CCNA Deploy and Configure Firewalls Questions

52 questions · Deploy and Configure Firewalls · All types, answers revealed

1
MCQ · easy

A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny' with the rule being 'Allow-SSL'. What is the most likely cause?

A. The destination IP is in a blacklist.
B. The security rule is placed too low in the rulebase.
C. The security rule 'Allow-SSL' has 'service' set to 'application-default' but the website uses port 8443.
D. The SSL certificate is expired.
Answer: C

Application-default restricts matching to the default port (443 for ssl), so port 8443 traffic does not match.

Why this answer

The security rule 'Allow-SSL' has 'service' set to 'application-default', so it only permits each listed application on that application's standard port(s); for 'ssl' that is TCP 443. The website listens on 8443, so App-ID still identifies the session as 'ssl', but the service condition is not satisfied and the session is denied. To confirm before changing anything, run `test security-policy-match from <from-zone> to <to-zone> source <client> destination <server> protocol 6 destination-port 8443 application ssl` and compare it with the same lookup on port 443. The fix is a service object for TCP 8443 on that rule (or a dedicated rule for that server), not a switch to service 'any'.

Exam trap

The trap here is that candidates assume the 'Allow-SSL' rule should match all SSL traffic regardless of port, but the exam tests the nuance that 'application-default' restricts the rule to the default port(s) of each listed application, so 'ssl' on a non-standard port such as 8443 is denied.

How to eliminate wrong answers

Option A is wrong because a blacklist (for example an external dynamic list referenced by a block rule) would log the deny against that block rule, not against a rule named 'Allow-SSL'. Option B is wrong because the log shows 'Allow-SSL' as the matching rule, so its position in the rulebase is not the issue; the rule's service condition is what failed. Option D is wrong because an expired server certificate produces browser warnings or a TLS handshake failure, not a policy deny; the firewall only evaluates certificate validity when the session is being decrypted and the Decryption profile is set to block expired certificates, and nothing in the scenario indicates decryption.

2
MCQ · medium

Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?

A. The next hop 10.1.1.200 for the destination 10.3.3.0/24 is unreachable.
B. The destination network 10.3.3.0/24 is not in the routing table.
C. The source network 10.2.2.0/24 is not in the routing table.
D. The default route 0.0.0.0/0 is missing.
Answer: A

If next hop is down, traffic cannot be forwarded.

Why this answer

The routing table shows a route to 10.3.3.0/24 with next hop 10.1.1.200. A route is only usable if its next hop resolves: if 10.1.1.200 does not answer ARP, the egress interface is down, or the firewall has no route to the next hop itself, the packet cannot be forwarded even though a security rule permits the session. On the firewall, `show routing route` shows whether the route is installed and `show arp all` shows whether 10.1.1.200 has a valid ARP entry; `test routing fib-lookup virtual-router <name> ip 10.3.3.10` shows which route and interface the lookup selects.

Exam trap

The trap here is that candidates assume a missing route is the problem, but the question tests whether you recognize that a route can exist yet still fail if the next hop is unreachable.

How to eliminate wrong answers

Option B is wrong because the routing table explicitly shows the destination network 10.3.3.0/24, so it is present. Option C is wrong because the source network does not need to be in the routing table for forwarding; routing decisions are based on the destination IP, not the source. Option D is wrong because a default route is not required when a specific route to the destination (10.3.3.0/24) already exists; the firewall will use that specific route instead.
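As an added example (not part of the original question bank), the lookup the firewall performs in Q2, modeled in Python: longest-prefix match on the destination only, then next-hop resolution. The routing table, interface states, and ARP entries below are constructed to match the scenario as described; the exhibit itself is not on this page, so prefixes and interface names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Route:
    prefix: str                      # destination network, e.g. "10.3.3.0/24"
    interface: str                   # egress interface
    next_hop: Optional[str] = None   # None means directly connected


@dataclass
class VirtualRouter:
    routes: List[Route]
    interfaces_up: Set[str]
    resolved_neighbors: Set[str]     # next hops with a usable ARP/neighbor entry

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match on the destination. The source is never consulted."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in ip_network(r.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)

    def forward(self, src: str, dst: str) -> str:
        # src is accepted only to make the point that it plays no part in the decision.
        route = self.lookup(dst)
        if route is None:
            return "drop: no route"
        if route.interface not in self.interfaces_up:
            return f"drop: {route.interface} is down"
        gateway = route.next_hop or dst  # connected network: resolve the destination itself
        if gateway not in self.resolved_neighbors:
            return f"drop: next hop {gateway} unreachable on {route.interface}"
        return f"forward via {route.interface} to {gateway}"


def q2_table() -> List[Route]:
    """Constructed routing table modeled on the Q2 scenario (assumed interface names)."""
    return [
        Route("10.1.1.0/24", "ethernet1/1"),                # connected; 10.1.1.200 lives here
        Route("10.2.2.0/24", "ethernet1/2"),                # connected; the source network
        Route("10.3.3.0/24", "ethernet1/1", "10.1.1.200"),  # static route via next hop
        Route("0.0.0.0/0", "ethernet1/1", "10.1.1.1"),      # default route
    ]


def q2_healthy() -> str:
    vr = VirtualRouter(q2_table(), {"ethernet1/1", "ethernet1/2"}, {"10.1.1.1", "10.1.1.200"})
    return vr.forward("10.2.2.10", "10.3.3.10")


def q2_next_hop_down() -> str:
    """Option A: the route is present, but 10.1.1.200 never answers ARP."""
    vr = VirtualRouter(q2_table(), {"ethernet1/1", "ethernet1/2"}, {"10.1.1.1"})
    return vr.forward("10.2.2.10", "10.3.3.10")


def q2_no_default_route() -> str:
    """Option D: the default route is irrelevant when a more specific route exists."""
    vr = VirtualRouter(q2_table()[:3], {"ethernet1/1", "ethernet1/2"}, {"10.1.1.200"})
    return vr.forward("10.2.2.10", "10.3.3.10")


def q2_no_source_route() -> str:
    """Option C: removing the source network from the table does not change the decision."""
    table = [r for r in q2_table() if r.prefix != "10.2.2.0/24"]
    vr = VirtualRouter(table, {"ethernet1/1", "ethernet1/2"}, {"10.1.1.1", "10.1.1.200"})
    return vr.forward("10.2.2.10", "10.3.3.10")
```

The four scenario functions map onto the four options: only the missing ARP entry for 10.1.1.200 turns the decision into a drop, while the absent default route and the absent source route leave forwarding unchanged.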

3
Matching · medium

Match each type of route to its description.

Static route: Manually configured by the administrator

OSPF route: Learned via a link-state routing protocol

BGP route: Learned via a path-vector routing protocol

Connected route: Directly attached network

Default route: Used when no more specific route matches the destination

Why these pairings

All five route types can appear in a firewall virtual router's routing table. Connected routes come from the addresses assigned to interfaces, static routes from configuration, OSPF and BGP routes from their respective protocols (link-state and path-vector), and the 0.0.0.0/0 default route is the catch-all used only when no longer prefix matches the destination.

4
MCQ · hard

In a Panorama-managed deployment, the device group has a rule called 'Allow-Web' that allows 'web-browsing'. The local firewall also has a rule with the same name and content. After Panorama pushes the device group configuration, what happens to the local rule?

A. Both rules are present; the device group rule takes precedence and the local rule is not installed.
B. The local rule is overwritten by the device group rule.
C. The local rule is deleted.
D. The rules are merged into a single rule.
Answer: A

Device group rules are installed with precedence over local rules; a local rule whose name collides with a pushed rule stays in the local configuration but is not installed.

Why this answer

In a Panorama-managed deployment, when a device group rule and a local firewall rule share the same name, Panorama does not overwrite or delete the local rule. Instead, the device group rule is installed and takes precedence, while the local rule remains on the firewall but is not active in the rulebase. This is because Panorama manages the device group configuration as a separate administrative domain, and local rules are preserved to allow for local override scenarios.

Exam trap

The trap here is that candidates often assume Panorama overwrites or merges local rules with device group rules, but in reality, Panorama preserves local rules and simply does not install them when a name conflict exists, testing the understanding of Panorama's non-destructive configuration management.

How to eliminate wrong answers

Option B is wrong because Panorama does not overwrite the local rule; the local rule remains intact but is not installed when a device group rule with the same name exists. Option C is wrong because the local rule is not deleted; it is preserved on the firewall for potential local use or rollback. Option D is wrong because the rules are not merged; Panorama enforces the device group rule as the active rule, and the local rule is simply not installed, maintaining separation between device group and local configurations.

5
MCQ · medium

A company has deployed two PA-5250 firewalls in an active/passive high-availability pair. The passive firewall shows the status 'non-functional' after a reboot. The active firewall is still passing traffic. The administrator checks the HA configuration and sees that the preemptive setting is enabled on both firewalls. What is the most likely cause of the passive firewall showing 'non-functional'?

A. The preemptive setting is causing the passive firewall to remain in non-functional state until a failover occurs.
B. The HA2 keepalive timer has expired.
C. The management port (MGT) on the passive firewall is down or unplugged.
D. The hello interval on the passive firewall is set to a different value than on the active firewall.
Answer: C

A down MGT port breaks the HA1 control link when HA1 is carried on the MGT interface, and the affected peer reports 'non-functional'.

Why this answer

The PA-5250 uses the MGT port for out-of-band management and, in some HA configurations, for HA1 control link connectivity. If the MGT port on the passive firewall is down or unplugged, the firewall cannot establish or maintain the HA1 heartbeat, causing it to report as 'non-functional' even though the active firewall continues to pass traffic. The preemptive setting only affects role negotiation after a failover, not the initial functional status after a reboot.

Exam trap

The trap here is that candidates often associate 'non-functional' with HA2 session synchronization issues or preemptive settings, but the correct cause is a failure of the HA1 control link, which in many Palo Alto HA designs relies on the MGT port being up and connected.

How to eliminate wrong answers

Option A is wrong because the preemptive setting controls whether a higher-priority firewall automatically reassumes the active role after recovering, not whether a firewall enters a 'non-functional' state after a reboot. Option B is wrong because the HA2 keepalive monitors session-synchronization traffic on the HA2 link; a keepalive failure is reported as an HA2 problem (and, with the default action, only logged), not as a 'non-functional' HA state. Option D is wrong because mismatched hello intervals would cause intermittent HA1 heartbeat failures and potential split-brain scenarios, but the passive firewall would still show as 'passive' or 'active' rather than 'non-functional'.

6
MCQ · hard

An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?

A. The source address 10.0.0.0/8 is not included in the source zone.
B. The destination address is set to 'any', which is not valid.
C. The traffic is intra-zone, not inter-zone.
D. A rule with a 'deny' action appears earlier in the security policy.
Answer: D

If a deny rule matches before the allow rule, the traffic is denied.

Why this answer

The most likely reason the inter-zone rule is not matched is that a preceding rule with a 'deny' action is matching the traffic first. In Palo Alto Networks firewalls, security rules are evaluated in order from top to bottom, and the first matching rule determines the action. If an earlier rule denies the traffic, the later allow rule will never be evaluated, even if it would otherwise match.

Exam trap

The trap here is that candidates often assume the rule itself is misconfigured (e.g., source or destination issues) rather than recognizing that a higher-priority deny rule is preempting the intended allow rule.

How to eliminate wrong answers

Option A is wrong because the source address 10.0.0.0/8 is a prefix, not a zone; the source zone is 'Trust', and the rule's source address is independent of whether the address is included in the zone definition. Option B is wrong because 'any' is a valid destination address in a security rule, meaning all destinations are matched. Option C is wrong because the traffic is explicitly described as inter-zone (Trust to Untrust), and intra-zone traffic would involve the same zone, which is not the case here.
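An added example, not part of the original page: a small Python model of the two mechanisms behind Q1 and Q6 (and the later Q10, Q13, and Q16, which test the same points): top-down first-match evaluation ending in the implicit intrazone-default/interzone-default rules, and the 'application-default' service check. The App-ID default-port table and the rulebases are constructed, and zone and address values are assumptions. A rule that matched on zones, addresses, and application but failed on service is recorded as a "near miss", so the result shows which Allow rule the session almost matched, which is the situation the Q1 and Q16 traffic logs describe.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple, Union

# Constructed subset of App-ID default ports; on a firewall this mapping comes
# from the application content database.
APP_DEFAULT_PORTS = {
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80)},
    "ssh": {("tcp", 22)},
}

# "any" | "application-default" | explicit set of (protocol, port)
Service = Union[str, Set[Tuple[str, int]]]


def any_set() -> Set[str]:
    return {"any"}


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str        # application as identified by App-ID
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str     # "allow" or "deny"
    from_zones: Set[str] = field(default_factory=any_set)
    to_zones: Set[str] = field(default_factory=any_set)
    sources: Set[str] = field(default_factory=any_set)   # CIDR prefixes or "any"
    apps: Set[str] = field(default_factory=any_set)
    service: Service = "application-default"


def _named(allowed: Set[str], value: str) -> bool:
    return "any" in allowed or value in allowed


def _addr(allowed: Set[str], addr: str) -> bool:
    return "any" in allowed or any(ip_address(addr) in ip_network(p) for p in allowed)


def _service(rule: Rule, s: Session) -> bool:
    if isinstance(rule.service, str):
        if rule.service == "any":
            return True
        # application-default: only the identified app's standard port(s) qualify
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.dport) in rule.service


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str, List[str]]:
    """Top-down, first match wins. Returns (rule name, action, near misses)."""
    near_misses: List[str] = []
    for r in rules:
        if not (_named(r.from_zones, s.from_zone) and _named(r.to_zones, s.to_zone)
                and _addr(r.sources, s.src) and _named(r.apps, s.app)):
            continue
        if _service(r, s):
            return r.name, r.action, near_misses
        near_misses.append(f"{r.name}: {s.app} on {s.proto}/{s.dport} is not in the rule's service")
    # Implicit rules at the bottom of every PAN-OS rulebase
    if s.from_zone == s.to_zone:
        return "intrazone-default", "allow", near_misses
    return "interzone-default", "deny", near_misses


TRUST_OUT = dict(from_zones={"Trust"}, to_zones={"Untrust"}, sources={"10.0.0.0/8"})


def q1_application_default(dport: int, explicit_8443: bool = False):
    """Q1/Q16: 'ssl' on 8443 fails application-default unless 8443 is listed explicitly."""
    service: Service = {("tcp", 443), ("tcp", 8443)} if explicit_8443 else "application-default"
    rules = [Rule("Allow-SSL", "allow", apps={"ssl"}, service=service, **TRUST_OUT)]
    s = Session("Trust", "Untrust", "10.2.2.10", "203.0.113.50", "ssl", "tcp", dport)
    return evaluate(rules, s)


def q6_rule_order(deny_first: bool):
    """Q6/Q10/Q13: the same two rules give opposite results depending on their order."""
    deny = Rule("Deny-Legacy-Subnet", "deny", service="any", **TRUST_OUT)
    allow = Rule("Allow-Trust-Out", "allow", service="any", **TRUST_OUT)
    s = Session("Trust", "Untrust", "10.5.5.5", "198.51.100.7", "web-browsing", "tcp", 80)
    return evaluate([deny, allow] if deny_first else [allow, deny], s)
```

`q1_application_default(8443)` falls through to interzone-default with 'Allow-SSL' listed as the near miss; the same session on 443, or on 8443 with the port listed explicitly in the service, is allowed by 'Allow-SSL'. `q6_rule_order(True)` and `q6_rule_order(False)` show the deny and allow rules swapping outcomes with nothing but their order changed.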

7
MCQ · easy

A medium-sized enterprise recently deployed a PA-5250 firewall in a data center as the primary internet gateway. The network team configured the security policies to allow all outbound web traffic (HTTP/HTTPS) from the internal trust zone to the untrust zone, with URL filtering and threat prevention enabled. After the deployment, users complain that some legitimate websites, such as banking and healthcare portals, are being blocked. The team checks the URL filtering logs and sees that these sites are categorized as 'web-hosting' or 'dynamic-dns', which are in the block list. The company's compliance requires that all web traffic be inspected. What should the network engineer do to resolve the issue without reducing security?

A. Add the specific URLs to the 'Allow List' in the URL filtering profile
B. Set the URL filtering profile action for 'web-hosting' to 'alert' instead of 'block'
C. Create a URL category override for each legitimate site to reclassify it as 'business-economy' or 'health-medicine'
D. Remove the 'web-hosting' and 'dynamic-dns' categories from the block list
Answer: C

Reclassifying only the affected URLs changes which category action applies to them; the block actions for 'web-hosting' and 'dynamic-dns' stay in place for every other site, and the rest of the security profiles on the rule still apply.

Why this answer

Option C is correct because URL category overrides allow you to reclassify specific URLs into a more appropriate category (e.g., 'health-medicine') without altering the global block action for 'web-hosting' or 'dynamic-dns'. This preserves the security posture by keeping the broad categories blocked for unknown or risky sites, while permitting the legitimate sites that were miscategorized by the Palo Alto Networks URL filtering database.

Exam trap

The trap here is that candidates reach for the allow list (Option A) without realizing that an allow-list entry exempts those URLs from URL filtering evaluation and logging altogether, which removes exactly the URL inspection the compliance requirement depends on.

How to eliminate wrong answers

Option A is wrong because an allow-list entry in the URL filtering profile exempts those URLs from URL category evaluation and URL logging; other security profiles attached to the rule, such as Threat Prevention, still run, but the URL inspection the compliance requirement calls for is lost for those sites. Option B is wrong because setting the action for 'web-hosting' to 'alert' would allow every site in that category, including potentially malicious ones, reducing security by permitting unvetted traffic. Option D is wrong because removing 'web-hosting' and 'dynamic-dns' from the block list would globally allow all sites in those categories, including malicious ones, which undermines the security policy and compliance requirements.

8
MCQ · easy

What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?

A. The application 'ssl' is not allowed in any security rule.
B. The session ended with TCP FIN, causing the firewall to deny.
C. The destination IP is blacklisted.
D. The security rule 'default-deny' explicitly blocks this traffic.
Answer: A

No user-defined rule permits the application, so the session fell through to the catch-all deny at the bottom of the rulebase.

Why this answer

The traffic from 192.168.1.100 to 203.0.113.50 is denied because no security rule permits the 'ssl' application between these zones, either by naming 'ssl' (or an application group or filter that contains it) or by allowing application 'any'. App-ID identifies the session by application after the first few packets, and a rule that lists applications only matches when the identified application is in that list, so a rule that permits other applications between the same addresses does not help.

Exam trap

The trap here is that candidates assume a rule written for the addresses and port (e.g., TCP/443) is enough, but a rule that names applications matches on App-ID, not on the port: HTTPS identified as 'ssl' is denied if 'ssl' is not among the permitted applications, even though a rule with application 'any' on the same addresses would have permitted it.

How to eliminate wrong answers

Option B is wrong because a TCP FIN flag does not cause a firewall to deny traffic; it is part of a normal session teardown and would not result in a deny action. Option C is wrong because there is no indication in the question that the destination IP is blacklisted, and blacklisting is typically done via external feeds or manual entries, not implied by a simple deny. Option D is wrong because the catch-all rule at the end of the rulebase (the implicit interzone-default, or a user-created 'default-deny' in the same position) is where the session ended up, not why; the question asks for the most likely reason, which is the absence of any rule that permits 'ssl'.

9
MCQ · hard

An administrator wants to ensure that all traffic from the 'Trust' zone to the 'Untrust' zone is inspected by WildFire. Which configuration is required?

A. Create a separate WildFire rule.
B. Enable WildFire on the security rule.
C. Configure a WildFire profile and attach it to the security rule.
D. Enable WildFire globally under Device > Setup.
Answer: C

A WildFire profile must be added to the security rule's profile section.

Why this answer

WildFire inspection is applied via a security rule using a WildFire Analysis profile. The profile defines the file types and verdict actions (e.g., alert, block) for files submitted to WildFire. Attaching this profile to the security rule that governs Trust-to-Untrust traffic ensures all matching traffic is inspected by WildFire.

Exam trap

The trap here is that candidates confuse WildFire's global registration settings (Device > Setup > WildFire) with the per-rule profile attachment required for actual traffic inspection, leading them to select the global enablement option.

How to eliminate wrong answers

Option A is wrong because WildFire does not use separate rules; it is a profile-based feature attached to security rules. Option B is wrong because there is no toggle to 'enable WildFire on the security rule' directly; you must configure and attach a WildFire Analysis profile. Option D is wrong because there is no global switch that subjects traffic to WildFire: Device > Setup > WildFire holds general settings such as the WildFire cloud and file size limits, but files are only forwarded for analysis when a WildFire Analysis profile (Objects > Security Profiles > WildFire Analysis) is attached to the security rule the traffic matches.

10
MCQ · easy

An administrator notices that URL filtering is not blocking a specific category as configured. What is the first troubleshooting step?

A. Verify the security policy order
B. Review the URL filtering profile
C. Check the URL filtering license
D. Check the PAN-DB version
Answer: A

If a policy with a different URL filtering profile matches first, the configuration may not be applied as intended.

Why this answer

The most common reason URL filtering fails to block a specific category is that a rule earlier in the rulebase matches the traffic first, without the intended URL Filtering profile (or with a different one). Security policy is evaluated top-down and the first match wins, so if an earlier rule allows the traffic without the profile, the configured block action is never reached. Verifying the security policy order is therefore the first and most logical troubleshooting step; `test security-policy-match` with the affected source, destination, and application shows which rule the traffic actually hits.

Exam trap

The exam tests the misconception that a misconfigured profile or license is the primary cause, when the more common problem is that the profile is not attached to the rule the traffic actually matches; policy order and first-match evaluation are checked before the profile itself.

How to eliminate wrong answers

Option B is wrong because reviewing the URL filtering profile is a secondary step; the profile may be correctly configured but never applied if a higher-priority policy matches first. Option C is wrong because a missing or expired URL filtering license would typically prevent the firewall from performing any URL filtering at all, not cause a specific category to be unblocked while others work. Option D is wrong because checking the PAN-DB version is relevant when categories are missing or outdated, but it does not explain why a configured block action is not being enforced on traffic that is already matching a policy.

11
MCQ · hard

A company has deployed a Palo Alto Networks firewall in an active/passive high-availability (HA) pair. The firewall uses BGP for dynamic routing with two upstream ISPs to provide load-balanced internet connectivity. After an HA failover event, the network team notices that outbound traffic from internal hosts is now using only one of the two ISPs, even though BGP sessions are established on both firewalls and the passive firewall has learned the same routes as the active one. The security policy permits all outbound traffic. No changes were made to the BGP configuration. Which of the following is the most likely cause of this behavior, and what is the appropriate solution?

A. The firewall's asymmetric routing detection is dropping traffic; disable asymmetric routing enforcement.
B. The HA configuration has ECMP disabled; enable ECMP in the dataplane settings on the active firewall.
C. The BGP configuration on the passive firewall is not identical to the active one; apply the same BGP configuration to both.
D. The passive firewall is not advertising routes to the ISPs because HA state synchronization is not enabled; enable state synchronization.
Answer: B

ECMP lets the virtual router install and use several equal-cost routes at once; without it only one best path is installed, so all outbound traffic leaves through a single ISP.

Why this answer

Option B is correct because ECMP (Equal Cost Multi-Path) must be enabled on the virtual router for the firewall to install both BGP-learned default routes and load-balance across them. With ECMP disabled, only one best path is installed after the failover, so traffic uses a single ISP even though both BGP sessions are up and both peers have learned the same routes.

Exam trap

The trap here is that established BGP sessions and identical learned routes on both peers steer candidates toward a BGP or HA synchronization problem, when the question is really about whether the routing table can hold more than one path to the same destination at a time.

How to eliminate wrong answers

Option A is wrong because asymmetric routing detection affects return traffic that arrives on a different path than the firewall expects, not the outbound path selection. Option C is wrong because the passive firewall's BGP configuration does not influence routing on the active firewall until it becomes active, and the question states that the BGP configuration was not changed. Option D is wrong because HA state synchronization carries session state, not routing decisions, and it has no bearing on how many paths the active firewall installs.

12
MCQ · hard

A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?

A. It drops the traffic
B. It forwards the traffic normally
C. It logs and alerts
D. It strips the IP options and forwards
Answer: A

This is the default security behavior to prevent potential attacks using IP options.

Why this answer

By default, Palo Alto Networks firewalls drop traffic with IP options enabled because options such as source routing and record route can be used to steer packets around security controls or evade inspection. The firewall treats such packets as a potential security risk and discards them rather than forwarding or rewriting them. Verify the behavior on your own PAN-OS version before relying on it: the per-option drop switches (strict and loose source routing, timestamp, record route, security, stream ID, unknown, malformed) live in Zone Protection profile > Packet Based Attack Protection > IP Drop, and `show counter global filter severity drop` lists the drop counters such packets increment.

Exam trap

The trap here is that candidates may assume the firewall forwards or strips IP options like a router, but Palo Alto Networks firewalls prioritize security by default and drop such packets to prevent IP option-based attacks.

How to eliminate wrong answers

Option B is wrong because forwarding traffic with IP options normally would allow potential evasion of security policies and is not the default behavior. Option C is wrong because while logging and alerting may be configured, the default action is to drop, not just log. Option D is wrong because stripping IP options and forwarding is not a default behavior; the firewall does not modify IP headers by default and instead drops the packet.
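An added example, not taken from the original page: a Python parser for the IPv4 option list that applies the drop-on-any-option behavior the question describes, including the malformed case (an option whose length field lies). The packets are constructed here with a zero checksum, which is irrelevant to option parsing; option type values follow RFC 791 (7 record route, 68 timestamp, 130 security, 131 loose source route, 136 stream ID, 137 strict source route).

```python
import struct
from typing import List, Tuple

# IPv4 option type bytes (copy/class/number packed together) from RFC 791 and companions.
OPTION_NAMES = {
    0: "end-of-options", 1: "no-op", 7: "record-route", 68: "timestamp",
    130: "security", 131: "loose-source-route", 136: "stream-id", 137: "strict-source-route",
}
PASSTHROUGH = {"end-of-options", "no-op"}   # padding only; carry no routing or inspection risk


def parse_options(packet: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, data) for every option in the IPv4 header; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, out = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        name = OPTION_NAMES.get(kind, f"unknown-{kind}")
        if kind == 0:                        # end of option list; the rest is padding
            out.append((name, b""))
            break
        if kind == 1:                        # single-byte no-op
            out.append((name, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((name, opts[i + 2:i + length]))
        i += length
    return out


def decide(packet: bytes) -> str:
    """Model of the drop-on-IP-options behavior described in the question."""
    try:
        opts = parse_options(packet)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    for name, _ in opts:
        if name not in PASSTHROUGH:
            return f"drop: {name}"
    return "forward"


def build_ipv4(options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left 0; it plays no part in option parsing)."""
    options += b"\x00" * ((-len(options)) % 4)   # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 6, 0, bytes([10, 2, 2, 10]), bytes([203, 0, 113, 50]))
    return header + options + payload


# Constructed packets: a loose source route via 192.0.2.1, and an option whose length field lies.
LSRR_PACKET = build_ipv4(b"\x83\x07\x04" + bytes([192, 0, 2, 1]))
MALFORMED_PACKET = build_ipv4(b"\x83\x01")
```

A packet without options, or with only no-op padding, is forwarded; the LSRR packet is dropped by name, and the malformed packet is dropped before any option is interpreted, which is the order a parser must use so that a bad length can never push it past the end of the header.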

13
MCQ · medium

Refer to the exhibit. A user in the trust zone attempts to access HTTPS to an external server. Which rule will match?

A. rule4
B. rule3
C. rule1
D. rule2
Answer: D

Rule2 allows the 'ssl' application from any source, so the HTTPS session matches it.

Why this answer

Rule2 is correct because it is the first rule in the security policy that matches the traffic from the trust zone (source zone trust) to the external server (destination zone untrust) for HTTPS (destination port 443). Palo Alto Networks firewalls evaluate rules in top-down order, and rule2 explicitly permits HTTPS traffic from trust to untrust, while rule1 only permits HTTP (port 80). Rule3 and rule4 do not match because they are either for different zones or deny the traffic.

Exam trap

Palo Alto Networks often tests the first-match rule evaluation order, where candidates mistakenly think a deny rule later in the policy (rule4) will block traffic, forgetting that a preceding permit rule (rule2) already matched and allowed the session.

How to eliminate wrong answers

Option A is wrong because rule4 denies all traffic from trust to untrust, but since rule2 matches first and permits the HTTPS traffic, rule4 is never evaluated. Option B is wrong because rule3 applies to traffic from the DMZ zone, not the trust zone, so it does not match the user's traffic. Option C is wrong because rule1 only permits HTTP (port 80), not HTTPS (port 443), so it does not match the HTTPS request.

14
MCQ · easy

A firewall's management interface becomes unresponsive. The administrator can still ping the management IP. What is the most likely cause?

A. Management interface IP conflict
B. CPU overload
C. HTTP/HTTPS service disabled
D. Management profile misconfiguration
Answer: C

If the HTTPS service is disabled, the web UI will be unreachable, but ICMP (ping) can still respond if allowed.

Why this answer

When the management interface is unresponsive to HTTPS/SSH but still responds to ICMP (ping), it typically indicates that the management services (HTTP/HTTPS) are disabled on the interface. Ping is answered at the network layer and does not require the management web server to be running, while HTTPS requires that service to be enabled and listening on the management interface. On Palo Alto Networks firewalls the per-service checkboxes (HTTP, HTTPS, SSH, Ping, and others) are under Device > Setup > Interfaces > Management, and unchecking 'HTTPS' there produces exactly this symptom.

Exam trap

The trap here is that candidates assume any unresponsive management interface must be a network or resource issue, overlooking that ICMP and management services use separate processes, so ping success does not guarantee management service availability.

How to eliminate wrong answers

Option A is wrong because an IP conflict would cause intermittent connectivity or complete failure for all traffic, including ICMP, due to ARP instability; ping would not reliably succeed. Option B is wrong because CPU overload would affect all processes, including ICMP response handling, making ping also fail or become highly latent. Option D is wrong because a management profile misconfiguration affects which source IPs or interfaces can access management services, but it does not disable the HTTP/HTTPS service itself; the service would still be listening but may reject connections based on the profile.

15
MCQ · easy

A company has a pair of Palo Alto Networks firewalls in active/passive HA. The active firewall manages all traffic. Recently, the network team reconfigured the virtual router by adding a new static route to a remote subnet via a next-hop IP on the same interface. After committing, they noticed that the passive firewall's management IP became unreachable. The active firewall continues to pass traffic normally. What is the most likely cause?

A. The passive firewall has lost its management route
B. The HA link is down
C. The static route is causing a routing loop
D. The virtual router configuration is not synchronized to the passive peer
Answer: A

The management IP is reached through the MGT interface's own default gateway, which is separate from the dataplane virtual router; the passive peer has lost that management route, and the virtual router change is a red herring.

Why this answer

In an active/passive HA pair the passive firewall receives the running configuration, including virtual router settings, from the active peer. Management reachability is governed differently: the MGT interface has its own IP address, netmask, and default gateway (Device > Setup > Interfaces > Management), which are device-specific and not part of HA configuration sync. Adding a static route to the virtual router therefore neither adds nor removes anything on the management path. (If service routes send management services such as DNS or updates through a dataplane interface, the virtual router matters for those services, but the MGT IP itself is still reached via the MGT gateway.)

The passive firewall's management IP became unreachable because it no longer has a working management route (its MGT default gateway or the path to it), a per-device setting that HA sync does not carry; the dataplane change that happened to coincide with the commit is not the mechanism.

Exam trap

The trap here is that candidates assume all routing configurations, including management routes, are synchronized in HA, but Palo Alto Networks separates management plane routing from dataplane virtual routers, and only the dataplane config is synced.

How to eliminate wrong answers

Option B is wrong because if the HA link were down, the passive firewall would transition to active state or show HA link failure, but the scenario states the passive firewall's management IP is unreachable while the active firewall continues to pass traffic normally, indicating the HA link is likely operational. Option C is wrong because a routing loop would cause traffic disruption for the active firewall as well, but the active firewall continues to pass traffic normally, and a static route to a remote subnet via a next-hop on the same interface does not inherently create a loop unless there is a conflicting route. Option D is wrong because virtual router configuration is synchronized to the passive peer as part of the HA config sync; the passive firewall would have the same static route, but the issue is specifically with the management IP reachability, which is governed by the management plane's routing table, not the dataplane virtual router.

16
MCQ · medium

An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?

A. The service 'application-default' does not match the port used by the site.
B. A decryption policy is required for HTTPS traffic.
C. The application filter does not include 'ssl'.
D. The rule is placed too low in the rulebase.
Answer: A

Application-default restricts matching to the standard port for the application, so sites on non-standard ports do not match.

Why this answer

The correct answer is A because when a security rule uses the 'application-default' service, the firewall only allows traffic that matches the default port for the specified application. For 'web-browsing' (HTTP), the default port is TCP 80, and for 'ssl' (HTTPS), the default port is TCP 443. If an HTTPS site uses a non-standard port (e.g., TCP 8443), the traffic matches the rule based on the application but is denied because the service 'application-default' does not recognize that port as valid for the application.

Exam trap

The trap here is that candidates often assume 'application-default' allows any port for the application, when in reality it strictly enforces the default port, causing denial for HTTPS on non-standard ports.

How to eliminate wrong answers

Option B is wrong because a decryption policy is not required for HTTPS traffic to be allowed; decryption is optional and used for inspection, not for basic forwarding. Option C is wrong because the application filter does not need to include 'ssl' separately; the rule already specifies 'ssl' as an application, and the issue is with the service, not the application filter. Option D is wrong because the traffic logs show the traffic matches the new rule, indicating the rule is being evaluated and matched; placement lower in the rulebase would cause a different rule to match first, not a match with denial.

17
MCQ · medium

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

A. The HA1 link is down or misconfigured.
B. The HA2 link is being used for management traffic.
C. The preemptive setting is enabled on both firewalls.
D. The HA2 link is down or misconfigured.
Answer: D

HA2 is required for session synchronization; if it fails, the active firewall reports non-functional.

Why this answer

In active/passive HA, the HA2 link is used for session synchronization and state propagation. If the HA2 link is down or misconfigured, the active firewall cannot synchronize session state to the passive unit, causing it to report 'non-functional' even though the passive unit sees itself as 'passive'. The HA1 link handles heartbeats and configuration sync, which may still be operational, but without a functional HA2 link, the HA pair cannot maintain proper state synchronization, leading to the active firewall's non-functional state.

Exam trap

The trap here is that candidates often assume the HA1 link is the critical path for all HA functionality, but in active/passive mode, the HA2 link is essential for session state synchronization, and its failure causes the active firewall to report 'non-functional' even if HA1 is operational.

How to eliminate wrong answers

Option A is wrong because an HA1 failure takes the heartbeat away from both peers, so the symptom would be each unit losing sight of the other (and, with no backup HA1 link, a split-brain in which both go active), not a passive unit reporting 'passive' while the active reports 'non-functional'; HA1 carries heartbeats and configuration sync, not session state. Option B is wrong because HA2 is dedicated to state synchronization and cannot double as a management interface; putting management traffic there would be a configuration error in its own right, but it is not what produces the 'non-functional' state described. Option C is wrong because the preemptive setting controls whether a higher-priority passive firewall takes the active role back after recovery; it concerns failback behavior, not link health or the 'non-functional' state display.

18
MCQhard

A company uses a custom application definition for a proprietary application that runs on UDP port 12345. The security rule allowing the application is configured, but traffic logs show the application as 'unknown' instead of matching the custom app. What is the most likely cause?

A.The custom application signature is not associated with the security rule.
B.The firewall is running in L2 mode.
C.The traffic is not matching the app's protocol or port in the signature.
D.The application timeout is too short.
AnswerC

If the actual traffic uses a different port or protocol than defined, App-ID will not match.

Why this answer

Option C is correct because App-ID identifies traffic against the custom application's definition first; only after identification can the security rule that references the application match. If the actual traffic arrives on a different port, or over TCP rather than the UDP the definition specifies, the firewall cannot identify it and logs it as 'unknown-udp' (or 'unknown-tcp'), and the rule never applies. Two checks: confirm that the port and protocol shown in the traffic log match the definition, and confirm that the custom application actually has a signature. A custom application that defines only a default port and no signature does not identify anything on its own; it can only be assigned through an Application Override rule.

Exam trap

The trap here is that candidates assume a security rule referencing a custom application will automatically classify all traffic on that rule as the application, but App-ID requires the traffic to match the signature's protocol and port criteria first.

How to eliminate wrong answers

Option A is wrong because a security rule references the application object directly; there is no separate step that binds a custom signature to a rule. Option B is wrong because the deployment mode (Layer 2, Layer 3, virtual wire) does not change how App-ID classifies traffic. Option D is wrong because the application timeout governs how long an idle session stays in the session table, not whether the traffic is identified in the first place.
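The identification step the question turns on, as an added example in Python (not PAN-OS code, not part of the original page): a custom application is matched only when protocol, port and signature all agree, a port-only definition identifies nothing without an Application Override rule, and everything else ends up as 'unknown-udp' or 'unknown-tcp'. The application names, the "PROP1" payload tag and the flows are constructed for the illustration; `mismatch_reasons` is the troubleshooting helper a practitioner would want, listing which criterion failed.

```python
"""Added example (not PAN-OS code): a model of how App-ID decides whether a
flow is the custom application or 'unknown-<protocol>'. The application
name, the payload tag and the flows are constructed for this illustration."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CustomApp:
    name: str
    protocol: str                          # "udp" or "tcp"
    ports: frozenset                       # default ports in the definition
    signature: Optional[re.Pattern] = None  # payload pattern; None = port-only definition


@dataclass(frozen=True)
class Flow:
    protocol: str
    dport: int
    payload: bytes


# Hypothetical proprietary protocol on UDP/12345 whose datagrams start with "PROP1".
PROPRIETARY = CustomApp("proprietary-app", "udp", frozenset({12345}), re.compile(rb"^PROP1"))
# Same port and protocol, but defined without any signature (a common mistake).
PORT_ONLY = CustomApp("proprietary-app-portonly", "udp", frozenset({12345}))


def mismatch_reasons(flow: Flow, app: CustomApp):
    """List every criterion of the definition the flow fails; an empty list means a match."""
    reasons = []
    if flow.protocol != app.protocol:
        reasons.append(f"protocol {flow.protocol} != {app.protocol}")
    if flow.dport not in app.ports:
        reasons.append(f"port {flow.dport} not in {sorted(app.ports)}")
    if app.signature is None:
        reasons.append("definition has no signature (add one, or use an Application Override rule)")
    elif not app.signature.search(flow.payload):
        reasons.append("payload does not match the signature")
    return reasons


def identify(flow: Flow, apps, app_override=None):
    """Return the App-ID name for a flow.

    app_override maps (protocol, port) -> app name and models an Application
    Override rule, which assigns the application without inspecting payload.
    Otherwise a custom app matches only when protocol, port and signature all
    match; a port-only definition never identifies traffic by itself.
    """
    if app_override and (flow.protocol, flow.dport) in app_override:
        return app_override[(flow.protocol, flow.dport)]
    for app in apps:
        if not mismatch_reasons(flow, app):
            return app.name
    return f"unknown-{flow.protocol}"


if __name__ == "__main__":
    flows = [
        Flow("udp", 12345, b"PROP1\x00\x01hello"),   # exactly as defined
        Flow("udp", 12346, b"PROP1\x00\x01hello"),   # wrong port
        Flow("tcp", 12345, b"PROP1\x00\x01hello"),   # wrong protocol
        Flow("udp", 12345, b"HELLO"),                # right port, wrong payload
    ]
    for f in flows:
        print(f.protocol, f.dport, "->", identify(f, [PROPRIETARY]), mismatch_reasons(f, PROPRIETARY))
```

Run it and compare the printed reasons with the port and protocol column of the traffic log; the fourth flow is the case most often missed, since the session looks right on the wire but the definition's signature never fires.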

19
Multi-Selecteasy

Which TWO statements are true about Palo Alto Networks firewall management access?

Select 2 answers
A.Management profiles control access to the firewall
B.HTTPS is enabled by default on all interfaces
C.Management access can be allowed from any zone
D.The management interface can be configured for MGT port only
E.SSH access is always enabled
AnswersA, C

Management profiles define allowed services and source IPs for management access.

Why this answer

Option A is correct because interface management profiles are the mechanism that controls which services (HTTPS, SSH, ping, and so on) are permitted on a given interface for management access. Without an applied management profile, no management services are allowed on that interface, even if the service is globally enabled. Option C is correct because a management profile can be attached to any Layer 3 interface regardless of the zone it belongs to, so management access is not tied to the MGT port; whenever management is exposed on a data interface, restrict the profile's permitted IP addresses to the administrators' hosts.

Exam trap

The trap here is that candidates often assume the MGT port is the only interface that can be used for management, but Palo Alto Networks allows any interface to be configured for management access via management profiles.

20
Multi-Selecthard

Which THREE of the following are mandatory components for GlobalProtect client connectivity?

Select 3 answers
A.Authentication profile.
B.Client certificate.
C.DNS suffix.
D.Gateway configuration.
E.Portal configuration.
AnswersA, D, E

Users must be authenticated to connect.

Why this answer

The GlobalProtect portal and gateway are the two fundamental server-side components required for client connectivity. The portal provides the initial configuration, including gateway lists and client settings, while the gateway terminates the VPN tunnel and enforces security policies. An authentication profile is mandatory because the portal must verify the user's identity before the client can download the portal configuration and subsequently connect to a gateway.

Exam trap

The trap here is that candidates often confuse optional features like client certificates or DNS suffixes with mandatory components, but the exam specifically tests that only the portal, gateway, and authentication profile are required for the client to establish connectivity.

21
MCQmedium

A firewall is configured with two ISPs for load balancing. Traffic from certain sources should always egress via ISP-1. What is the correct configuration?

A.Multiple virtual routers
B.ECMP with route metrics
C.Policy-based forwarding (PBF) with source criteria
D.Subinterfaces per ISP
AnswerC

PBF can match source IP and forward to a specific next hop.

Why this answer

Policy-based forwarding (PBF) allows you to override the routing table for specific traffic based on criteria such as source IP, destination IP, or application. By configuring a PBF rule with source criteria, you can force traffic from certain sources to always egress via ISP-1, regardless of the load-balancing configuration. This is the correct method for source-based path selection in a multi-ISP setup.

Exam trap

The trap here is that candidates often confuse ECMP load balancing with source-based path selection, assuming that route metrics or multiple virtual routers can achieve deterministic egress control, when in fact only PBF provides the necessary policy override for specific source traffic.

How to eliminate wrong answers

Option A is wrong because multiple virtual routers are used to maintain separate routing tables for different network segments or administrative domains, not to selectively forward traffic from specific sources to a particular ISP. Option B is wrong because ECMP with route metrics distributes traffic across multiple equal-cost paths based on a hash algorithm (e.g., source-destination IP), but it cannot guarantee that traffic from specific sources always uses ISP-1; it is designed for load balancing, not deterministic source-based routing. Option D is wrong because subinterfaces per ISP are used to segment traffic at Layer 2 or for VLAN tagging, not to enforce egress path selection based on source criteria; they do not influence the routing decision.

22
MCQmedium

An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?

A.The static route in VR1 does not point to an interface or next hop that is reachable via VR2.
B.The firewall does not support multiple virtual routers.
C.The virtual routers are not connected to each other.
D.NAT is not configured on VR2.
AnswerA

Without an inter-virtual-router ('Next VR') route, VR1 cannot use a next hop that only VR2 can reach.

Why this answer

Virtual routers are independent routing tables. A static route is installed only if its next hop is reachable through an interface that belongs to the same virtual router; 10.0.0.1 is on the ISP-facing subnet attached to VR2, so VR1 has no connected interface that can reach it and the route never makes it into VR1's forwarding table. The fix is either to move the ISP-facing interface into VR1 or to add a static route in VR1 whose next hop is of type 'Next VR' pointing at VR2 (with a corresponding return route in VR2 for the corporate prefixes). Verify with `show routing route virtual-router VR1` and `test routing fib-lookup virtual-router VR1 ip <destination>`.

Exam trap

The trap here is that candidates assume virtual routers are interconnected by default, similar to VLANs, but in Palo Alto firewalls they are fully isolated routing instances that require explicit route sharing to pass traffic between them.

How to eliminate wrong answers

Option B is wrong because PAN-OS supports multiple virtual routers on every platform (the maximum varies by model), precisely to segment routing domains. Option C is wrong because virtual routers are logical constructs on the same data plane; there is no link to 'connect', and traffic between them requires a Next VR route or redistribution. Option D is wrong because NAT is applied after the route lookup; the failure occurs at the routing stage, before any NAT policy is evaluated.

23
MCQmedium

Which of the following is NOT a valid method to identify users for User-ID on a Palo Alto Networks firewall?

A.XML API
B.LDAP sync
C.Terminal Services Agent (TS Agent)
D.Captive Portal
AnswerA

The keyed answer treats the XML API as a configuration and reporting interface rather than a source of IP-to-user mappings.

Why this answer

The keyed answer is A: the question treats the XML API as a management interface used to configure, monitor and retrieve data programmatically, and the other options as mechanisms that map IP addresses to usernames. A practitioner should know the caveat: PAN-OS does accept IP-to-user mappings pushed through the User-ID XML API (it is a documented mapping source), and directory ('LDAP') integration is what User-ID uses for group mapping rather than for IP-to-user mapping, so do not rely on this distinction on a real firewall. `show user ip-user-mapping all` shows which source produced each mapping.

Exam trap

The trap here is that the XML API can both retrieve mappings and push them; the exam's framing counts only agents, Captive Portal and similar mechanisms as identification methods and treats the API as a management channel.

How to eliminate wrong answers

Option A is the answer because, in the exam's framing, the XML API is a management and automation interface rather than an identification mechanism. Options B, C and D are not the answer because each is presented as a valid User-ID method: the Terminal Services Agent maps users on multi-user terminal servers by assigning each user a source-port range, Captive Portal authenticates the user through a web form (or transparently via Kerberos/NTLM) and records the IP-to-username mapping, and directory integration supplies the user and group information that user-based rules reference.

24
MCQeasy

A company needs to provide internet access to 500 internal users using a single public IP address. Which NAT method should be configured?

A.Dynamic NAT (1:1 pool)
B.Static NAT (1:1)
C.Destination NAT
D.Source NAT with IP and port translation (PAT)
AnswerD

PAT enables many internal IPs to share a single public IP via port multiplexing.

Why this answer

Source NAT with IP and port translation (PAT) allows 500 internal users to share a single public IP address by translating each private source IP:port combination to the public IP with a unique source port. This conserves public IPv4 addresses and is the standard method for large-scale internet access from a private network.

Exam trap

The trap here is that candidates confuse Dynamic NAT (which still requires a pool of public IPs) with PAT, assuming any 'dynamic' method can share a single IP, but only PAT performs port-level multiplexing to achieve this.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT (1:1 pool) maps each internal IP to a unique public IP from a pool, requiring at least 500 public IPs, not a single one. Option B is wrong because Static NAT (1:1) provides a fixed one-to-one mapping between a private IP and a public IP, which also requires a public IP per user and does not scale. Option C is wrong because Destination NAT translates the destination IP/port of inbound traffic, not the source address of outbound traffic, and thus cannot provide internet access for internal users.
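The port multiplexing the answer relies on, as an added example in Python (not PAN-OS code, not part of the original page): one public address serves 500 hosts because each outbound 4-tuple is assigned its own public source port, replies are mapped back by that port, and the pool is finite. The public address 203.0.113.10, the 10.1.x.y client addresses and the port range are constructed assumptions.

```python
"""Added example (not PAN-OS code): a minimal model of dynamic IP-and-port
source NAT (PAT), showing how 500 internal hosts share one public address
through distinct public source ports, how return traffic is mapped back,
and what happens when the port pool runs out. Addresses and the port
range are constructed."""
from collections import deque


class Pat:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.free_ports = deque(range(first_port, last_port + 1))
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (src_ip, src_port, dst_ip, dst_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return (public_ip, public_port) for an outbound 4-tuple, allocating a port on first use."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted; add a second public IP to the pool")
            port = self.free_ports.popleft()
            self.outbound[key] = port
            self.inbound[port] = key
        return self.public_ip, self.outbound[key]

    def untranslate(self, public_port):
        """Map a reply arriving on the public port back to (src_ip, src_port); None if no session."""
        key = self.inbound.get(public_port)
        return None if key is None else (key[0], key[1])

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Session end: return the public port to the pool."""
        port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port))
        del self.inbound[port]
        self.free_ports.append(port)


def simulate(users=500, sessions_per_user=20, public_ip="203.0.113.10"):
    """500 hosts in 10.0.0.0/8, each opening 20 HTTPS sessions, behind one public IP."""
    pat = Pat(public_ip)
    seen_public_ips = set()
    for u in range(users):
        src_ip = f"10.1.{u // 250}.{u % 250 + 1}"
        for s in range(sessions_per_user):
            ip, _ = pat.translate(src_ip, 40000 + s, "198.51.100.7", 443)
            seen_public_ips.add(ip)
    return {
        "public_ips_used": len(seen_public_ips),
        "translations": len(pat.outbound),
        "ports_left": len(pat.free_ports),
        "pat": pat,
    }


if __name__ == "__main__":
    result = simulate()
    print({k: v for k, v in result.items() if k != "pat"})
```

The model allocates one public port per session; real PAN-OS additionally oversubscribes the pool (the same public port can be reused for sessions to different destinations), which is why a single address carries far more than 64k concurrent sessions in practice. The exhaustion branch is the failure mode to plan for: when the pool is empty new sessions are dropped, and the remedy is a translated address pool rather than a single interface address.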

25
MCQhard

The source NAT rule 'SNAT-Outside' is configured to translate traffic from 10.0.0.0/8 to the interface address of ethernet1/1. However, traffic from 10.1.1.1 to the internet is not being translated. What is the most likely reason?

A.The 'interface-address' option requires a specific translated address.
B.The rule is missing a 'from' zone specification.
C.The rule should be under 'destination-nat' instead of 'source-nat'.
D.The 'to-interface' should be 'any'.
AnswerB

Source NAT rules must include the source zone to determine when to translate.

Why this answer

Option B is correct because a NAT rule matches on the pre-NAT source and destination zones before anything else; without the 'from' zone the rule has no way to match the session, so no translation takes place. Here the traffic from 10.1.1.1 originates in a zone (for example 'trust') that the rule does not name. Verify which NAT rule a session would hit with `test nat-policy-match from <source-zone> to <destination-zone> source 10.1.1.1 destination <internet-ip> protocol 6 destination-port 443`, and check the rule's zones under Policies > NAT (Original Packet).

Exam trap

The trap here is that candidates often assume source NAT rules only need a source IP range and an egress interface, overlooking the mandatory 'from' zone specification that PAN-OS requires for rule matching.

How to eliminate wrong answers

Option A is wrong because the 'interface-address' option does not require a specific translated address; it dynamically uses the IP address of the egress interface (ethernet1/1) as the translated source address, which is valid. Option C is wrong because the scenario describes source NAT (translating source IP of outbound traffic), not destination NAT (which translates destination IP of inbound traffic), so placing it under 'destination-nat' would be incorrect. Option D is wrong because setting 'to-interface' to 'any' would not fix the missing 'from' zone; the 'to-interface' specifies the egress interface for the translated traffic, and ethernet1/1 is appropriate for internet-bound traffic.

26
MCQmedium

Refer to the exhibit. A user in the 10.0.0.0/8 network is unable to access a web server at 172.16.1.10 which is in the DMZ zone. The firewall's security policy is shown. What is the most likely reason for the failure?

A.The source IP range 10.0.0.0/8 is misconfigured.
B.The policy specifies the 'untrust' zone instead of the 'dmz' zone.
C.The policy is missing a 'permit' action.
D.The application 'web-browsing' is not the correct application for the traffic.
AnswerB

The traffic to the DMZ server must match a policy with destination zone 'dmz'.

Why this answer

Option B is correct because the policy's destination zone is 'untrust' while the web server sits in the 'dmz' zone, so the session never matches this rule and falls through to the interzone-default deny. Option A is incorrect because 10.0.0.0/8 covers the user's address. Option C is incorrect because the rule's action is already 'allow'. Option D is incorrect because 'web-browsing' is the correct App-ID for HTTP to the server (add 'ssl' if the server also serves HTTPS). Confirm which zone the server's interface belongs to under Network > Interfaces, and check the match with `test security-policy-match from <source-zone> to dmz source <user-ip> destination 172.16.1.10 protocol 6 destination-port 80 application web-browsing`.

27
MCQmedium

A company uses User-ID to map users to IPs. Some users report that their traffic is being blocked even though they are in the correct user group for access. The security policy uses user-based conditions. What is a likely cause?

A.The security policy order is incorrect
B.The firewall is not configured to use the User-ID agent
C.The User-ID agent is not running
D.The user's IP is not in the User-ID mapping table
AnswerD

Without a mapping, the policy cannot match the user, so traffic may be blocked by a default deny rule.

Why this answer

When a security policy uses user-based conditions, the firewall must hold a User-ID mapping for the user's IP address before the rule can match. If the user's IP is not in the mapping table, the firewall cannot associate the traffic with a user or group, so the intended allow rule never matches and the session falls to a later deny rule or to the interzone-default deny. This is the most direct cause when the group assignment is correct but only some users are affected. Confirm the gap with `show user ip-user-mapping ip <affected-ip>`; if it returns no mapping, the cause is on the mapping side (the agent did not see the logon, the user logged on from an unmonitored source, or the mapping timed out), not in the rule.

Exam trap

The trap here is that candidates often assume the issue is with the User-ID agent's configuration or status, but the question specifies that some users are affected, pointing to a per-user mapping gap rather than a global agent failure.

How to eliminate wrong answers

Option A is wrong because security policy order affects which rule matches first, but if the correct user-based rule exists and the user's IP is unmapped, the rule will not match regardless of order. Option B is wrong because if the firewall were not configured to use the User-ID agent, no user mappings would exist at all, but the issue is specific to some users, implying the agent is configured. Option C is wrong because if the User-ID agent were not running, no mappings would be populated for any user, but the problem is isolated to certain users, indicating the agent is operational.

28
Multi-Selecteasy

Which TWO of the following are prerequisites for configuring User-ID on an interface?

Select 2 answers
A.The firewall must be in FIPS mode.
B.The interface must be in a zone.
C.A User-ID agent must be installed.
D.User-ID must be enabled on the zone.
E.An authentication profile must be configured.
AnswersC, D

A User-ID agent (or other method) is required to provide user-to-IP mapping data.

Why this answer

Option C is correct because a User-ID agent (or the built-in User-ID service on the firewall) is required to map IP addresses to usernames. Without an agent—such as the PAN-OS User-ID Agent, Terminal Services Agent, or GlobalProtect—the firewall cannot collect user mapping data from directory services (e.g., Active Directory) or authentication logs. Option D is correct because User-ID must be explicitly enabled on the zone; if the zone does not have User-ID enabled, the firewall will not perform user mapping for traffic traversing that zone, even if the interface is configured correctly.

Exam trap

The trap here is that candidates often assume an interface must be in a zone (Option B) is a direct prerequisite for User-ID, but the actual requirement is that User-ID must be enabled on the zone, not just that the interface belongs to one.

29
Drag & Dropmedium

Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.



Why this order

VPN setup in PAN-OS follows the dependency order of its objects: create the tunnel interface and assign it to a zone and a virtual router; define the IKE crypto profile; define the IKE gateway (peer address, authentication, IKE crypto profile); define the IPsec crypto profile; create the IPsec tunnel that binds the tunnel interface, IKE gateway and IPsec crypto profile together; add a static route for the remote network via the tunnel interface; and finally add security policy between the local and VPN zones. Each step references objects created in the earlier ones, which is why the order matters.

30
Multi-Selectmedium

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Select 2 answers
A.Two physical or subinterfaces assigned to the vwire.
B.A management profile must be applied to the vwire.
C.A zone must be assigned to the vwire.
D.The interfaces must be of type 'aggregate'.
E.No IP addresses configured on the interfaces used in the vwire.
AnswersA, E

A vwire requires exactly two interfaces.

Why this answer

Option A is correct because a virtual wire (vwire) requires exactly two interfaces to function as a transparent bridge between two network segments. These interfaces can be physical or subinterfaces, and they must be assigned to the vwire to pass traffic without Layer 3 processing. Without two interfaces, the vwire cannot forward frames between the connected devices.

Exam trap

The trap here is that candidates apply Layer 3 thinking to a virtual wire. The vwire object itself needs only two interfaces and no IP addresses, and a management profile does not apply to it; the two interfaces do still belong to zones of type virtual-wire, because security policy is enforced between them, but the zone is assigned on the interface, not on the vwire object, which is why Option C is not a requirement of the vwire configuration.

31
MCQhard

Refer to the exhibit. An administrator has configured this decryption policy but users in the 10.1.1.0/24 subnet receive certificate warnings when accessing HTTPS sites. What is the most likely cause?

A.The rule should be at the top of the rulebase
B.The destination address should be specific
C.The application should be web-browsing
D.The decryption certificate is not trusted by clients
AnswerD

Clients must trust the firewall's CA certificate for seamless decryption; otherwise, certificate warnings appear.

Why this answer

Option D is correct because certificate warnings occur when the certificate the firewall presents is not trusted by the client. In forward proxy decryption the firewall generates a certificate for each HTTPS server on the fly and signs it with its Forward Trust CA; if that CA is not in the client's trusted root store, the browser warns. Check the certificate the browser shows: its issuer will be the firewall's Forward Trust CA. Export that CA (Device > Certificate Management > Certificates) and distribute it to clients through the usual endpoint channel (Group Policy on Windows domains), and keep a separate Forward Untrust CA that clients do not trust, so that sites whose upstream certificate is invalid still produce a warning.

Exam trap

Palo Alto Networks often tests the distinction between rule configuration issues (like order or application matching) and certificate trust issues, leading candidates to focus on policy settings rather than the fundamental requirement that clients must trust the decryption CA.

How to eliminate wrong answers

Option A is wrong because rule order affects which decryption rule matches, but moving the rule to the top would not change the certificate the client sees; the warning is caused by the certificate, not by rule precedence. Option B is wrong because narrowing the destination address would only shrink the set of sites decrypted; every site that is still decrypted would warn just the same. Option C is wrong because a decryption rule matches on zones, addresses, users, URL categories and service, not on App-ID, so 'web-browsing' is not a setting on this rule and would not address client trust.

32
MCQmedium

In an Active/Passive HA pair, which statement is true regarding configuration synchronization?

A.Configuration is not synced automatically; the administrator must export and import.
B.Only committed changes on the active are synced to the passive.
C.All configuration changes on the active peer are automatically synced to the passive.
D.The passive peer initiates the sync.
AnswerB

Configuration is synced after a commit operation.

Why this answer

In an Active/Passive HA pair, configuration synchronization occurs after a commit on the active firewall; the committed running configuration is pushed to the passive peer over the HA1 control link. Only validated, committed configuration is propagated, so the passive never receives a partial candidate configuration. Whether the peers are in sync is shown in the HA widget on the Dashboard and by `show high-availability state`.

Exam trap

The trap here is that candidates often assume all configuration changes (including uncommitted candidate changes) are synced in real time, but Palo Alto Networks only syncs committed configurations to maintain consistency and prevent partial or broken configurations from being applied to the passive peer.

How to eliminate wrong answers

Option A is wrong because configuration synchronization in Active/Passive HA is automatic after a commit on the active peer, not requiring manual export/import. Option C is wrong because not all changes are synced automatically; only committed changes are synced—uncommitted changes (e.g., pending candidate config) are not propagated to the passive. Option D is wrong because the active peer initiates the sync after a commit, not the passive; the passive passively receives the configuration updates.

33
MCQhard

A network engineer is deploying a new firewall to inspect traffic between two VLANs. The requirement is to block all traffic except HTTP and HTTPS from the internal network to a specific web server in the DMZ. The engineer applies a security policy with the following configuration: source zone Internal, destination zone DMZ, source address internal_subnet, destination address web_server, application set to 'web-browsing' and 'ssl', and action set to 'allow'. However, users report that they cannot access the web server. Which change must be made to the policy to resolve the issue?

A.Add the service objects for HTTP (tcp/80) and HTTPS (tcp/443) to the rule
B.Configure source NAT on the internal zone
C.Create a separate rule for HTTP and another for HTTPS
D.Move the security policy rule to a higher priority in the rulebase
AnswerA

The rule names the right applications, but a security rule also matches on service; when the service condition does not cover the ports the server actually listens on, the rule never matches. Adding explicit service objects for the ports in use resolves it.

Why this answer

The keyed answer is A. A security rule matches on application and on service. With service left at application-default, 'web-browsing' matches only on TCP/80 and 'ssl' only on TCP/443, so a server that listens elsewhere (HTTPS on 8443, for instance) never matches, and the session falls to the interzone-default deny. Adding service objects for the ports the server uses (tcp/80 and tcp/443 in the standard case, the custom ports otherwise) makes the service condition cover the traffic. Note that a server on 80/443 would already match the rule as described with application-default; the change only helps when the service condition was narrower than the ports in use, so read the port and the rule name in the traffic log before editing the rule.

Exam trap

The trap here is assuming that naming the application is enough: the rule's service condition is evaluated as well, and application-default ties each application to its registered ports, so traffic on any other port needs an explicit service object.

How to eliminate wrong answers

Option B is wrong because source NAT is not required for traffic between VLANs within the same firewall; it is used to translate private IPs to routable addresses for external networks, not to permit traffic. Option C is wrong because a single rule can contain multiple applications (web-browsing and ssl) and services; separate rules are unnecessary and would not fix the underlying issue of missing service objects. Option D is wrong because rule priority affects order of evaluation but does not change the fact that the policy lacks the required service objects; moving it higher would not make the traffic match if the service condition is missing.

34
Multi-Selecteasy

Which TWO of the following are required to configure a Palo Alto Networks firewall for centralized management by Panorama?

Select 2 answers
A.Configure a pre-shared key for authentication.
B.Ensure the management interface IP is reachable from Panorama.
C.Enable the XML API on the firewall.
D.Add the firewall's serial number to Panorama.
E.Define a device group in Panorama.
AnswersB, D

Panorama needs IP connectivity to the firewall's management interface.

Why this answer

Option B is correct because the firewall's management interface must be reachable from Panorama to establish the connection (and the firewall must be pointed at Panorama under Device > Setup > Management > Panorama Settings). Option D is correct because the firewall's serial number must be added to Panorama under Managed Devices for the device to be recognized. Option A is not required; the connection is authenticated with certificates, and a pre-shared key is not a mandatory step. Option C is not required; the XML API plays no part in establishing management. Option E is not required; device groups and templates organize managed firewalls but are not a prerequisite for adding one.

35
MCQmedium

A global company uses a pair of PA-220 firewalls in an active/passive HA configuration at its headquarters. The firewalls have multiple virtual routers and dozens of zones. Recently, a network upgrade changed the physical topology: a new switch was placed between the firewalls and the ISP routers. After the upgrade, the passive firewall continuously shows 'suspended' state. The HA control link (HA1) and data link (HA2) are on separate dedicated interfaces. The Active firewall logs show: 'HA monitor peer unreachable' every few seconds. The engineer has verified IP connectivity between the HA interfaces using ping from the active to the passive HA1 IP. What is the most likely cause of the HA state issue?

A.The HA2 link is misconfigured or unplugged
B.The new switch introduces latency or jitter that exceeds the HA keepalive timeout
C.The session table on the active firewall is full, preventing HA keepalives
D.The HA1 encryption setting is mismatched between the two firewalls
AnswerB

HA keepalives are time-sensitive; a switch can add latency that makes the passive appear dead, even if basic connectivity exists.

Why this answer

The 'HA monitor peer unreachable' log, with the passive peer ending up 'suspended' even though a manual ping over HA1 succeeds, points at the HA heartbeat and hello exchange rather than basic reachability. The switch inserted into the HA path adds latency or jitter, heartbeats arrive after the heartbeat and hello intervals configured under Election Settings have expired, and the active declares the peer unreachable; each recovery counts as a flap, and once the configured maximum number of flaps is exceeded the peer is placed in the suspended state. Compare the Election Settings timers on both peers, check the link with `show high-availability all`, and either raise the timers or move HA1 back onto a dedicated low-latency path.

Exam trap

The trap here is that candidates take a successful ping between HA interfaces as proof that keepalives succeed, but the HA timers are far tighter than a manual ping, and 'suspended' on the passive indicates that the flap limit was exceeded (or an administrator suspended it), not a link or encryption failure.

How to eliminate wrong answers

Option A is wrong because the HA2 link is dedicated to session synchronization and state propagation, not keepalive monitoring; a misconfigured or unplugged HA2 would cause session sync failures but not the 'HA monitor peer unreachable' log or a 'suspended' state. Option C is wrong because a full session table on the active firewall would cause new session drops, not prevent HA keepalives, which are control-plane packets handled by the management plane and not subject to session table limits. Option D is wrong because an HA1 encryption mismatch would prevent the HA control link from establishing at all, resulting in a 'non-functional' or 'down' state, not a 'suspended' state with intermittent 'peer unreachable' logs.

36
MCQmedium

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?

A.Verify that the HA2 link is configured and operational
B.Ensure that both firewalls have the same session setup mode (e.g., active-active vs active-passive)
C.Check that HA1 encryption is enabled on both devices
D.Verify the HA1 IP address and port settings, and confirm that the HA keepalive timer is identical on both peers
AnswerD

The HA1 link status depends on correct IP/port configuration and matching keepalive timers; mismatches can cause link down and sync failure.

Why this answer

The HA1 link is used for control-plane communication, including configuration synchronization and heartbeats. If the active firewall shows the HA1 link as down, the most likely cause is a mismatch in the HA1 IP address, port settings, or the HA keepalive timer between the two peers. Verifying and correcting these settings ensures the HA1 link can establish and maintain connectivity, allowing the passive firewall to synchronize its configuration.

Exam trap

The trap here is that candidates often confuse the roles of HA1 and HA2 links, assuming HA2 is required for configuration sync, or they assume HA1 encryption is mandatory for the link to be operational.

How to eliminate wrong answers

Option A is wrong because the HA2 link is used for session and state synchronization, not for configuration synchronization or heartbeat; a down HA2 link would not prevent configuration sync. Option B is wrong because the session setup mode (active-active vs active-passive) is a separate configuration that affects session ownership and forwarding, not the HA1 control link or configuration synchronization. Option C is wrong because HA1 encryption is optional and not required for basic HA1 link operation or configuration sync; enabling it would not resolve a link-down issue caused by IP/port or timer mismatches.

37
MCQeasy

By default, what is the action on traffic between two different zones without any security rule?

A.deny
B.allow
C.depends on the application
D.prompt
AnswerA

By default, traffic between different zones is denied unless a security rule allows it.

Why this answer

By default, PAN-OS evaluates two implicit rules after the configured rulebase: intrazone-default (allow) and interzone-default (deny). Traffic between two different zones that matches no configured rule hits interzone-default and is dropped, so every cross-zone flow must be allowed explicitly. Neither implicit rule logs by default; override interzone-default (Policies > Security, select the rule, Override) and enable 'Log at Session End' so that dropped inter-zone traffic shows up in the traffic log instead of disappearing silently.

Exam trap

The trap here is that candidates often confuse the default inter-zone action with intra-zone traffic (which is allowed by default) or assume that the firewall will prompt or log a warning, when in fact it silently denies without any user notification.

How to eliminate wrong answers

Option B is wrong because allowing inter-zone traffic by default would violate least privilege; PAN-OS never allows traffic across zones without an explicit allow rule. Option C is wrong because the implicit interzone-default rule matches any application, so the App-ID result does not change the outcome. Option D is wrong because the firewall never prompts for user input on inter-zone traffic; it drops the packet under the implicit deny rule.
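The evaluation order behind questions 26, 27, 33 and this one, as an added example in Python (not PAN-OS code, not part of the original page): a rule must agree on zones, addresses, user, application and service, a user-based rule can only match a source IP that User-ID has mapped, the application-default service pins each App-ID to its registered ports, and anything unmatched lands on the implicit intrazone-default (allow) or interzone-default (deny) rule, neither of which logs. The zone names, addresses, the user `corp\alice` and the three rules are constructed assumptions.

```python
"""Added example (not PAN-OS code): a model of security policy evaluation
covering the behaviour tested in questions 26, 27, 33 and 37: zone matching,
the application-default service, User-ID lookups for user-based rules, and
the implicit intrazone-default (allow) and interzone-default (deny) rules.
Zones, addresses, the user name and the rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports bound to each App-ID when a rule's service is application-default.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    dport: int
    app: str                           # App-ID result, e.g. "ssl" or "unknown-tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    sources: frozenset                 # CIDR strings, or {"any"}
    destinations: frozenset
    apps: frozenset                    # App-ID names, or {"any"}
    service: object                    # "application-default", "any", or frozenset of (proto, port)
    action: str
    users: Optional[frozenset] = None  # None = any user; otherwise User-ID names that may match
    log: bool = True


def _addr_match(nets, ip):
    return "any" in nets or any(ip_address(ip) in ip_network(n) for n in nets)


def _zone_match(zones, zone):
    return "any" in zones or zone in zones


def _service_match(rule, pkt):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (pkt.protocol, pkt.dport) in APP_DEFAULT_PORTS.get(pkt.app, set())
    return (pkt.protocol, pkt.dport) in rule.service


def rule_matches(rule, pkt, ip_user_map):
    if not (_zone_match(rule.from_zones, pkt.src_zone) and _zone_match(rule.to_zones, pkt.dst_zone)):
        return False
    if not (_addr_match(rule.sources, pkt.src_ip) and _addr_match(rule.destinations, pkt.dst_ip)):
        return False
    if rule.users is not None:
        # A user-based rule can only match when User-ID holds a mapping for the source IP.
        user = ip_user_map.get(pkt.src_ip)
        if user is None or user not in rule.users:
            return False
    if "any" not in rule.apps and pkt.app not in rule.apps:
        return False
    return _service_match(rule, pkt)


def lookup(rules, pkt, ip_user_map=None):
    """Return (rule name, action, logged) for the first matching rule, else the implicit default."""
    ip_user_map = ip_user_map or {}
    for rule in rules:
        if rule_matches(rule, pkt, ip_user_map):
            return rule.name, rule.action, rule.log
    if pkt.src_zone == pkt.dst_zone:
        return "intrazone-default", "allow", False   # implicit rules do not log unless overridden
    return "interzone-default", "deny", False


ANY = frozenset({"any"})
RULES = [
    Rule("Allow-SSL", frozenset({"trust"}), frozenset({"untrust"}), ANY, ANY,
         frozenset({"ssl"}), "application-default", "allow"),
    # Mis-zoned DMZ rule from question 26: the server sits in 'dmz', the rule says 'untrust'.
    Rule("Allow-DMZ-Web", frozenset({"trust"}), frozenset({"untrust"}), frozenset({"10.0.0.0/8"}),
         frozenset({"172.16.1.10/32"}), frozenset({"web-browsing", "ssl"}), "application-default", "allow"),
    # User-based rule from question 27; only a mapped source IP can match it.
    Rule("Allow-Eng-SSH", frozenset({"trust"}), frozenset({"dmz"}), ANY, frozenset({"172.16.1.20/32"}),
         frozenset({"ssh"}), "application-default", "allow", users=frozenset({"corp\\alice"})),
]
USER_MAP = {"10.1.1.50": "corp\\alice"}   # constructed User-ID table; 10.1.1.60 has no mapping
```

Feed it the same tuples you would give `test security-policy-match` and the returned rule name tells you which condition to look at: a fall-through to interzone-default with the right zones and addresses usually means the application or the service (port) did not match, and for a user-based rule it means `show user ip-user-mapping ip` will come back empty.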

38
MCQ · hard

A security engineer is deploying a new PA-5220 firewall to replace an existing legacy firewall. The environment has complex routing with OSPF and BGP. The engineer configures the firewall with multiple virtual routers: one for the internal network, one for the DMZ, and one for the external connection to two ISPs. The firewall is placed in Layer 3 mode. After the cutover, users report that they can access the internet but internal traffic between two different subnets that are both in the internal virtual router fails to route properly. The engineer checks the routing table on the internal virtual router and sees correct OSPF learned routes. The security policies allow all traffic between those subnets. What is the most likely cause of the routing failure?

A. The firewall does not have a loopback interface for OSPF router-id
B. The security policy is not correctly identifying the traffic due to asymmetric routing
C. The internal interfaces are assigned to different virtual routers
D. The OSPF metric is too high, causing route preference issues
Answer: C

If the interfaces belong to different virtual routers, the firewall will not route between them by default without inter-VR route leaking or a shared VR.

Why this answer

The most likely cause is that the internal interfaces are assigned to different virtual routers. In a Palo Alto Networks firewall, Layer 3 interfaces belong to a specific virtual router, and routing between subnets in different virtual routers requires either a route leak or a shared virtual router. Since the engineer placed both subnets in the same internal virtual router but the interfaces are in different virtual routers, the firewall cannot route traffic between them even if the routing table and security policies are correct.

Exam trap

The trap here is that candidates often assume that security policies alone control traffic flow, forgetting that virtual routers create isolated routing domains, and that interfaces in different virtual routers cannot route to each other without explicit route leaking or redistribution.

How to eliminate wrong answers

Option A is wrong because a loopback interface for OSPF router-id is not required for OSPF to function; the firewall can use the highest IP address of any active interface or a manually configured router-id. Option B is wrong because asymmetric routing is not the issue here; the traffic is between two subnets within the same virtual router, and the security policy allows all traffic, so asymmetric routing would not cause a failure in this scenario. Option D is wrong because a high OSPF metric would affect route preference but would not prevent routing between directly connected subnets within the same virtual router; the firewall would still use connected routes or OSPF-learned routes with lower metrics.

39
MCQ · hard

A firewall is configured with multiple virtual wire interfaces. Traffic passes through but the firewall cannot enforce security policies based on source/destination IP addresses. What is the reason?

A. The virtual wire is not configured with zones
B. The virtual wire requires a VLAN tag
C. The security policy is in layer 3 mode
D. Virtual wire mode does not support IP-based policies
Answer: D

In virtual wire mode, the firewall acts as a transparent bridge and cannot inspect IP addresses for policy matching.

Why this answer

In virtual wire mode, the firewall operates as a transparent Layer 2 bridge, forwarding frames based on MAC addresses without performing any IP routing or inspection of Layer 3 headers. Because the firewall does not see the source or destination IP addresses in the traffic, it cannot enforce security policies that rely on IP-based criteria. Option D correctly identifies that virtual wire mode inherently does not support IP-based policies.

Exam trap

The trap here is that candidates may assume virtual wire mode still allows IP-based policies because the firewall can see IP packets, but they forget that the firewall does not process Layer 3 headers in this mode, making IP-based policy enforcement impossible.

How to eliminate wrong answers

Option A is wrong because virtual wire interfaces are automatically assigned to a zone when the virtual wire is created, and zones are required for policy enforcement, but the issue here is not about zone assignment—it's about the lack of IP visibility. Option B is wrong because virtual wire mode does not require VLAN tags; it can pass untagged traffic, and VLAN tags are optional for segmenting traffic within a virtual wire. Option C is wrong because security policies in Layer 3 mode are used for routed interfaces, not virtual wire interfaces; virtual wire mode operates at Layer 2, and the policy enforcement is based on Layer 2 information, not Layer 3 IP addresses.

40
MCQ · hard

You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for internal corporate network, VR-B for DMZ, and VR-C for Internet edge. Each VR is associated with a separate Vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?

A. The use of multiple virtual routers prevents HA from monitoring interfaces across VRs.
B. The IPsec tunnel monitoring is configured, but it is not a valid HA monitoring method; only path, interface, and route monitoring are supported.
C. The 'monitor hold time' is too short, causing flapping to be ignored.
D. The 'monitor failure only' is set to 'link-status' instead of 'path-monitoring'.
Answer: B

IPsec tunnel monitoring is not an HA monitoring method; the firewall may not consider it for failover decisions.

Why this answer

Option B is correct because IPsec tunnel monitoring is not a supported HA monitoring method on Palo Alto Networks firewalls. The supported methods are path monitoring, interface monitoring, and route monitoring. Since the configuration relies on IPsec tunnel monitoring to trigger failover, the secondary firewall will not take over when the primary's interface goes down, regardless of other settings.

Exam trap

The trap here is that candidates may assume any monitoring feature (like IPsec tunnel monitoring) can be used for HA failover, but Palo Alto Networks explicitly restricts HA monitoring to interface, path, and route monitoring only.

How to eliminate wrong answers

Option A is wrong because multiple virtual routers do not prevent HA from monitoring interfaces across VRs; HA can monitor interfaces in any VR as long as they are configured in the HA monitoring setup. Option C is wrong because a 'monitor hold time' of 1000ms is not too short; it is a standard value, and the issue is not about flapping but about the monitoring method itself. Option D is wrong because setting 'monitor failure only' to 'link-status' is correct for interface-based monitoring; the problem is that IPsec tunnel monitoring is not a valid HA monitoring method, not the failure condition type.

41
MCQ · hard

An organization has a firewall in HA active-passive mode. After a failover, the new active firewall does not have the latest session table. What should be configured to ensure session synchronization?

A. Packet capture on active
B. Session setup on both peers
C. HA session sync
D. Commit force sync
Answer: C

This feature synchronizes active sessions to the passive firewall.

Why this answer

Option C is correct because HA session synchronization (session sync) is the feature that replicates active session state from the active firewall to the passive firewall in an active-passive HA pair. Without this configuration, after a failover the new active firewall has no knowledge of existing sessions, causing all active connections to be dropped and requiring clients to re-establish them. Enabling session sync ensures the passive firewall maintains a synchronized session table, allowing seamless traffic continuation after failover.

Exam trap

The trap here is that candidates often confuse configuration synchronization (commit force sync) with runtime state synchronization (session sync), leading them to select Option D, but commit force sync only pushes configuration changes, not dynamic session data.

How to eliminate wrong answers

Option A is wrong because packet capture is a troubleshooting tool used to inspect traffic, not a mechanism to replicate session state between HA peers. Option B is wrong because session setup on both peers is not a configurable feature; session creation occurs naturally on the active firewall, and without session sync the passive peer does not receive those sessions. Option D is wrong because commit force sync is used to force a configuration synchronization from the active to the passive firewall, but it does not synchronize dynamic runtime data like session tables.

42
MCQ · easy

A company has a firewall with multiple virtual routers. They need to ensure that traffic from a specific subnet (10.1.1.0/24) can reach the internet but not other internal subnets. What is the best way to achieve this?

A. Use NAT policies
B. Configure static routes in the virtual router
C. Implement security policies with source zone and destination zone
D. Configure path monitoring
Answer: C

Security policies allow or deny traffic based on zones. By placing the subnet in a separate zone and creating policies, you can control access.

Why this answer

Option C is correct because security policies in Palo Alto Networks firewalls control traffic based on source and destination zones, enabling you to restrict traffic from the 10.1.1.0/24 subnet (assigned to a specific zone) to only the internet zone while blocking access to other internal subnets. This is achieved by creating a security policy that allows traffic from the source zone (e.g., 'Internal') to the destination zone (e.g., 'Internet') and explicitly denying traffic to other internal zones, without relying on routing or NAT.

Exam trap

The trap here is that candidates often confuse routing (static routes) with security policies, assuming that controlling the path via routes can restrict access, but in Palo Alto firewalls, access control is enforced by security policies, not routing tables.

How to eliminate wrong answers

Option A is wrong because NAT policies only translate IP addresses and do not control access between subnets; they cannot prevent traffic from reaching internal subnets. Option B is wrong because static routes determine the path for traffic but do not enforce access control; they would allow traffic to any reachable destination, including internal subnets. Option D is wrong because path monitoring is used for link failure detection and failover, not for restricting traffic between subnets.

43
Multi-Select · medium

Which TWO factors can cause a firewall to not show any User-ID mapping for a user who is actively logged in?

Select 2 answers
A. The user is using a VPN connection from a remote location
B. The firewall's User-ID agent is in collector mode
C. The User-ID agent is not configured with the firewall's IP as a client
D. The user's traffic is being decrypted by SSL decryption
E. The domain controller is not forwarding security events to the User-ID agent
Answers: C, E

The agent must have the firewall listed as a client to send mappings.

Why this answer

Option C is correct because the User-ID agent must be configured with the firewall's IP address as a client to forward user-to-IP mappings. Without this configuration, the firewall will not receive the mapping data from the agent, even if the user is actively logged in and the agent is collecting security events from the domain controller.

Exam trap

The trap here is that candidates often confuse 'collector mode' with a failure to send mappings, but collector mode actually aggregates and forwards data, so it does not cause missing mappings; the real issue is the missing client IP configuration on the agent.

44
Multi-Select · medium

Which TWO of the following are required for stateful failover in an Active/Passive HA pair?

Select 2 answers
A. HA3 link configured with a dedicated interface.
B. HA1 link configured with a dedicated interface.
C. HA2 link configured with a dedicated interface.
D. Heartbeat backup link configured.
E. Session table synchronization enabled.
Answers: B, C

HA1 is mandatory for heartbeat and management sync.

Why this answer

In an Active/Passive HA pair, stateful failover requires the HA1 link (management/control plane synchronization) and the HA2 link (data plane session synchronization) to be configured with dedicated interfaces. The HA1 link ensures heartbeat and configuration sync, while the HA2 link synchronizes session tables so that the passive firewall can seamlessly take over active sessions without disruption.

Exam trap

The trap here is that candidates often confuse the HA3 link (used for packet forwarding) as mandatory for stateful failover, or they think session table synchronization is a separate toggle rather than an inherent function of the HA2 link.

45
MCQ · easy

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

A. allow
B. reset-both
C. deny
D. drop
Answer: A

'allow' permits the traffic.

Why this answer

The correct action is 'allow' because the security engineer needs to permit inbound HTTPS traffic from the Untrust zone to the DMZ web server. In Palo Alto Networks firewalls, the security policy action 'allow' explicitly permits the traffic to pass through the firewall, which is required for legitimate inbound web traffic.

Exam trap

The trap here is that candidates may confuse 'deny' with 'drop' or think 'reset-both' is a valid way to allow traffic, but only 'allow' actually permits the session to be established and pass through the firewall.

How to eliminate wrong answers

Option B (reset-both) is wrong because it sends TCP RST packets to both the client and server, which would terminate the HTTPS connection rather than allowing it. Option C (deny) is wrong because it discards the traffic and sends a TCP RST to the sender, blocking the inbound HTTPS traffic. Option D (drop) is wrong because it silently discards the traffic without any notification, which would also prevent the HTTPS traffic from reaching the web server.

46
Multi-Select · hard

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)

Select 2 answers
A. Rule: from internal to external, source any, destination any, application any, service tcp/443, action allow.
B. Rule: from internal to external, source internal-users, destination any, application ssl, service application-default, action allow.
C. Rule: from external to internal, source any, destination mail-server-ip, application smtp, service application-default, action allow.
D. Rule: from internal to external, source any, destination any, application any, service any, action allow.
E. Rule: from internal to external, source any, destination any, application web-browsing, service application-default, action allow.
Answers: B, C

Correctly allows HTTPS with application-based control.

Why this answer

Option B is correct because it uses the 'ssl' application to match HTTPS traffic, which is the proper application-based method for allowing outbound HTTPS. This rule specifies the source as 'internal-users' and destination as 'any', with the action 'allow', meeting requirement (1) without over-permitting. Option C is correct because it creates a rule from 'external' to 'internal', targeting the mail server IP with application 'smtp' and service 'application-default'; it permits only SMTP to that specific server, while all other inbound traffic falls to the default interzone deny, satisfying requirement (2).

Exam trap

The trap here is that candidates often confuse 'web-browsing' (HTTP) with 'ssl' (HTTPS) or rely on port-based rules (service tcp/443) instead of application-based rules, which Palo Alto emphasizes for proper security policy enforcement.

47
MCQ · hard

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

A. Another rule earlier in the policy matches the traffic and allows it before reaching this rule.
B. The firewall is configured to not log interzone traffic.
C. The source address 10.1.0.0/16 is not part of the 10.0.0.0/8 subnet.
D. The logging profile is not applied to the rule.
Answer: A

If an earlier rule allows the traffic, this rule is never evaluated, and logging is not triggered.

Why this answer

Option A is correct because in a Palo Alto Networks firewall, security rules are evaluated from top to bottom, and the first matching rule is applied. If an earlier rule in the policy matches the traffic from 10.1.0.0/16 and allows it, the rule with logging at rule end will never be evaluated, and thus no log entry is generated for that traffic.

Exam trap

The trap here is that candidates may assume a subnet like 10.1.0.0/16 is not part of 10.0.0.0/8, but in CIDR notation, 10.1.0.0/16 is indeed a subset of 10.0.0.0/8, so the issue is rule order, not address mismatch.

How to eliminate wrong answers

Option B is wrong because interzone traffic logging is not a global setting that can be disabled; logging is controlled per rule via the log setting at rule start or end. Option C is wrong because 10.1.0.0/16 is a subset of 10.0.0.0/8, so it is included in the source address range. Option D is wrong because the logging profile is not required for basic logging; setting logging at rule end enables logging without a separate profile.

48
Multi-Select · hard

Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?

Select 3 answers
A. Set 'Log at Session End' in the rule.
B. Apply a Log Forwarding profile to the rule.
C. Enable 'Logging' under the rule's 'Actions' tab.
D. Configure 'Log at Rule Match' under the rule's 'Advanced' settings.
E. Set 'Log at Session Start' in the rule.
Answers: A, B, E

This logs when the session ends.

Why this answer

Option A is correct because setting 'Log at Session End' in a security rule explicitly instructs the firewall to generate a traffic log entry when the session terminates, capturing the complete session details including bytes transferred and duration. This is a direct method to enable logging for the rule's traffic.

Exam trap

The trap here is that candidates confuse the 'Actions' tab with logging settings, or assume a 'Log at Rule Match' option exists, when in reality logging is controlled exclusively via the 'Log at Session Start' and 'Log at Session End' checkboxes and Log Forwarding profiles.

49
MCQ · medium

The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?

A. The VLAN ID is misconfigured as 20 instead of 10.
B. The IP netmask is /24 but should be /16.
C. The zone is incorrectly named 'VLAN10'.
D. The virtual router is not correctly set.
Answer: A

The sub-interface expects VLAN tag 20, but traffic from VLAN 10 uses tag 10.

Why this answer

The exhibit shows the sub-interface is configured with VLAN ID 20, but the administrator intended VLAN 10. In Palo Alto Networks firewalls, sub-interfaces use 802.1Q VLAN tagging, and the VLAN ID must match the tag on incoming frames. Mismatched VLAN IDs cause the firewall to drop or ignore traffic because the sub-interface only processes frames with the configured tag.

Exam trap

The trap here is that candidates often confuse the VLAN ID on the sub-interface with the IP subnet or zone name, assuming a mismatch in IP addressing or zone naming is the root cause, when in fact the VLAN tag mismatch is the direct and immediate reason traffic is not processed.

How to eliminate wrong answers

Option B is wrong because the /24 netmask is correct for a /24 subnet (192.168.10.0/24); a /16 would incorrectly expand the subnet to 192.168.0.0/16, causing routing issues but not preventing VLAN 10 traffic from reaching the interface. Option C is wrong because the zone name 'VLAN10' is purely a logical label and has no effect on VLAN tagging or traffic forwarding; zones are security boundaries, not VLAN identifiers. Option D is wrong because the virtual router assignment is independent of VLAN tagging; even if the virtual router were misconfigured, traffic would still reach the sub-interface and be processed, but routing would fail later—not the cause of traffic not being routed through the interface.

50
Multi-Select · hard

Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?

Select 3 answers
A. Active/Passive HA with floating IP
B. ECMP with equal cost routes
C. Policy Based Forwarding combined with path monitoring
D. Active/Passive HA with virtual router synchronization
E. Use of multiple public IPs with NAT rules
Answers: A, B, C

HA provides failover; the floating IP moves to the active firewall.

Why this answer

Active/Passive HA with floating IP (Option A) is valid because the passive firewall assumes the active firewall's IP address upon failover, ensuring outbound traffic continues via the same default gateway. ECMP with equal cost routes (Option B) distributes outbound traffic across multiple paths and provides redundancy by automatically failing over if one path is lost. Policy Based Forwarding combined with path monitoring (Option C) allows you to define forwarding policies based on traffic attributes and monitor path health, redirecting traffic if a monitored path fails.

Exam trap

The trap here is that candidates confuse virtual router synchronization (which only replicates routing tables) with actual failover mechanisms like floating IPs or path monitoring, assuming that synchronized routing alone provides redundancy for outbound traffic.

51
MCQ · medium

An administrator wants to ensure that all traffic from the internal network to the internet uses a specific public IP address for source NAT. There are multiple public IP addresses available. What is the best way to achieve this?

A. Configure a NAT IP pool
B. Use a static NAT policy
C. Create a dynamic IP and port (DIPP) NAT policy with the specific IP as translated address
D. Use a PAT pool
Answer: C

DIPP NAT can use a specific public IP address for source NAT.

Why this answer

Option C is correct because a Dynamic IP and Port (DIPP) NAT policy allows you to specify a single translated address (the specific public IP) while still performing port address translation (PAT) to handle multiple internal sessions. This ensures all outbound traffic uses that exact public IP, unlike a pool which would distribute across multiple IPs. DIPP is the standard method for source NAT with a single IP when many internal hosts need concurrent internet access.

Exam trap

The trap here is confusing a NAT IP pool (which distributes traffic across multiple IPs) with a DIPP policy that uses a single IP, leading candidates to incorrectly select option A or D when the requirement is to use a specific single public IP.

How to eliminate wrong answers

Option A is wrong because a NAT IP pool distributes traffic across multiple public IPs, not guaranteeing a single specific IP for all traffic. Option B is wrong because static NAT is a one-to-one mapping between a private IP and a public IP, not suitable for many-to-one source NAT from an entire internal network. Option D is wrong because a PAT pool is a specific type of NAT IP pool that uses port translation but still distributes sessions across multiple IPs in the pool, failing to enforce a single public IP.

52
Multi-Select · easy

Which TWO actions should be taken when deploying a Palo Alto Networks firewall in a branch office to ensure secure and efficient operation? (Choose two.)

Select 2 answers
A. Enable Threat Prevention profiles to block known malware
B. Configure logging for all traffic to enable monitoring and troubleshooting
C. Leave the default admin password until the next audit
D. Use the default NAT policies provided by the initial configuration
E. Manually download dynamic updates daily to ensure latest signatures
Answers: A, B

Threat prevention is critical for security; without it, the firewall is not fully effective.

Why this answer

Enabling Threat Prevention profiles (A) is correct because it applies IPS signatures to block known malware, exploits, and vulnerabilities inline, which is essential for branch office security without requiring constant manual intervention. Configuring logging for all traffic (B) is correct because it provides visibility for monitoring, troubleshooting, and compliance, and is necessary for effective use of features like ACC and reporting.

Exam trap

The trap here is that candidates may think default NAT policies are acceptable for branch offices or that manual updates are more reliable, but the PCNSE exam emphasizes automation and security best practices, making options D and E incorrect due to their lack of scalability and security posture.
