the VXLAN tunnel setup, populating the 'show vxlan tunnel' output and restoring traffic forwarding.

Exam trap

The trap here is that candidates assume configuration sync includes dynamic tunnel state, but Palo Alto Networks firewalls do not synchronize VXLAN tunnel state across HA peers, requiring traffic to trigger tunnel establishment on the new active firewall.

How to eliminate wrong answers

Option A is wrong because static routes for VXLAN tunnel endpoints are not required; the firewall learns the tunnel endpoints via the VXLAN configuration and ARP, and adding static routes does not address the dynamic tunnel establishment issue. Option B is wrong because VXLAN tunnel synchronization is not a configurable feature under HA setup; Palo Alto Networks firewalls do not synchronize VXLAN tunnel state via HA2, only session and configuration sync occur. Option C is wrong because rebooting the firewall would not resolve the issue; the VXLAN configuration is already present from the sync, but the tunnels are not established until data traffic triggers them, and a reboot would cause unnecessary downtime without fixing the root cause.

502
Multi-Selectmedium

Which THREE of the following are valid actions that can be taken on a dynamic block list entry? (Choose three.)

Select 3 answers
A.Remove an IP address
B.Add an IP address
C.View the list of blocked IPs
D.Add a username to block
E.Convert a dynamic entry to a static entry
AnswersA, B, C

Entries can be removed manually.

Why this answer

Option A is correct because the dynamic block list in PAN-OS allows administrators to remove an IP address from the list using the 'delete' action via the CLI or API. This is a standard operation for managing entries that were automatically added by automated threat prevention features like WildFire or AutoFocus.

Exam trap

Palo Alto Networks often tests the misconception that the dynamic block list supports usernames or can convert entries to static, but the list is strictly IP-based and temporary by design.

503
MCQhard

A large enterprise uses a pair of PA-5250 firewalls in an active/passive high availability configuration to protect their data center. The firewalls are connected to two upstream switches via aggregate Ethernet (AE) interfaces. The network team recently replaced the upstream switches, and since then, the passive firewall has gone into a 'non-functional' state. The active firewall shows no issues. The HA1 link is a direct cable connection between the firewalls, and HA2 is an out-of-band dedicated link. The administrative status of both firewalls is 'active-active' in the HA monitoring, but only one firewall is actually forwarding traffic. The team needs to restore proper HA operation. Which action should the team take first?

A.Verify the physical connectivity and configuration of the HA2 link, as session synchronization failure can cause the passive node to be non-functional.
B.Reboot the passive firewall to attempt to re-establish HA communication.
C.Check the logs on the passive firewall for new critical events during the switch replacement.
D.Review the path monitoring configuration on both firewalls to ensure that the AE link to the new switches is correctly monitored for failover.
AnswerD

Path monitoring checks data plane connectivity; if the monitored interface is down or misconfigured, the passive firewall goes non-functional. The switch replacement likely altered link characteristics, making the monitored path appear failed.

Why this answer

The passive firewall went non-functional after the switch replacement, suggesting that path monitoring (which tracks data plane connectivity) is misconfigured or that the new switches cause the monitored path to appear down. The first step is to review path monitoring on both firewalls to ensure the AE interface to the new switches is correctly monitored. Checking HA2 (A) is less likely to help since that link is dedicated and unchanged; checking logs (C) is a secondary step; rebooting (B) is disruptive and may not fix the root cause.

504
MCQeasy

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

A.Check the security policy rulebase order and matching
B.Verify the User-ID agent is mapping the IP correctly
C.Check the service configuration for the destination port
D.Check the NAT configuration for the user's subnet
AnswerA

The traffic might be matching a deny rule placed before the allow rule.

Why this answer

The first thing to verify is the security policy rulebase order and matching because Palo Alto Networks firewalls evaluate rules in a top-down order and apply the first matching rule. Even if a rule exists that allows traffic from subnet 10.1.1.0/24 to any, a preceding rule with a deny action or a more specific match could be blocking the traffic from 10.1.1.100. Checking rule order ensures that the intended allow rule is actually being hit before investigating other potential issues.

Exam trap

The trap here is that candidates often jump to NAT or service configuration issues, but the PCNSE exam emphasizes that rule order and first-match logic are the most common root cause of unexpected blocks, especially when a seemingly correct allow rule exists.

How to eliminate wrong answers

Option B is wrong because verifying the User-ID agent mapping is only relevant if the security policy uses user-based criteria (e.g., source user), but the rule in question is based on source IP (subnet 10.1.1.0/24), not user identity. Option C is wrong because checking the service configuration for the destination port is secondary; if the rule is not matched due to order, service configuration is irrelevant until the correct rule is identified. Option D is wrong because NAT configuration affects the translated IP address, not the pre-NAT source IP used for policy matching; the firewall applies security policy before NAT, so NAT issues would not cause the traffic to be blocked by a policy that matches the original source IP.

505
Multi-Selecthard

Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?

Select 3 answers
A.Active/Passive HA with floating IP
B.ECMP with equal cost routes
C.Policy Based Forwarding combined with path monitoring
D.Active/Passive HA with virtual router synchronization
E.Use of multiple public IPs with NAT rules
AnswersA, B, C

HA provides failover; the floating IP moves to the active firewall.

Why this answer

Active/Passive HA with floating IP (Option A) is valid because the passive firewall assumes the active firewall's IP address upon failover, ensuring outbound traffic continues via the same default gateway. ECMP with equal cost routes (Option B) distributes outbound traffic across multiple paths and provides redundancy by automatically failing over if one path is lost. Policy Based Forwarding combined with path monitoring (Option C) allows you to define forwarding policies based on traffic attributes and monitor path health, redirecting traffic if a monitored path fails.

Exam trap

The trap here is that candidates confuse virtual router synchronization (which only replicates routing tables) with actual failover mechanisms like floating IPs or path monitoring, assuming that synchronized routing alone provides redundancy for outbound traffic.

506
MCQmedium

An engineer checks the application counter and sees that my-custom-app has zero packets, but they expected traffic from 10.0.0.0/24 to 10.1.0.0/24 to be identified as my-custom-app. What is the most likely reason?

A.The traffic is being identified as ssl instead.
B.The application override rule does not have the correct port.
C.The security policy does not allow the traffic.
D.The custom application my-custom-app is not committed.
AnswerB

Without a port, the override rule does not trigger, and traffic is identified normally.

Why this answer

The application override rule does not specify a port or service. By default, app override rules require a port to match; without it, the rule fails to match, and traffic is identified by default signatures.

507
MCQmedium

A company recently deployed a Palo Alto Networks PA-5250 firewall in a data center. The firewall is configured with multiple virtual routers and is connected to an MPLS WAN router and an internet router. The network team reports that users can access internet resources but cannot reach a critical application hosted in a remote branch office over the MPLS link. The application uses TCP port 443 and is accessed via a fully qualified domain name (FQDN). The security policy includes a rule that allows traffic from the internal zone to the MPLS zone with the application 'ssl' and the destination address set to the FQDN of the application server. The internal DNS server resolves the FQDN correctly to the private IP address 10.20.30.40. The firewall has DNS proxy enabled, but the DNS server is configured as the internal DNS server. The administrator runs a packet capture and sees that the firewall is sending DNS queries for the FQDN to the internal DNS server but the response is not being used to update the dynamic address group (DAG) that is referenced in the security policy. The DAG is configured with a 'FQDN' match criteria. What is the most likely cause?

A.Configure a security policy rule to allow DNS traffic from the firewall to the internal DNS server
B.Change the security policy to use the IP address instead of the FQDN
C.Enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object
D.Configure a static route for the FQDN's IP address pointing to the MPLS interface
AnswerC

This option must be enabled for the firewall to update DAGs based on DNS responses.

Why this answer

Option C is correct because the DNS Proxy object must have the 'Allow FQDN to be updated in DAG' option enabled for the firewall to use DNS responses to update the Dynamic Address Group (DAG) that matches on FQDN. Without this setting, the firewall sends DNS queries but ignores the responses for DAG updates, so the security policy rule referencing the DAG never matches the destination IP address (10.20.30.40), causing traffic to be dropped.

Exam trap

The trap here is that candidates assume DNS Proxy automatically updates DAGs when FQDN match criteria are used, but Palo Alto requires an explicit checkbox to enable this behavior, and many overlook it because they focus on the DNS query/response flow rather than the DAG update configuration.

How to eliminate wrong answers

Option A is wrong because DNS traffic from the firewall to the internal DNS server is already occurring (the packet capture shows queries being sent), so a separate security policy rule for DNS is not needed; the issue is that the responses are not being processed for DAG updates. Option B is wrong because using a static IP address would bypass the FQDN-based DAG mechanism entirely, but the question asks for the most likely cause of the current failure, not a workaround; the design intends to use FQDN for flexibility. Option D is wrong because a static route for the FQDN's IP address is irrelevant; the firewall already has routing via the virtual router connected to the MPLS interface, and the problem is policy matching, not routing.

508
Multi-Selecteasy

A systems administrator needs to configure log forwarding to an external syslog server for Security policies. Which two actions are required to achieve this? (Choose two.)

Select 2 answers
A.Create a syslog server profile under Device > Server Profiles > Syslog.
B.Create an SNMP trap profile under Device > Server Profiles > SNMP Trap.
C.Directly apply the syslog server profile to each Security policy rule.
D.Enable log forwarding under the firewall's Device > Setup > Logging and Reporting settings.
E.Create a Log Forwarding profile that references the syslog server profile and apply it to Security policy rules.
AnswersA, E

A syslog server profile is required to define the destination syslog server.

Why this answer

To forward logs to an external syslog server, you must first create a syslog server profile under Device > Server Profiles > Syslog (option A). Then you need to create a Log Forwarding profile that references that server profile and apply it to the Security policy rules (option E). Options B, C, and D are incorrect because SNMP traps serve a different purpose, a server profile cannot be applied directly to a rule, and there is no global log forwarding setting under Logging and Reporting.

509
MCQmedium

An administrator wants to ensure that all traffic from the internal network to the internet uses a specific public IP address for source NAT. There are multiple public IP addresses available. What is the best way to achieve this?

A.Configure a NAT IP pool
B.Use a static NAT policy
C.Create a dynamic IP and port (DIPP) NAT policy with the specific IP as translated address
D.Use a PAT pool
AnswerC

DIPP NAT can use a specific public IP address for source NAT.

Why this answer

Option C is correct because a Dynamic IP and Port (DIPP) NAT policy allows you to specify a single translated address (the specific public IP) while still performing port address translation (PAT) to handle multiple internal sessions. This ensures all outbound traffic uses that exact public IP, unlike a pool which would distribute across multiple IPs. DIPP is the standard method for source NAT with a single IP when many internal hosts need concurrent internet access.

Exam trap

The trap here is confusing a NAT IP pool (which distributes traffic across multiple IPs) with a DIPP policy that uses a single IP, leading candidates to incorrectly select option A or D when the requirement is to use a specific single public IP.

How to eliminate wrong answers

Option A is wrong because a NAT IP pool distributes traffic across multiple public IPs, not guaranteeing a single specific IP for all traffic. Option B is wrong because static NAT is a one-to-one mapping between a private IP and a public IP, not suitable for many-to-one source NAT from an entire internal network. Option D is wrong because a PAT pool is a specific type of NAT IP pool that uses port translation but still distributes sessions across multiple IPs in the pool, failing to enforce a single public IP.

510
MCQeasy

An administrator configures a VPN tunnel between two Palo Alto firewalls. The tunnel shows as active, but traffic is not being encrypted. What configuration step is most likely missing?

A.The encryption algorithm must be set to null.
B.A NAT policy to translate private addresses.
C.A security policy allowing traffic from the tunnel interface to the destination.
D.The tunnel interface must be assigned to a security zone.
AnswerC

Without a policy, traffic is dropped.

Why this answer

Even if the tunnel is active, a security policy is required to allow traffic from the source to the destination zone; without it, packets are dropped before encryption.

511
MCQeasy

The traffic log shows a threat severity 'medium' and the threat log shows action 'allow' for the same session. What is the most likely reason that the threat was allowed?

A.The security policy rule that matched this traffic is configured to allow the threat.
B.The action 'allow' in the threat log is misleading; the traffic was actually blocked.
C.The threat was not detected by the firewall.
D.The threat log does not record blocked threats.
AnswerA

The profile for that rule likely has an 'allow' action for this threat.

Why this answer

The threat log shows action 'allow' because the security policy rule that matched the session is configured with an action of 'allow'. When a threat is detected but the security rule permits the traffic, the firewall still allows the session to pass, and the threat is logged with the action taken by the rule. This is a common scenario where the firewall's threat prevention profile is set to 'alert' rather than 'block', or the rule's action overrides the threat action.

Exam trap

The trap here is that candidates assume the threat log action reflects the threat prevention profile's action (e.g., block), but it actually reflects the security policy rule's action, leading them to incorrectly think the threat was not detected or that the log is misleading.

How to eliminate wrong answers

Option B is wrong because the threat log action 'allow' accurately reflects that the firewall permitted the traffic; it is not misleading, as the firewall logs the actual action taken. Option C is wrong because the threat log entry itself confirms that the threat was detected (severity 'medium' is recorded), so the threat was indeed detected. Option D is wrong because the threat log does record blocked threats; if a threat were blocked, the action would show 'block' or 'reset-both', not 'allow'.

512
Multi-Selecteasy

Which TWO actions should be taken when deploying a Palo Alto Networks firewall in a branch office to ensure secure and efficient operation? (Choose two.)

Select 2 answers
A.Enable Threat Prevention profiles to block known malware
B.Configure logging for all traffic to enable monitoring and troubleshooting
C.Leave the default admin password until the next audit
D.Use the default NAT policies provided by the initial configuration
E.Manually download dynamic updates daily to ensure latest signatures
AnswersA, B

Threat prevention is critical for security; without it, the firewall is not fully effective.

Why this answer

Enabling Threat Prevention profiles (A) is correct because it applies IPS signatures to block known malware, exploits, and vulnerabilities inline, which is essential for branch office security without requiring constant manual intervention. Configuring logging for all traffic (B) is correct because it provides visibility for monitoring, troubleshooting, and compliance, and is necessary for effective use of features like ACC and reporting.

Exam trap

The trap here is that candidates may think default NAT policies are acceptable for branch offices or that manual updates are more reliable, but the PCNSE exam emphasizes automation and security best practices, making options D and E incorrect due to their lack of scalability and security posture.

513
Multi-Selecthard

Based on the exhibit, which THREE conclusions can be drawn?

Select 3 answers
A.The session was matched by the security rule 'allow-ssl'.
B.The source NAT is not translating the source IP.
C.The traffic is using UDP protocol.
D.The session is in an active state.
E.The session is destined for a public IP address.
AnswersA, D, E

Both Policy ID and Rule show 'allow-ssl'.

Why this answer

Options A, D, and E are correct. The session matched rule 'allow-ssl' (A). The session state is ACTIVE (D). The destination IP 203.0.113.50 is a public IP address (E).

Option B is incorrect because the NAT source IP differs from the original source IP (10.10.1.100 -> 192.0.2.100), indicating source NAT is applied. Option C is incorrect because the protocol is TCP, not UDP.

514
MCQeasy

A company operates a pair of PA-3220 firewalls in an active/passive HA configuration. The passive firewall is experiencing intermittent HA keepalive failures, causing unnecessary failovers every few minutes. The network engineer checks the HA1 interface statistics and notices packet loss on the dedicated HA1 link. The engineer suspects a physical layer issue. However, the engineer also wants to reduce the sensitivity of the HA keepalive mechanism to tolerate occasional packet loss without triggering a failover. The firewalls are currently using default HA keepalive settings. What should the engineer do to reduce the frequency of false failovers without compromising the ability to detect a true failure?

A.Disable HA1 link monitoring and rely solely on path monitoring.
B.Change the HA mode to active/active to balance traffic and reduce load on the active unit.
C.Enable HA2 and configure it as a second heartbeat link for redundancy.
D.Increase the HA timer (keepalive interval) and increase the number of missed keepalives allowed.
AnswerD

This makes the HA detection less sensitive to sporadic packet loss while still recognizing persistent failure.

Why this answer

Increasing the keepalive interval (making keepalives less frequent) and increasing the number of missed keepalives allowed before declaring a failure lets the firewall tolerate occasional packet loss, reducing false failovers while still detecting a persistent failure. Option A would not address keepalive loss and removes a detection mechanism; B changes the HA mode but does not reduce keepalive sensitivity; C adds redundancy but does not reduce sensitivity and may add complexity.

515
MCQeasy

A company uses a Palo Alto Networks firewall with App-ID enabled. They have a custom application that communicates over TCP port 5001. The administrator has created a custom App-ID signature and a security rule that allows this application from the internal zone (trust) to the external zone (untrust). Users report that the custom application traffic is being blocked. The administrator checks the traffic logs and sees that the sessions are being matched to a different security rule that denies any traffic from trust to untrust. The deny rule appears before the custom allow rule in the policy list. The custom App-ID signature is properly defined and tested. What should the administrator do to resolve this issue?

A.Modify the custom App-ID signature to match more precisely.
B.Create an application override for the custom application.
C.Add a virtual wire interface to ensure traffic reaches the firewall.
D.Reorder the security rules so the custom allow rule is above the deny rule.
AnswerD

Placing the more specific allow rule before the broad deny rule ensures the traffic matches the correct rule.

Why this answer

Option D is correct because the deny rule is matching before the allow rule due to policy ordering. Reordering the rules to place the custom allow rule before the deny rule will allow the traffic. Option A is wrong because the custom signature is already correctly defined.

Option B is wrong because application override is not needed; the signature works. Option C is wrong because the traffic is reaching the firewall, as shown by the logs.

516
MCQeasy

Refer to the exhibit. Which configuration is required in the authentication profile 'SAML-Auth'?

A.SAML identity provider profile
B.LDAP server profile
C.RADIUS server
D.Kerberos realm
AnswerA

The authentication profile must include an IdP profile for SAML to work.

Why this answer

Option A is correct because a SAML authentication profile must reference a SAML identity provider profile that contains the IdP metadata. Option B is incorrect because an LDAP server profile is for LDAP authentication. Option D is incorrect because a Kerberos realm is for Kerberos authentication.

Option C is incorrect because a RADIUS server is for RADIUS authentication.
