CCNA Manage, Monitor and Operate Questions

75 of 81 questions · Page 1/2 · Manage, Monitor and Operate · Answers revealed

1
MCQ · hard

A large enterprise has deployed two Palo Alto Networks PA-5250 firewalls in active/passive HA mode with Panorama for centralized management. The network contains over 10,000 users across multiple sites. Recently, the security team deployed a new security policy rule to block a set of high-risk applications. After the commit, the firewall's CPU utilization spiked to 95% and sessions started to drop intermittently. The firewall logs show a high number of session setup failures and timeouts. The existing security policy contains over 5,000 rules. The new rule uses application-based filtering and is placed near the top of the rulebase. What is the most effective course of action to reduce CPU load while maintaining security?

A. Remove the new rule and implement the blocking via a Threat Prevention profile instead.
B. Move the new rule to the bottom of the rulebase to reduce matching frequency.
C. Convert the new rule to use a simplified service-based filter instead of application-based to reduce processing overhead.
D. Increase the session table size and adjust the TCP timewait timeout to reduce session setup overhead.
Answer: A

Threat Prevention profiles are more efficient for blocking known applications and offload processing from the policy engine.

Why this answer

The CPU spike is likely due to the heavy application identification processing required for the new rule. Option A is the most effective because using a Threat Prevention profile to block the applications offloads the processing to the threat engine, which is more efficient than application-based security rules. Option B is incorrect because moving the rule to the bottom does not reduce the number of sessions that must be matched; it may actually increase processing as rules above it are evaluated.

Option C is incorrect because service-based filtering would not effectively block the targeted applications. Option D is incorrect because increasing session table size does not reduce CPU load; it might exacerbate the issue.

2
MCQ · hard

A firewall is configured with two virtual routers in an active/passive HA pair. The active firewall fails over, and after failover, traffic is not passing through the new active firewall. The interface IP addresses are configured as virtual IPs. What is the most likely cause?

A. The session table is not synchronized between HA peers.
B. The passive firewall's routing table is not synchronized.
C. The virtual router is not configured to use the virtual IPs.
D. The HA configuration does not include the virtual router.
Answer: A

Without session synchronization, the new active firewall does not have existing sessions, causing traffic drops.

Why this answer

Option D is correct because after failover, the session table on the new active firewall may not be synchronized if session synchronization is not enabled or if the session table was not fully synced before failover. This causes the new active firewall to not have active sessions, leading to traffic drops. Options A, B, and C are incorrect because virtual router configuration, HA synchronization, and ARP tables are typically handled automatically in HA.

3
MCQ · hard

A security operations center (SOC) uses Panorama to monitor all firewalls. They notice that some log entries show a severity of 'critical' but the alerting system does not fire. The log forwarding profile on Panorama is configured to send syslog alerts for severity 'critical'. The syslog server receives other logs from Panorama but not these critical logs. The administrator checks the Panorama configuration and finds that the log forwarding profile is applied to the correct log types. What is the most likely issue?

A. The log forwarding profile on Panorama is not applied to the managed firewalls.
B. The critical logs are generated on the firewall and not forwarded to Panorama.
C. The Panorama's log collector is not processing the logs correctly.
D. The syslog server is filtering out the critical logs based on the source IP.
Answer: B

If the firewall is not forwarding critical logs to Panorama, Panorama cannot forward them.

Why this answer

Option C is correct because if the critical logs are generated on the firewall but not forwarded to Panorama (e.g., due to missing log forwarding on the firewall or a filter), Panorama cannot forward them to the syslog server. Option A is incorrect because the syslog server receives other logs from Panorama, so filtering is unlikely. Option B is incorrect because the log forwarding profile on Panorama is applied to Panorama's own logs, not to the logs forwarded from firewalls.

Option D is incorrect because the log collector processes logs, and if it were an issue, other logs would also be affected.

4
MCQ · easy

The firewall log shows repeated IKE phase 1 negotiation failures. The remote peer is a third-party VPN device. Which of the following is the most likely cause?

A. The remote peer's firewall is blocking UDP port 500.
B. The pre-shared key is incorrect.
C. The IKE encryption algorithm settings do not match between the local firewall and the remote peer.
D. The IKE version (v1 vs v2) is mismatched between the two devices.
Answer: C

Mismatched IKE parameters cause the 'No Proposal Chosen' error during phase 1 negotiation.

Why this answer

IKE phase 1 negotiation failures are most commonly caused by mismatched IKE parameters, particularly the encryption algorithm (e.g., AES-256 vs AES-128), hash algorithm, DH group, or lifetime. Since the remote peer is a third-party device, the local firewall and remote peer must agree on all IKE phase 1 proposals; if even one parameter (like encryption) does not match, the negotiation fails. Option C directly addresses this core requirement.

Exam trap

The trap here is that candidates often assume pre-shared key mismatch is the most common cause of IKE phase 1 failures, but in reality, parameter mismatches (especially encryption algorithms) are more frequent and cause negotiation failures before authentication even begins.

How to eliminate wrong answers

Option A is wrong because UDP port 500 blocking would typically result in no response or timeout, not repeated negotiation failures with specific error messages in the logs. Option B is wrong because an incorrect pre-shared key would cause IKE phase 1 authentication failure (after the proposal is accepted), not a negotiation failure during the proposal exchange. Option D is wrong because IKE version mismatch would cause a different failure (e.g., 'no proposal chosen' or version incompatibility), but the question specifies 'repeated IKE phase 1 negotiation failures' which is more characteristic of parameter mismatches within the same version.

5
MCQ · hard

A company uses Panorama to manage multiple firewalls. An administrator pushes a template that includes a new Security Profiles group, but the firewalls do not receive the profile group. What is the most likely cause?

A. The profile group references a profile that does not exist in the template.
B. The push was performed to device groups instead of templates.
C. The firewalls are not assigned to the template that contains the profile group.
D. The commit was not selected to include the new profiles.
Answer: C

If the firewall is not in the correct template, it won't apply the profile group.

Why this answer

Option C is correct because Panorama pushes templates to firewalls based on template assignment. If a firewall is not assigned to the template that contains the Security Profiles group, the firewall will never receive that configuration, regardless of the push operation. Template assignment is a prerequisite for any template-based configuration to be applied to a managed firewall.

Exam trap

The trap here is that candidates often confuse the push operation for device groups with the push for templates, assuming that a single push covers all configuration, when in fact Panorama requires separate pushes for templates and device groups, and template assignment is a prerequisite for receiving any template-based configuration.

How to eliminate wrong answers

Option A is wrong because if a profile group references a profile that does not exist in the template, Panorama would generate a validation error during a commit or push, preventing the push from succeeding entirely — the firewalls would not partially receive the group without the missing profile. Option B is wrong because Panorama pushes templates and device groups separately; a push to device groups does not affect template content, and the administrator would need to push templates to deliver the profile group. Option D is wrong because the commit operation is not a per-object selection; when a commit is performed on Panorama, all pending changes in the selected template or device group are included — there is no option to selectively exclude new profiles from a commit.

6
MCQ · easy

Refer to the exhibit. The firewall's disk usage is at 85% overall, and the /opt/panlogs partition is at 92%. The administrator wants to free up space without losing important log data. Which action should be taken first?

A. Configure log auto-deletion in the Log Settings to purge logs older than a specified period
B. Add an external storage device to the firewall
C. Delete configuration files from /opt/pancfg
D. Delete the /opt/panlogs directory and recreate it
Answer: A

Auto-deletion frees space by removing old logs.

Why this answer

Option A is correct because configuring log auto-deletion in the Log Settings allows the administrator to automatically purge older logs based on a specified retention period, freeing up disk space on the /opt/panlogs partition without manually deleting important log data. This is the safest and most controlled method, as it respects the firewall's log management policies and ensures compliance with data retention requirements.

Exam trap

Palo Alto Networks often tests the misconception that deleting configuration files or directories is a valid troubleshooting step, when in fact the correct approach is to use built-in log management features like auto-deletion to safely reclaim space without data loss.

How to eliminate wrong answers

Option B is wrong because adding an external storage device does not free up existing disk space; it only provides additional capacity, and the immediate issue of 92% usage on /opt/panlogs remains unresolved. Option C is wrong because deleting configuration files from /opt/pancfg would remove critical firewall configuration data, potentially causing operational failures or loss of policy settings, and it does not address the log partition issue. Option D is wrong because deleting the /opt/panlogs directory and recreating it would permanently remove all log data, which violates the requirement to not lose important log data, and may also disrupt logging services until the directory is properly recreated with correct permissions.

7
Multi-Select · medium

A firewall administrator needs to configure a new security policy rule to block traffic from the 'Guest' zone to the 'Corporate' zone for all ports except HTTP and HTTPS. Which two configuration steps are required? (Choose two.)

A. Create a rule with source zone 'Guest', destination zone 'Corporate', application 'web browsing' and 'ssl' with action 'allow'.
B. Create a rule with source zone 'Guest', destination zone 'Corporate', application 'any' with action 'deny'.
C. Configure a 'Log Forwarding' profile to send alerts for denied traffic.
D. Ensure the allow rule for web browsing and ssl is placed before the deny rule.
E. Create a rule with source zone 'Guest', destination zone 'Corporate', and application 'any' with action 'allow'.
Answers: A, D

This allows HTTP and HTTPS traffic.

Why this answer

Option A is correct because to allow HTTP and HTTPS traffic from Guest to Corporate, you must create an allow rule that specifies the source zone 'Guest', destination zone 'Corporate', and the applications 'web-browsing' (HTTP) and 'ssl' (HTTPS). This rule permits only those specific applications while implicitly denying all other traffic, as Palo Alto Networks firewalls use a default-deny policy for inter-zone traffic.

Exam trap

Palo Alto Networks often tests the rule ordering requirement in security policies, where candidates mistakenly think a single rule with 'allow' and specific applications is sufficient without a subsequent deny rule, or they incorrectly assume that a deny rule with 'any' can be placed anywhere in the rulebase.

8
Multi-Select · easy

Which TWO of the following are valid methods to upgrade the PAN-OS software on a firewall? (Choose two.)

A. Insert a USB drive with the image into the firewall's USB port
B. Download from the Palo Alto Networks support site and install via the web interface
C. Use the 'request system software upgrade' CLI command with a URL
D. Use FTP to transfer the image to the firewall
E. Email the image to the firewall's email-to-PAN-OS feature
Answers: B, C

Standard method.

Why this answer

Option B is correct because the PAN-OS web interface provides a built-in method to upload and install software images downloaded from the Palo Alto Networks support site. This is a standard, supported upgrade path that uses HTTPS to transfer the image to the firewall.

Exam trap

The trap here is that candidates often assume USB or FTP are valid methods because they are common in other network devices, but PAN-OS strictly restricts upgrade image sources to HTTPS downloads or the CLI with a URL, and USB is only for bootstrap or recovery operations.

9
MCQ · easy

A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?

A. (addr.src eq user@domain.com) or (eventid eq auth-fail)
B. (addr.src eq user@domain.com) and (severity ge medium)
C. (addr.src eq user@domain.com) and (eventid eq auth-fail)
D. (src eq user@domain.com) and (eventid eq auth)
Answer: C

Correctly combines user and auth-fail event.

Why this answer

Option C is correct because the filter (addr.src eq user@domain.com) and (eventid eq auth-fail) uses the proper source address field (addr.src) to match the user's IP or identity and the exact event ID for authentication failures (auth-fail). This combination ensures only failed authentication events from that specific user are displayed in the monitor tab, meeting the administrator's requirement precisely.

Exam trap

Palo Alto Networks often tests the distinction between the correct field name 'addr.src' versus the incorrect 'src' and the exact event ID 'auth-fail' versus the broader 'auth', exploiting the common misconception that 'src' is a valid shorthand or that 'auth' alone captures failures.

How to eliminate wrong answers

Option A is wrong because it uses the OR operator, which would show all events where either the source address matches the user OR any authentication failure occurs, resulting in excessive logs including failures from other users. Option B is wrong because it filters by severity ge medium, which includes many event types beyond authentication failures (e.g., medium-severity threats or system events), not isolating only auth-fail events. Option D is wrong because it uses the incorrect field name 'src' instead of 'addr.src' for the source address, and the event ID 'auth' is too broad (it matches all authentication events, including successes), failing to narrow down to only failures.

10
MCQ · easy

Refer to the exhibit. What does the uptime indicate?

A. The firewall license is about to expire.
B. The firewall is in active-passive HA mode.
C. The firewall has high memory usage.
D. The firewall has been restarted approximately 3 hours ago.
Answer: D

Uptime directly indicates time since last boot.

Why this answer

The uptime displayed in the exhibit shows the firewall has been running for approximately 3 hours. This directly indicates that the firewall was restarted or rebooted about 3 hours ago, making option D correct. Uptime is a measure of time since the last system boot, not related to licensing, HA mode, or memory usage.

Exam trap

The trap here is that candidates may confuse uptime with license expiration or HA status, but uptime is solely a measure of system runtime since last boot and has no bearing on licensing, HA mode, or memory usage.

How to eliminate wrong answers

Option A is wrong because license expiration is shown under 'License' or 'Device > Licenses', not in the uptime field; uptime only reflects system runtime since last boot. Option B is wrong because active-passive HA mode is indicated by HA configuration and state (e.g., 'active-passive' in HA settings), not by uptime; uptime values are independent of HA role. Option C is wrong because high memory usage is monitored via 'Device > Resources' or CLI commands like 'show system resources', not by uptime; uptime does not correlate with memory consumption.

11
Multi-Select · hard

Which TWO configurations are required for User-ID to work using the Windows User-ID Agent (WUA) in a distributed environment?

A. The User-ID Agent must have permissions to query Active Directory domain controllers.
B. Firewalls must be configured to send User-ID data to the Agent via Server Monitoring.
C. An Application Override policy must be created for User-ID traffic.
D. The firewall must be able to reach the User-ID Agent's IP address on TCP port 5007.
E. The User-ID Agent must be in the same Layer 2 subnet as the users.
Answers: A, D

User-ID Agent queries DCs for user logon events.

Why this answer

Option A is correct because the Windows User-ID Agent (WUA) must have permissions to query Active Directory (AD) domain controllers to retrieve user login events (e.g., security event ID 4624). Without these permissions, the agent cannot map IP addresses to usernames, which is the core function of User-ID in a distributed environment.

Exam trap

The trap here is that candidates often confuse the direction of data flow, thinking the firewall sends data to the agent (Option B), or assume the agent must be on the same subnet as users (Option E), when in fact the agent only needs network reachability and AD query permissions.

12
MCQ · medium

Refer to the exhibit. The firewall is experiencing high dataplane CPU usage (85%) with 45,000 active sessions out of a maximum of 100,000. Which of the following is the most likely cause of the high CPU?

A. SSL decryption is enabled and processing many sessions
B. The firewall is reaching its maximum session limit
C. The firewall is under a DDoS attack
D. There is a high rate of UDP sessions
Answer: A

SSL decryption is CPU-intensive.

Why this answer

SSL decryption is a highly CPU-intensive operation because it requires the firewall to terminate and re-encrypt TLS connections, performing asymmetric and symmetric cryptographic operations for each session. With 45,000 active sessions, even if the session count is below the 100,000 limit, the per-session processing overhead of SSL decryption can drive dataplane CPU to 85%.

Exam trap

The trap here is that candidates assume high CPU must be due to reaching session limits or an attack, but Cisco tests the understanding that SSL decryption's per-session cryptographic overhead can cause high CPU even at moderate session counts.

How to eliminate wrong answers

Option B is wrong because the firewall is only at 45,000 sessions out of 100,000, so it is not reaching its maximum session limit; high CPU from session count typically occurs near the limit. Option C is wrong because a DDoS attack would likely cause a high session rate or session table overflow, not necessarily sustained 85% CPU with only 45,000 sessions, and the question provides no evidence of attack patterns. Option D is wrong because UDP sessions are generally less CPU-intensive than TCP sessions (no state machine complexity), and a high rate of UDP sessions would more likely cause session table exhaustion rather than sustained high CPU.

13
MCQ · hard

A GlobalProtect gateway is configured as shown. Remote users report that they can connect to the gateway but cannot authenticate. The users are using the GlobalProtect client with certificate authentication. What is the most likely cause?

A. The IPSec crypto profile is too strong for the clients.
B. The IP pool is exhausted.
C. The DNS server is misconfigured, causing authentication failure.
D. The gateway does not have a root CA certificate imported for validating client certificates.
Answer: D

Client certificate validation requires the gateway to trust the issuing CA.

Why this answer

Option C is correct because for client certificate authentication, the firewall must have the root CA certificate that issued the client certificates imported; otherwise, it cannot validate the client certificate. Option A is wrong as DNS is only for client DNS server assignment. Option B (IP pool exhaustion) would prevent IP assignment, not authentication.

Option D (crypto profile) affects tunnel establishment, not authentication.

14
MCQ · easy

An administrator needs to generate a tech support file for TAC. Which CLI command accomplishes this?

A. debug generate dump
B. generate tech-support
C. show tech-support
D. request tech-support
Answer: B

This command generates a tech support file (tgz) that can be exported.

Why this answer

The correct command to generate a tech support file on Palo Alto Networks firewalls is 'generate tech-support'. This command collects all relevant logs, configurations, and diagnostic data into a single archive file for TAC analysis. The 'generate' keyword is specific to Palo Alto's CLI syntax for creating output files, unlike Cisco's 'show' or 'request' commands.

Exam trap

The trap here is that candidates familiar with Cisco IOS often default to 'show tech-support' or 'request tech-support', but Palo Alto uses 'generate' as the action verb for creating output files, not 'show' or 'request'.

How to eliminate wrong answers

Option A is wrong because 'debug generate dump' is not a valid Palo Alto CLI command; debug commands are used for real-time troubleshooting, not generating static tech support files. Option C is wrong because 'show tech-support' is a Cisco IOS command that displays output to the terminal but does not create a downloadable file on Palo Alto firewalls. Option D is wrong because 'request tech-support' is not a valid Palo Alto command; the correct syntax uses 'generate' as the action verb for creating support files.

15
MCQ · easy

A network administrator notices that traffic from a specific internal subnet is not being logged to the firewall's system logs despite log forwarding being configured. The firewall is running PAN-OS 10.1. Which configuration is most likely causing the issue?

A. The subnet is not in the 'Log Destination' list.
B. The traffic is being matched by a rule with 'Log at Session End' disabled.
C. Log forwarding profile is not applied to the security policy rule.
D. The firewall's management plane is overloaded.
Answer: B

If logging is disabled on the rule, no logs are created, so forwarding has no effect.

Why this answer

Option B is correct because in PAN-OS, a security policy rule must have 'Log at Session End' enabled to generate session-end logs. If this setting is disabled, the firewall will not log the traffic even if a log forwarding profile is applied. Since the administrator has confirmed log forwarding is configured, the most likely cause is that the specific rule matching the subnet's traffic has logging disabled.

Exam trap

The trap here is that candidates assume log forwarding configuration alone guarantees logs, overlooking the prerequisite that the security rule must have 'Log at Session End' enabled to generate the log entries that are then forwarded.

How to eliminate wrong answers

Option A is wrong because there is no 'Log Destination' list in PAN-OS; log forwarding is configured via log forwarding profiles, not a subnet-based destination list. Option C is wrong because the question states log forwarding is configured, so the profile is applied; the issue is that the rule itself is not generating logs to forward. Option D is wrong because a management plane overload would cause general logging delays or drops, not a selective absence of logs from a specific subnet while other traffic logs appear.

16
MCQ · hard

A network engineer needs to configure SNMP traps on a PA-5250 running PAN-OS 10.2 to alert when CPU usage exceeds 80% for more than 10 minutes. Which CLI command should be used to set this threshold?

A. set snmp-server trap cpu-threshold 80
B. show snmp-server trap
C. set snmp-server trap source-interface ethernet1/1
D. set snmp-server trap destination host 192.168.1.100 community public
Answer: A

This sets the CPU threshold for generating traps.

Why this answer

Option A is correct because the CLI command 'set snmp-server trap cpu-threshold 80' directly configures the CPU utilization threshold for SNMP trap generation on a Palo Alto Networks firewall running PAN-OS 10.2. When the CPU usage exceeds 80% for a sustained period (default 10 minutes), the firewall sends an SNMP trap to configured trap destinations. This command is specific to setting the threshold value, and the 10-minute duration is a fixed, non-configurable parameter in this PAN-OS version.

Exam trap

The trap here is that candidates often confuse the 'set snmp-server trap' command with subcommands for destinations or interfaces, failing to recognize that 'cpu-threshold' is a distinct parameter that must be set separately from trap receiver configuration.

How to eliminate wrong answers

Option B is wrong because 'show snmp-server trap' is a verification command that displays current SNMP trap configuration, not a configuration command to set a threshold. Option C is wrong because 'set snmp-server trap source-interface ethernet1/1' configures the source interface for outgoing SNMP traps, not the CPU threshold. Option D is wrong because 'set snmp-server trap destination host 192.168.1.100 community public' defines a trap receiver and its SNMP community string, but does not set the CPU threshold value.

17
Matching · medium

Match each Palo Alto Networks product to its primary use case.


Concepts
Matches

Next-generation firewall for enterprise

Virtual firewall for cloud environments

Container firewall for Kubernetes

Cloud-delivered security for remote users

Extended detection and response for endpoints

Why these pairings

These are key products in the Palo Alto Networks portfolio.

18
MCQ · medium

A company wants to forward logs from a firewall to a SIEM system with high reliability. Which log forwarding method ensures that logs are not lost if the SIEM is temporarily unreachable?

A. Email (SMTP) for each log.
B. Syslog over TCP with buffering enabled in the log forwarding profile.
C. Syslog over UDP with a log forwarding profile.
D. Syslog over SSL without optional buffering.
Answer: B

TCP provides reliable delivery, and buffering prevents loss during downtime.

Why this answer

Syslog over TCP with buffering enabled in the log forwarding profile ensures reliable delivery because TCP provides acknowledgment and retransmission of lost segments, while the buffering mechanism stores logs locally on the firewall when the SIEM is unreachable and retransmits them once connectivity is restored. This combination prevents log loss during temporary network or SIEM outages.

Exam trap

The trap here is that candidates often assume Syslog over TCP alone guarantees delivery, but without buffering enabled in the log forwarding profile, the firewall will drop logs if the TCP connection fails, making buffering the key differentiator for reliability.

How to eliminate wrong answers

Option A is wrong because email (SMTP) is not designed for high-volume, real-time log forwarding and can easily fail or queue indefinitely without reliable retransmission guarantees. Option C is wrong because Syslog over UDP is connectionless and inherently unreliable; logs are silently dropped if the SIEM is unreachable, with no buffering or retransmission. Option D is wrong because Syslog over SSL without optional buffering provides encryption but no local storage or retransmission mechanism; if the SIEM is unreachable, the TCP connection fails and logs are lost without buffering.

19
MCQ · easy

An administrator needs to generate a report showing all traffic denied by the firewall over the past week. Which type of report in the firewall web interface should be used?

A. Application Report
B. Threat Report
C. URL Filtering Report
D. Traffic Report
Answer: D

Traffic Report allows filtering by action (allow/deny) to show denied traffic.

Why this answer

Option C is correct because the Traffic Report can be filtered by action (e.g., deny) to show denied traffic. Options A, B, and D are incorrect as they focus on specific categories like applications, threats, or URL filtering.

20
MCQ · medium

An engineer notices a decrease in network performance and wants to verify if a specific security policy is being triggered frequently. Which CLI command will show the hit count for a specific policy?

A. show security-rulebase
B. show rule-usage
C. show running security-policy hit-count
D. show running security-policy
Answer: C

This shows hit counts for all security policies, and can be filtered to a specific rule.

Why this answer

Option C is correct because the 'show running security-policy hit-count' command displays the hit count for each security policy rule, allowing the engineer to identify which specific policy is being triggered frequently. This command directly shows the number of times a rule has matched traffic, which is essential for diagnosing performance issues related to policy usage.

Exam trap

The trap here is that candidates may confuse 'show running security-policy' (which shows configuration) with 'show running security-policy hit-count' (which shows usage statistics), or they may incorrectly recall non-existent commands like 'show rule-usage' from other vendors.

How to eliminate wrong answers

Option A is wrong because 'show security-rulebase' is not a valid CLI command on Palo Alto Networks firewalls; the correct command to view the rulebase is 'show running security-policy'. Option B is wrong because 'show rule-usage' is not a valid command; the correct command to view rule usage statistics is 'show running security-policy hit-count'. Option D is wrong because 'show running security-policy' displays the current security policy configuration but does not include hit counts, so it cannot show how frequently a policy is triggered.

21
MCQ · medium

A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?

A. Virtual System Admin
B. Superuser
C. Device Admin
D. Role-Based Admin
Answer: A

Vsys admin can be scoped to a specific vsys with limited permissions.

Why this answer

A Virtual System Admin role is specifically designed to delegate administrative access to a single virtual system (vsys) within a Palo Alto Networks firewall. This role allows the junior administrator to configure security policies and objects within their assigned vsys, while explicitly preventing access to system settings, device-level configurations, or other virtual systems. This matches the requirement exactly.

Exam trap

The trap here is that candidates often confuse 'Virtual System Admin' with 'Role-Based Admin', thinking they need to create a custom role, when the predefined Virtual System Admin role is the exact fit for delegating per-vsys management.

How to eliminate wrong answers

Option B (Superuser) is wrong because a Superuser has full read-write access to all virtual systems and all system settings, which would grant the junior administrator access to other vsys and device-level configurations, violating the requirement. Option C (Device Admin) is wrong because a Device Admin has full access to the device's system settings and all virtual systems, again providing broader access than intended. Option D (Role-Based Admin) is wrong because it is a generic category for custom roles, but the specific predefined role that matches the requirement is Virtual System Admin; assigning a custom Role-Based Admin would require manually creating a role with the exact permissions, which is less direct and not the standard answer for this scenario.

22
MCQeasy

A firewall administrator needs to ensure that traffic matching a specific security policy rule is always logged to Panorama even if the local firewall's management plane is temporarily unreachable. Which configuration should be used?

A.Set the rule to 'Log at Session End' and use 'Log Forwarding' with 'Enhanced Application Logging'.
B.Configure a 'Log Forwarding' profile with 'Buffering' enabled.
C.Configure 'Log Forwarding' with 'Override' to send logs directly to a syslog server.
D.Use the 'High Availability' feature with active/passive.
AnswerB

Buffering queues logs locally and sends them when connectivity with Panorama is restored.

Why this answer

Option B is correct because buffering stores logs locally on the firewall while Panorama is unreachable and forwards the backlog once connectivity is restored. Option A (Log at Session End plus Enhanced Application Logging) controls what is logged, not what happens when the destination is unreachable. Option C bypasses Panorama entirely and still needs a reachable syslog server. Option D (HA) keeps traffic flowing but does nothing for log delivery. Practitioner note: on PAN-OS the buffering control is 'Buffered Log Forwarding from Device' under Device > Setup > Management > Logging and Reporting Settings, enabled by default; the Log Forwarding profile attached to the rule selects Panorama as the destination, and the device setting governs buffering.

23
MCQmedium

An engineer is troubleshooting a security policy that is not matching traffic as expected. The traffic is from source IP 10.1.1.10 to destination 172.16.0.1 port 443. The policy has source zone 'Internal', destination zone 'DMZ', source address '10.1.1.0/24', destination address '172.16.0.0/24', application 'ssl'. The firewall shows the traffic hitting a different rule. What is the most likely cause?

A.The source zone is incorrectly assigned; traffic is coming from a different zone.
B.The destination address is not in the specified subnet due to NAT.
C.The application 'ssl' does not match because the traffic is actually using TLS 1.3.
D.The traffic is being matched by an earlier rule with broader criteria.
AnswerD

Rule order matters; a prior rule with broader source/destination/application may match before the intended rule.

Why this answer

The most likely cause is that an earlier rule in the security policy rulebase matches the traffic before the intended rule. Palo Alto Networks firewalls evaluate security rules in sequential order from top to bottom, and the first rule that matches all criteria (source/destination zone, source/destination address, application, etc.) is applied. If a rule with broader criteria (e.g., any/any or a less specific application) appears earlier, it will match the traffic, preventing the intended rule from being hit.

Exam trap

Palo Alto Networks often tests the misconception that application signatures are version-specific (e.g., TLS 1.3 vs. SSL), but Palo Alto Networks uses generic application signatures that match all versions of a protocol, so candidates incorrectly eliminate the correct answer due to a misunderstanding of application identification.

How to eliminate wrong answers

Option A is possible but less likely: a misassigned source zone would send the flow to a different rule (often the interzone default deny), yet nothing in the scenario points to a zone problem, and rule order is the first thing to verify when a flow hits an unexpected rule. Option B is wrong because security policy is evaluated against the pre-NAT source and destination addresses (with post-NAT zones); 172.16.0.1 is within 172.16.0.0/24, so NAT does not explain the miss. Option C is wrong because the App-ID 'ssl' matches SSL/TLS handshakes regardless of protocol version, TLS 1.3 included. To confirm which rule a flow hits, run test security-policy-match from Internal to DMZ source 10.1.1.10 destination 172.16.0.1 destination-port 443 protocol 6 application ssl on the CLI.
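As an added illustration (not part of the original question set), the following Python models the top-down, first-match evaluation described above and flags rules that a broader earlier rule shadows. The rulebase, zones and addresses are constructed for the example, matching is simplified to zone, address and application, and the on-box equivalent of first_match is the CLI command test security-policy-match.

```python
"""Added example: first-match evaluation of a simplified security rulebase
and a shadowed-rule check. Rules, zones and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    to_zone: str
    source: str         # CIDR or "any"
    destination: str
    application: str    # App-ID name or "any"
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str


def _addr_match(cidr, ip):
    return cidr == ANY or ip_address(ip) in ip_network(cidr, strict=False)


def rule_matches(rule, flow):
    """True when every rule field is 'any' or equals/contains the flow's value."""
    return (rule.from_zone in (ANY, flow.from_zone)
            and rule.to_zone in (ANY, flow.to_zone)
            and _addr_match(rule.source, flow.src)
            and _addr_match(rule.destination, flow.dst)
            and rule.application in (ANY, flow.application))


def first_match(rulebase, flow):
    """Top-down first match; None means the implicit default rule would apply."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule
    return None


def _covers(broad, narrow, is_addr):
    """Does field value `broad` match everything that `narrow` matches?"""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    if is_addr:
        return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))
    return broad == narrow


def shadowed_rules(rulebase):
    """(rule, earlier rule) pairs where the earlier rule matches everything
    the later one matches, so the later rule can never be hit."""
    found = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_covers(earlier.from_zone, rule.from_zone, False)
                    and _covers(earlier.to_zone, rule.to_zone, False)
                    and _covers(earlier.source, rule.source, True)
                    and _covers(earlier.destination, rule.destination, True)
                    and _covers(earlier.application, rule.application, False)):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed rulebase: a broad outbound rule sits above the intended one.
RULEBASE = [
    Rule("Allow-Internal-Out", "Internal", ANY, "10.0.0.0/8", ANY, ANY, "allow"),
    Rule("Allow-Internal-DMZ-SSL", "Internal", "DMZ", "10.1.1.0/24", "172.16.0.0/24", "ssl", "allow"),
    Rule("Deny-All", ANY, ANY, ANY, ANY, ANY, "deny"),
]
FLOW = Flow("Internal", "DMZ", "10.1.1.10", "172.16.0.1", "ssl")

if __name__ == "__main__":
    print("hit:", first_match(RULEBASE, FLOW).name)
    print("shadowed:", shadowed_rules(RULEBASE))
    reordered = [RULEBASE[1], RULEBASE[0], RULEBASE[2]]
    print("after reorder:", first_match(reordered, FLOW).name)
```

Running it shows the flow from the question landing on Allow-Internal-Out, the intended rule reported as shadowed by it, and the intended rule matching once it is moved above the broader one, which is the fix the answer implies.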

24
MCQmedium

After upgrading a PA-5250 from PAN-OS 9.1 to PAN-OS 10.1, the firewall fails to establish IPsec VPN tunnels with remote peers. The crypto profiles and IKE gateways appear unchanged. What is the most likely cause?

A.The default SSL/TLS service profile changed, affecting management access.
B.The IKEv2 default configuration now requires a pre-shared key minimum length of 32 characters.
C.The upgrade reset the IKE gateway configuration to default.
D.The firewall's management IP address changed during the upgrade.
AnswerB

PAN-OS 10.1 enforces a minimum PSK length of 32 characters for IKEv2; shorter keys cause negotiation failure.

Why this answer

The answer key attributes the failure to PAN-OS 10.1 enforcing a 32-character minimum for IKEv2 pre-shared keys, so that a shorter legacy PSK is rejected during authentication even though the IKE gateway and crypto profiles are unchanged. Verify this against the PAN-OS 10.1 release notes before relying on it; an enforced PSK length minimum is not a widely documented PAN-OS behaviour. Either way, the evidence is in the negotiation itself: check the System log for ikemgr events, run test vpn ike-sa gateway <gateway-name>, and read less mp-log ikemgr.log to see which proposal or authentication step fails.

Exam trap

The trap here is that candidates assume unchanged crypto profiles and IKE gateways mean no configuration issue, overlooking the silent enforcement of a new default PSK length requirement introduced in PAN-OS 10.1.

How to eliminate wrong answers

Option A is wrong because the default SSL/TLS service profile affects management access (e.g., web UI, API), not IPsec VPN tunnel establishment, which is a data-plane function. Option C is wrong because the upgrade does not reset IKE gateway configurations to default; the configuration is preserved during a standard upgrade. Option D is wrong because the management IP address is a separate configuration that does not change during an upgrade unless explicitly modified, and it does not impact IPsec VPN tunnel establishment with remote peers.

25
MCQhard

Two firewalls in an active/passive HA configuration are not synchronizing sessions. The 'show high-availability state' command shows both peers as 'active' and 'passive' correctly, but session synchronization is not working. What is the most likely cause?

A.The HA3 link is not configured or is misconfigured.
B.The HA2 link is down.
C.The passive firewall does not have management API access.
D.The logging settings on both firewalls are different.
AnswerB

In active/passive HA, session state is synchronized over the HA2 data link; if HA2 is down the peers still agree on state over HA1 but sessions are not replicated.

Why this answer

PAN-OS uses three HA links with distinct roles. HA1 is the control link: hello and heartbeat messages, HA state election and configuration synchronization. HA2 is the data link: session table, forwarding table, ARP table and IPsec SA synchronization. HA3 is the packet forwarding link used only in active/active mode, where one peer forwards packets belonging to sessions the other peer owns. In an active/passive pair the HA state is determined over HA1, so 'active' and 'passive' can display correctly while HA2 is down and no sessions are being copied, which is exactly the symptom described.

Check it with show high-availability state (the HA2 section reports link and connection status) and show high-availability state-synchronization, and verify both peers use the same HA2 transport (ethernet, ip or udp) and, if enabled, the same HA2 keep-alive settings.

Exam trap

The trap here is assuming that a correct active/passive display proves all HA links are healthy. State comes from HA1, session replication comes from HA2, and HA3 is an active/active feature with no role in an active/passive pair.

How to eliminate wrong answers

Option A is wrong because HA3 carries forwarded packets between active/active peers and is not used for session synchronization in active/passive mode. Option C is wrong because management API access on the passive firewall is unrelated to session synchronization, which is a dataplane function over HA2. Option D is wrong because differing logging settings do not affect session table replication; they would at most be flagged as a configuration mismatch between the peers.

26
Multi-Selectmedium

A network engineer is troubleshooting high latency on the firewall. Which THREE commands from the CLI should be used to identify potential bottlenecks? (Choose three.)

Select 3 answers
A.show running resource-monitor
B.show session info
C.show log traffic
D.show system resources
E.show counter global
AnswersA, D, E

This command shows dataplane resource utilization, useful for identifying CPU/memory bottlenecks.

Why this answer

Options A, D and E are correct. show running resource-monitor reports dataplane CPU load per core together with session, packet buffer and packet descriptor utilisation over time (per-second, minute, hour, day and week views); show counter global, normally filtered with show counter global filter severity drop, exposes the drop counters that explain where packets are being lost; and show system resources shows management-plane CPU, memory and per-process load in top format. Option B is incorrect because show session info reports session table counts and timers, useful context but not a bottleneck indicator on its own. Option C is incorrect because show log traffic reads historical logs rather than live resource state.

27
MCQeasy

A user complains that they cannot access internal resources via GlobalProtect. The firewall shows the user is connected with an IP address from the tunnel pool. Which log type should the administrator check first to determine if traffic is being allowed or denied?

A.System logs.
B.Traffic logs.
C.Threat logs.
D.User-ID logs.
AnswerB

Traffic logs record every session, including action (allow/deny), source/destination, and application.

Why this answer

The administrator should check Traffic logs first because they record every session attempt, showing whether traffic was allowed or denied based on security policies. Since the user is connected with a tunnel IP, the issue is likely policy-based, and Traffic logs provide the source, destination, and action (allow/deny) for each session, directly revealing if the traffic is being blocked.

Exam trap

The trap here is that candidates may think User-ID logs (Option D) are relevant because the user is connected, but User-ID logs only show authentication mappings, not traffic policy decisions.

How to eliminate wrong answers

Option A is wrong because System logs record system-level events (e.g., process restarts, configuration changes) and do not show per-session allow/deny decisions for user traffic. Option C is wrong because Threat logs capture only traffic that matches intrusion prevention or antivirus signatures, not general allow/deny decisions. Option D is wrong because User-ID logs map usernames to IP addresses but do not indicate whether traffic is permitted or denied by security policies.

28
MCQmedium

An organization is migrating from a legacy firewall to a Palo Alto Networks firewall and needs to ensure that all existing application-based policies are accurately replicated. The engineer exports the configuration from the old firewall and imports it using the 'Config Audit' feature. After import, the engineer notices that many security policy rules have the application set to 'any' instead of the specific applications from the old firewall. What is the most likely reason?

A.The old firewall did not support application identification, so the import process defaulted to 'any'.
B.The import process uses a different naming convention for applications, causing a mismatch.
C.The administrator did not correctly map the old firewall's application signatures to Palo Alto Networks application IDs during the migration.
D.The 'Config Audit' tool does not import applications; it only identifies rule conflicts.
AnswerC

Without proper mapping, the import process cannot translate legacy app signatures to PAN-OS app IDs, resulting in 'any'.

Why this answer

Option C is correct because Config Audit compares configurations; it does not translate a third-party vendor's application definitions into App-IDs. Until the administrator maps each legacy application to its App-ID equivalent, the imported rules carry 'any' in the application field. In practice this mapping is done in Palo Alto Networks' Expedition migration tool rather than in Config Audit, which on the firewall (Device > Config Audit) is a diff viewer between two configuration versions.

Exam trap

The trap here is that candidates assume the 'Config Audit' feature automatically converts all legacy application definitions to Palo Alto Networks App-IDs, when in fact it only audits configuration differences and requires manual mapping for application-specific policies.

How to eliminate wrong answers

Option A is wrong because the question states the old firewall had application-based policies, so it supported application identification; the rules default to 'any' because of missing mapping, not because the source lacked application awareness. Option B is wrong because a naming mismatch is only one symptom of the underlying problem: no tool matches or translates legacy application names for you, so the field stays 'any' until a mapping is supplied. Option D is wrong in the question's framing because the issue is not that applications are ignored outright; legacy application definitions simply have no automatic App-ID equivalent, so the field falls back to 'any' until mapped.

29
Multi-Selecthard

Which THREE are common causes of high CPU utilization on a Palo Alto Networks firewall? (Choose three.)

Select 3 answers
A.Large number of dynamic IP address group lookups.
B.Inefficient security policy rules causing excessive session processing.
C.Insufficient disk space on the log partition.
D.Excessive logging due to very frequent session matches.
E.BGP prefix flapping causing route recalculations.
AnswersA, B, D

Dynamic group lookups can be CPU intensive.

Why this answer

Option A: dynamic address group membership is resolved from tags (registered through the XML API, VM Information Sources or auto-tagging); large or rapidly changing groups force frequent policy re-evaluation and constant tag processing on the management plane, a known source of sustained CPU load. Option B: broad or poorly ordered rules push more sessions through expensive matching and App-ID inspection, raising dataplane CPU. Option D: logging every match on very busy rules, especially logging at session start as well as end, loads the management plane's log receiver. Note that dynamic address groups do not involve LDAP; directory queries belong to User-ID group mapping.

Exam trap

The trap here is that candidates often confuse disk space issues (Option C) with CPU utilization, but disk space problems affect storage and logging, not CPU directly, while BGP flapping (Option E) is a control-plane issue that is less commonly cited as a top cause of high CPU in Palo Alto Networks documentation.

30
MCQhard

A financial institution operates a pair of PA-5260 firewalls in active/active HA using Virtual Wire mode. They are experiencing intermittent asymmetric traffic flows causing session setup failures. The firewall logs show sessions being created with a one-sided flow. Which configuration change is most likely to resolve this issue?

A.Enable symmetric return on the virtual wire interfaces.
B.Disable session offloading between the HA peers.
C.Set the HA timer to asymmetric routing active/passive mode.
D.Configure session distribution to use IP hash instead of round-robin.
AnswerD

IP hash ensures all packets of a session go to the same firewall, preventing asymmetric flow issues.

Why this answer

Option D is correct because distributing session setup by IP hash (source and destination address) sends both directions of a flow to the same peer, which removes the asymmetry; in PAN-OS the active/active session setup choices are Primary Device, First Packet, IP Modulo and IP Hash, and the round-robin distribution in the scenario has no flow affinity, which is what produces one-sided flows. Option A is incorrect because 'symmetric return' is a Policy-Based Forwarding option, not a Virtual Wire interface setting, and it does not control which HA peer owns a session. Option B is incorrect because session offload concerns the hardware fast path for established sessions on one firewall, not which peer owns the two directions of a flow. Option C is incorrect because no HA timer setting for asymmetric routing exists.

Note that active/active deployments still rely on the HA3 link, over which a peer forwards packets for sessions owned by the other peer; a missing or misconfigured HA3 link also breaks asymmetric flows.

31
Multi-Selecthard

A security engineer is investigating a potential data exfiltration incident. The firewall logs show that a host in the DMZ made outbound connections to multiple external IPs on port 443, but the traffic was allowed. The engineer wants to review detailed session information including the amount of data transferred and the application used. Which three log types or tools should the engineer use? (Choose three.)

Select 3 answers
A.App-ID logs.
B.Packet capture feature.
C.System logs.
D.URL filtering logs.
E.Traffic logs.
AnswersA, B, E

App-ID logs show the application identified for each session.

Why this answer

App-ID logs (option A) are correct because they provide detailed information about the application associated with each session, which is critical for identifying the specific application used in the outbound connections. Traffic logs (option E) are correct because they record session-level details including source/destination IPs, ports, and the amount of data transferred (bytes sent/received). The packet capture feature (option B) is correct because it allows the engineer to capture and inspect the actual packets for forensic analysis, revealing the exact data payload and application behavior.

Exam trap

The trap here is that candidates often confuse URL filtering logs with traffic logs, thinking URL filtering provides session data transfer details, but URL filtering only logs URL categories and not byte counts or application identity.
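Added example, not from the original page: triage of Traffic log rows for the exfiltration scenario above. The rows are constructed and the column set is a subset of a real Traffic log export; application identity is read from the app column of the Traffic log, which is where a firewall records it. The thresholds in rank_exfil_candidates are arbitrary assumptions for the example.

```python
"""Added example: triage of constructed Traffic log rows for outbound data
volume from a DMZ host. Not firewall code; thresholds are assumptions."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows, not real logs. Columns are a subset of a
# PAN-OS Traffic log export; app is the App-ID recorded for the session.
SAMPLE_LOG = """receive_time,src,dst,dport,app,action,bytes_sent,bytes_received,src_zone,dst_zone
2024/05/01 02:00:01,172.16.0.25,203.0.113.10,443,ssl,allow,52428800,4096,DMZ,Untrust
2024/05/01 02:03:12,172.16.0.25,198.51.100.7,443,ssl,allow,31457280,2048,DMZ,Untrust
2024/05/01 02:05:44,172.16.0.25,192.0.2.9,443,web-browsing,allow,20971520,1024,DMZ,Untrust
2024/05/01 02:06:10,172.16.0.40,203.0.113.50,443,ssl,allow,8192,1048576,DMZ,Untrust
2024/05/01 02:07:00,10.1.1.10,172.16.0.25,443,ssl,allow,4096,8192,Internal,DMZ
"""


def parse_traffic_log(text):
    """Parse CSV rows into dicts with numeric port and byte fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        for key in ("dport", "bytes_sent", "bytes_received"):
            row[key] = int(row[key])
    return rows


def outbound_summary(rows, src_zone="DMZ", dport=443):
    """Per-source totals for allowed sessions leaving src_zone on dport."""
    summary = defaultdict(lambda: {"bytes_sent": 0, "bytes_received": 0,
                                   "destinations": set(), "apps": set()})
    for row in rows:
        if (row["src_zone"] != src_zone or row["dport"] != dport
                or row["action"] != "allow"):
            continue
        entry = summary[row["src"]]
        entry["bytes_sent"] += row["bytes_sent"]
        entry["bytes_received"] += row["bytes_received"]
        entry["destinations"].add(row["dst"])
        entry["apps"].add(row["app"])
    for entry in summary.values():
        # Upload-heavy sessions on 443 are the exfiltration signature here.
        entry["sent_to_received"] = round(
            entry["bytes_sent"] / max(entry["bytes_received"], 1), 1)
    return dict(summary)


def rank_exfil_candidates(summary, min_bytes_sent=10 * 1024 * 1024,
                          min_destinations=2):
    """Sources that sent at least min_bytes_sent to at least min_destinations
    hosts, highest volume first. Thresholds are arbitrary for the example."""
    hits = [(src, s) for src, s in summary.items()
            if s["bytes_sent"] >= min_bytes_sent
            and len(s["destinations"]) >= min_destinations]
    hits.sort(key=lambda item: item[1]["bytes_sent"], reverse=True)
    return [src for src, _ in hits]


if __name__ == "__main__":
    summary = outbound_summary(parse_traffic_log(SAMPLE_LOG))
    for src in rank_exfil_candidates(summary):
        s = summary[src]
        print(src, s["bytes_sent"], "bytes to", len(s["destinations"]),
              "hosts via", sorted(s["apps"]), "ratio", s["sent_to_received"])
```

The summary is the starting point, not the conclusion: the ranked source and its destination list tell you which sessions to pull with the firewall's packet capture feature so that payload and application behaviour can be examined, which is the role of option B above.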

32
Multi-Selecthard

Which TWO of the following are valid considerations when configuring Log Forwarding for Panorama? (Choose two.)

Select 2 answers
A.Log forwarding must use TLS encryption
B.Log forwarding requires an external syslog server
C.Log forwarding supports sending logs to multiple destinations
D.Log forwarding can be configured per security policy rule
E.Log forwarding can only send logs to a single Panorama collector
AnswersC, D

Destinations can include Panorama, syslog, email, etc.

Why this answer

Option C is correct because a Log Forwarding profile can send matching logs to several destinations at once: Panorama or a Log Collector, syslog, email, SNMP trap and HTTP. Option D is correct because the profile is attached to an individual security policy rule (Actions tab), so forwarding can be decided rule by rule. Option A is wrong because encryption to Panorama is part of the firewall-to-Panorama connection and TLS for syslog is optional, not mandatory; Option B is wrong because no external syslog server is required; Option E is wrong because a firewall can be given a preference list of several Log Collectors in a collector group.

Exam trap

The trap here is that candidates assume Log Forwarding is limited to a single destination or requires a syslog server, but Panorama actually supports multiple destinations and various log types without mandating syslog or TLS.

33
Multi-Selectmedium

Which THREE steps should be performed when upgrading an active/passive HA pair to a new PAN-OS version?

Select 3 answers
A.Make the passive firewall active after its upgrade, then upgrade the original active.
B.Upgrade both firewalls at the same time to minimize downtime.
C.Suspend the HA pair's synchronization.
D.Upgrade the passive firewall first.
E.Reconfigure the HA3 link after the upgrade.
AnswersA, C, D

After upgrading the passive, perform a failover so it becomes active, then upgrade the original active.

Why this answer

Options D, A and C together describe the supported sequence for an active/passive pair. Disable preemption first, then upgrade the passive firewall and let it reboot (Option D). Suspend the active peer (Device > High Availability > Operational Commands > Suspend local device) so that the upgraded peer takes over as active (Options C and A describe this step from two angles). Upgrade the original active peer, now passive, then return it to the functional state. One peer passes traffic throughout, which is why upgrading both at once (Option B) is wrong. Two caveats: session state is replicated over the HA2 data link, not HA3 (HA3 is the active/active packet forwarding link and needs no reconfiguration, so Option E is wrong), and session synchronization is only supported between peers running compatible PAN-OS versions, so the failover during the mixed-version window of a major upgrade is not fully stateful.

Exam trap

The trap here is that candidates often assume both firewalls must be upgraded simultaneously to minimize downtime, but the correct approach is a sequential upgrade with a controlled failover to maintain session state and redundancy.

34
MCQmedium

A network administrator is troubleshooting an issue where HTTPS traffic to a particular website is being blocked. The security policy rule allows SSL traffic to that website. The firewall logs show the traffic is being blocked by the URL Filtering profile. The URL Filtering profile is set to allow the category 'Business-and-Economy'. The website belongs to the category 'Shopping'. What action should the administrator take?

A.Change the security policy rule to use a different URL Filtering profile.
B.Disable URL Filtering for that traffic flow.
C.Create a custom URL category for the website and set it to allow.
D.Add the website's IP address to the URL Filtering exclude list.
AnswerC

This precisely allows the specific website while maintaining the overall URL filtering profile.

Why this answer

Option C is correct because a custom URL category containing the site, set to allow in the URL Filtering profile, permits exactly that site while the Shopping category stays blocked for everything else; a custom category takes precedence over the predefined category when a URL matches both. Option A is incorrect because swapping in another profile changes behaviour for all traffic the rule covers. Option B is incorrect because removing URL Filtering from the flow drops that protection entirely.

Option D is incorrect because URL Filtering matches on the hostname and URL, not the IP address, and websites routinely change or share IP addresses, so an IP-based exclusion is both unreliable and over-broad.

35
MCQeasy

An organization has a pair of PA-5250 firewalls in active/passive HA. During a maintenance window, the active firewall is rebooted. After the reboot, the firewall that was passive becomes active and passes traffic. However, the other firewall remains in a non-functional state and shows 'unknown' as HA state. The administrator checks the HA configuration and finds both firewalls have the same HA settings. What is the most likely issue?

A.The backup firewall has a different software version.
B.The floating IP addresses are not configured.
C.The HA keepalive timer is too short.
D.The HA control link is down or misconfigured.
AnswerD

A functional control link is essential for HA communication; if down, the peer shows 'unknown'.

Why this answer

Option D is correct because the HA1 control link carries the hello and heartbeat messages the peers use to learn each other's state; if HA1 is down or misconfigured after the reboot, the peer's state is reported as 'unknown'. Option A is incorrect because a software version mismatch is flagged as such in the HA status, with the peer shown as non-functional, rather than as 'unknown'. Option B is incorrect because floating IP addresses affect which peer answers for a shared address, not HA state detection.

Option C is incorrect because an overly short hello or heartbeat timer produces flapping or spurious failovers, not a persistent 'unknown' state.

36
MCQeasy

A network administrator notices that traffic from a specific IP address is being blocked unexpectedly. The traffic is allowed in the security policy. What is the most likely cause?

A.The source zone is incorrectly assigned.
B.The application override is misconfigured.
C.The profile settings for the security policy are blocking the traffic.
D.The IP address is on a block list in the External Dynamic List (EDL).
AnswerD

An EDL is an address object; a deny rule that references it and sits above the allow rule matches first.

Why this answer

Option D is correct because an External Dynamic List is an address object; when a deny rule that references the EDL sits above the rule that allows the traffic, the deny matches first and the allow rule is never reached. Confirm it in the Traffic log, where the Rule column names the deny rule, and list the current EDL members with request system external-list show type ip name <list-name>. Option A is less likely because a wrong source zone would change the rule match for all traffic from that interface, not for one address. Option B is less likely because an application override changes the App-ID, not whether one address is denied. Option C is possible when the block comes from a security profile, but then it appears in the Threat or URL Filtering log rather than as a denied session in the Traffic log.

37
Multi-Selecteasy

An administrator needs to configure a firewall to send email alerts when a specific security policy rule is triggered. Which two configuration elements are required? (Choose two.)

Select 2 answers
A.A 'Security Policy' rule with 'Log at Session End' enabled.
B.An 'Email Server' profile configured with SMTP server details.
C.A 'Log Forwarding' profile that includes email notification.
D.A 'Panorama' template to push the configuration.
E.A 'User-ID' agent to identify users.
AnswersB, C

This profile is referenced by the log forwarding profile to send the email.

Why this answer

Options B and C are correct. The Email Server profile defines the SMTP server and recipients, and the Log Forwarding profile references it so that Traffic logs matching the rule are emailed. The security policy rule must have logging enabled and the Log Forwarding profile selected under Actions, but the two elements that actually produce the email are the Log Forwarding profile and the Email Server profile; Panorama templates (Option D) and User-ID (Option E) are unrelated.

38
MCQhard

Refer to the exhibit. The firewall is active in an HA pair, but the peer is non-functional. The HA2 link is down. What is the most likely cause of the peer being non-functional?

A.The HA3 link is down
B.The HA2 link is down, preventing session synchronization
C.The peer firewall is running a different PAN-OS version
D.The HA1 link is down
AnswerC

Version mismatch causes non-functional state.

Why this answer

Option C is correct because when an HA pair detects a version mismatch between peers, the firewall with the higher PAN-OS version will not form an active/passive HA state and will remain non-functional (or in a 'non-functional' state) to prevent configuration or session incompatibilities. The HA2 link being down is a separate issue that affects session synchronization but does not cause the peer to be completely non-functional; the peer can still operate with reduced HA capabilities. A version mismatch is a critical condition that prevents HA peering entirely, leading to one peer appearing non-functional.

Exam trap

The trap here is that candidates often assume a down HA2 link directly causes a peer to be non-functional, but in reality, HA2 only affects session sync, not the firewall's ability to operate or form an HA pair, whereas a version mismatch is a hard blocker for HA formation.

How to eliminate wrong answers

Option A is wrong because the HA3 link is used for packet forwarding (active/active HA) and is not required for basic HA peering or state determination; its absence would not cause a peer to be non-functional. Option B is wrong because the HA2 link being down only prevents session synchronization (stateful failover), but the peer can still function as a standalone firewall and participate in HA heartbeats over HA1; it does not render the peer non-functional. Option D is wrong because the HA1 link is the control link used for heartbeats and configuration synchronization; if it were down, the firewalls would not detect each other, but the question states the HA2 link is down, not HA1, and the peer being non-functional is attributed to a version mismatch, not a missing HA1 link.

39
MCQmedium

An administrator is troubleshooting high CPU usage on a PA-5250 firewall. The CPU usage spikes every 5 minutes. Which CLI command should be used to identify the process causing the spike?

A.show session all
B.show dataplane
C.show running resource-monitor
D.show system resources
AnswerD

Shows per-process CPU usage on the management plane in top format.

Why this answer

show system resources prints the management plane's top output: load average, memory, and one line per process with its %CPU. Running it (or show system resources follow, which refreshes continuously) while the spike occurs names the process responsible, which is what the question asks for. If the spike is on the dataplane rather than the management plane, show running resource-monitor minute last 60 shows per-core dataplane CPU for the last hour and makes a five-minute periodic pattern visible, but it reports cores and resource pools, not processes.

Exam trap

The trap here is that candidates reverse the two commands: show running resource-monitor is the dataplane view (CPU per core plus packet buffer, descriptor and session utilisation over time), while show system resources is the management-plane view with the per-process breakdown.

How to eliminate wrong answers

Option A is wrong because show session all lists sessions, not CPU consumers, and is itself expensive on a busy firewall. Option B is wrong because there is no per-process view under a show dataplane command; dataplane diagnostics are reached through show running resource-monitor and show counter global. Option C is wrong for this question because show running resource-monitor reports dataplane CPU per core and resource utilisation over time; it does not attribute load to a process.

40
MCQmedium

A team uses the Panorama API to generate custom reports. They need to retrieve a list of all rules that have logging at session end enabled. Which API endpoint should be used?

A.GET /api/?type=config&action=get&xpath=/config/devices/entry/vsys/entry/rulebase/security/rules
B.GET /api/?type=op&cmd=<show><log></log></show>
C.GET /api/?type=config&action=get&xpath=/config/shared/log-settings
D.GET /api/?type=report&reporttype=predefined
AnswerA

This xpath retrieves security rules, including the log-end attribute.

Why this answer

Option A is correct because type=config&action=get with the security rulebase XPath returns each rule as an <entry>, including its <log-end> element (alongside <log-start> and <log-setting>), so the report is a matter of filtering entries where log-end is yes. Option B is an operational command, not a configuration read. Option C returns the shared log settings (log forwarding profiles and system log destinations), not rules. Option D runs predefined reports and cannot be filtered on rule attributes. Two practitioner caveats: action=get reads the running configuration while action=show reads the candidate, and on Panorama itself the rules live under a device group, for example /config/devices/entry/device-group/entry[@name='DG']/pre-rulebase/security/rules, rather than the vsys path shown, which is the XPath on a firewall.
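Added example (not Panorama's code): building the XML API request for the rulebase and extracting the rules that log at session end. The API response is a constructed sample so the code runs offline; the host, API key and device-group name are placeholders. Treating a missing <log-end> element as the default of 'yes' is an assumption stated in the code.

```python
"""Added example: PAN-OS XML API request for the security rulebase and a
parser that lists rules with log-end enabled. The response is a constructed
sample; host, key and device-group name are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# XPath on a firewall (as in option A) and the device-group form on Panorama.
FIREWALL_XPATH = "/config/devices/entry/vsys/entry/rulebase/security/rules"
PANORAMA_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/device-group/entry[@name='DG-Branch']"   # assumed device group
                  "/pre-rulebase/security/rules")


def config_get_url(host, api_key, xpath):
    """action=get reads the running config; action=show would read the candidate."""
    query = urlencode({"type": "config", "action": "get", "xpath": xpath, "key": api_key})
    return "https://%s/api/?%s" % (host, query)


# Constructed response, shaped like a successful config get.
SAMPLE_RESPONSE = """<response status="success" code="19">
<result total-count="1" count="1"><rules>
  <entry name="Allow-Web"><action>allow</action><log-start>no</log-start><log-end>yes</log-end></entry>
  <entry name="Allow-DNS"><action>allow</action><log-end>no</log-end></entry>
  <entry name="Allow-Legacy"><action>allow</action></entry>
  <entry name="Deny-Risky"><action>deny</action><log-end>yes</log-end>
    <log-setting>To-Panorama</log-setting></entry>
</rules></result></response>"""


def rules_with_log_end(xml_text):
    """Names of rules that log at session end, in rulebase order."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or "unknown error"
        raise ValueError("API error %s: %s" % (root.get("code"), msg))
    names = []
    for entry in root.iterfind(".//rules/entry"):
        node = entry.find("log-end")
        # Assumption: an absent <log-end> means the default, which is 'yes'
        # (Log at Session End is on by default for a new rule).
        value = node.text.strip().lower() if node is not None and node.text else "yes"
        if value == "yes":
            names.append(entry.get("name"))
    return names


if __name__ == "__main__":
    print(config_get_url("panorama.example.net", "<api-key>", PANORAMA_XPATH))
    print(rules_with_log_end(SAMPLE_RESPONSE))
```

Fetching the URL with any HTTPS client and passing the body to rules_with_log_end completes the report; the error branch matters because a wrong key or XPath comes back as an HTTP 200 with status="error", not as a transport failure.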

41
Multi-Selectmedium

Which THREE are valid methods to collect logs from a firewall to Panorama? (Choose three.)

Select 3 answers
A.Configuring the firewall to send syslog to Panorama's log collector.
B.Using a dedicated Log Collector (in Panorama 10.0+).
C.Using the Panorama collector agent on the Panorama server.
D.Using the REST API to pull logs from the firewall to Panorama.
E.Logging to a remote syslog server and importing CSV files to Panorama.
AnswersA, B, C

Firewalls can forward logs via syslog to Panorama's collector.

Why this answer

Option A is the intended answer in the question's framing: the firewall forwards its logs to Panorama or to a Log Collector, which aggregates them for Panorama. Strictly, this uses the encrypted Panorama connection (TCP 3978) selected in the Log Forwarding profile rather than the syslog protocol; syslog is the format used for third-party SIEM destinations.

Exam trap

The trap here is that candidates may confuse the REST API's configuration role with log collection, or assume a CSV import exists, when in fact Panorama receives firewall logs only through its own log forwarding channel to Panorama or its Log Collectors.

42
MCQmedium

A firewall is dropping traffic that should be allowed. The security policy appears correct. An administrator checks the session table and notices the session state is 'CLOSE'. What is the most likely cause of the traffic being dropped?

A.The server is sending a FIN/RST prematurely due to application layer issues.
B.A deny all security policy is blocking the traffic.
C.Asymmetric routing is causing the session to be torn down.
D.Packet buffer exhaustion on the firewall is causing drops.
AnswerA

A CLOSE state indicates a normal termination, often due to FIN or RST from one side.

Why this answer

Option A is correct because a session in the CLOSE state has already been terminated by the firewall, normally after it saw a FIN or RST from one side; if the server closes the connection early because of an application-layer problem, clients see failures even though policy allowed the session. Option B is wrong because a session matched by a deny rule appears in the DISCARD state and the Traffic log records the action as deny.

Option C is wrong because asymmetric routing usually shows up as sessions that never reach ACTIVE or as non-SYN TCP drops (for example the flow_tcp_non_syn_drop global counter), not as a cleanly closed session. Option D is wrong because packet buffer exhaustion affects traffic across the firewall and is visible in show running resource-monitor and the packet buffer drop counters, not as a CLOSE state on specific sessions.

43
MCQeasy

An administrator wants to see only the candidate configuration changes that have not yet been committed. Which CLI command should be used?

A.show configuration running
B.show configuration sessions all
C.show configuration sessions changes
D.show configuration candidate
AnswerC

This displays only the uncommitted changes.

Why this answer

The 'show configuration sessions changes' command displays the uncommitted candidate configuration changes for the current administrative session. This is the intended answer because it shows only the modifications made to the candidate configuration but not yet committed to the running configuration. Practitioner note: the command most commonly used for this on PAN-OS is show config diff, which prints the differences between the candidate and the running configuration.

Exam trap

The trap here is that candidates confuse 'show configuration candidate' (which is not a valid command) with the correct 'show config candidate' command, or they mistakenly think 'show configuration running' or 'show configuration sessions all' will show uncommitted changes, when in fact only 'show configuration sessions changes' provides the diff of pending modifications.

How to eliminate wrong answers

Option A is wrong because 'show configuration running' displays the currently active running configuration, not the uncommitted candidate changes. Option B is wrong because 'show configuration sessions all' lists all active configuration sessions and their metadata, but does not show the actual configuration changes. Option D is wrong because 'show configuration candidate' is not a valid CLI command on Palo Alto Networks firewalls; the correct command to view the entire candidate configuration is 'show config candidate' (without 'uration'), but this shows the full candidate config, not just the uncommitted changes.

44
MCQ · medium

Refer to the exhibit. Which SSL protocol version is blocked as per this decryption profile?

A. TLS 1.1
B. TLS 1.0
C. TLS 1.3
D. TLS 1.2
Answer: A

The profile explicitly blocks TLS 1.1.

Why this answer

The decryption profile in the exhibit shows 'TLS 1.1' explicitly selected under 'Block SSL/TLS Versions,' meaning any session attempting to negotiate TLS 1.1 will be blocked. This is a direct configuration setting in Palo Alto Networks firewalls where you can selectively block specific SSL/TLS protocol versions to enforce stronger cryptographic standards.

Exam trap

Palo Alto Networks often tests the ability to read the exhibit carefully—candidates may assume that because TLS 1.1 is a deprecated protocol, the question is about which version is allowed, or they might confuse the 'Block' list with the 'Allow' list, leading them to pick TLS 1.0 or TLS 1.2 as the blocked version.

How to eliminate wrong answers

Option B is wrong because TLS 1.0 is not selected in the exhibit; only TLS 1.1 is checked, so TLS 1.0 remains allowed unless explicitly blocked. Option C is wrong because TLS 1.3 is not listed in the block options (the exhibit only shows TLS 1.0, 1.1, and 1.2), and it is not selected. Option D is wrong because TLS 1.2 is not checked in the exhibit; it is allowed by default unless explicitly blocked.

45
MCQ · medium

A firewall is configured with two ISPs for redundancy. The administrator wants to ensure that traffic from internal users is load-balanced across both links based on source IP. Which configuration method should be used?

A. Static routes with different metrics
B. Policy-Based Forwarding (PBF)
C. Path monitoring
D. ECMP with source IP hash
Answer: D

ECMP with source IP hash load-balances traffic across equal-cost paths.

Why this answer

D is correct because ECMP (Equal-Cost Multi-Path) with source IP hash enables the firewall to load-balance traffic across multiple equal-cost routes by hashing the source IP address, ensuring that all packets from the same source IP consistently use the same link. This method provides per-source-IP stickiness while distributing traffic across both ISPs, meeting the requirement for load balancing based on source IP.

Exam trap

The trap here is that candidates often confuse Policy-Based Forwarding (PBF) with load balancing, but PBF is for policy-based routing decisions, not for distributing traffic across equal-cost paths based on source IP hash.

How to eliminate wrong answers

Option A is wrong because static routes with different metrics create an active/passive failover scenario, not load balancing; traffic will only use the route with the lower metric unless it fails. Option B is wrong because Policy-Based Forwarding (PBF) is used for traffic steering based on policies (e.g., application, destination), not for load balancing based on source IP hash across equal-cost paths. Option C is wrong because path monitoring is a feature to detect link failures and trigger route changes, not a method for distributing traffic across multiple active links.

46
Multi-Select · easy

Which TWO are required for SNMP monitoring of a Palo Alto Networks firewall? (Choose two.)

Select 2 answers
A. Enable SNMP on the firewall (set snmp-server enable).
B. Specify an SNMP trap destination.
C. Define an SNMP v3 user with authentication.
D. Create an SNMP trap profile for high CPU.
E. Configure an SNMP community string (set snmp-server community public).
Answers: A, E

The SNMP service must be enabled.

Why this answer

Option A is correct because SNMP monitoring requires the SNMP agent to be enabled on the firewall. The command 'set snmp-server enable' activates the SNMP service, allowing the firewall to respond to SNMP queries from a management station. Without this, no SNMP communication can occur regardless of other configurations.

Exam trap

The trap here is that candidates often confuse optional SNMP features (like traps or v3 authentication) with the mandatory prerequisites for basic SNMP monitoring, leading them to select unnecessary options like trap destinations or v3 users.

47
MCQ · hard

An administrator has applied the above configuration on a firewall. What will happen to traffic destined to TCP port 2525?

A. All traffic on TCP port 2525 will be classified as the application 'smtp'.
B. The firewall will perform deeper inspection to identify the application.
C. The traffic will be blocked because the application is unknown.
D. The traffic will be treated as generic TCP and passed without inspection.
Answer: A

The application override forces identification as SMTP.

Why this answer

Option A is correct because the firewall's application override configuration explicitly maps TCP port 2525 to the application 'smtp'. When an application override is applied, the firewall bypasses App-ID and classifies all traffic matching the specified port and protocol as the defined application, regardless of the actual payload. This means any traffic on TCP port 2525 will be treated as SMTP traffic for policy enforcement and inspection purposes.

Exam trap

The trap here is that candidates may assume the firewall always performs deep packet inspection to identify applications, but application override explicitly disables App-ID for the specified traffic, forcing a static classification.

How to eliminate wrong answers

Option B is wrong because when an application override is configured, the firewall does not perform deeper inspection to identify the application; it skips App-ID entirely and uses the static mapping. Option C is wrong because the traffic will not be blocked due to an unknown application; the override ensures it is classified as 'smtp', so it will be allowed or denied based on security policy rules referencing that application. Option D is wrong because the traffic is not treated as generic TCP; the application override forces it to be identified as 'smtp', which means it will be subject to any application-specific security policies and threat inspections.

48
MCQ · medium

An administrator receives an alert that a firewall's disk usage is at 85%. The administrator wants to reduce disk usage by automatically deleting older log files. Which action should be taken?

A. Add an external disk to the firewall
B. Configure log export and auto-deletion in Log Settings
C. Disable logging for non-critical traffic
D. Manually delete logs from the CLI
Answer: B

Log Settings allow automatic deletion of old logs.

Why this answer

Option B is correct because the firewall's log settings allow administrators to configure automatic log export and auto-deletion policies. By enabling log export to an external server (e.g., syslog) and setting a retention period or disk usage threshold, the firewall will automatically purge older log files when disk usage reaches a specified limit, such as 85%. This directly addresses the need to reduce disk usage without manual intervention or disabling logging.

Exam trap

The trap here is that candidates may confuse 'adding external storage' (Option A) as a solution for disk usage, but the question specifically asks for automatic deletion of older logs, not just expanding capacity.

How to eliminate wrong answers

Option A is wrong because adding an external disk does not automatically delete older logs; it only provides additional storage, which may delay but not solve the underlying issue of log growth. Option C is wrong because disabling logging for non-critical traffic reduces visibility and is not a targeted method for managing disk usage; it also violates best practices for security monitoring. Option D is wrong because manually deleting logs from the CLI is a reactive, non-automated approach that requires ongoing administrative effort and does not provide a sustainable solution for automatic log rotation.

49
MCQ · easy

A network administrator notices that traffic logs are not being sent to the external Syslog server. The log forwarding profile is configured correctly. Which CLI command should be used to verify the Syslog server connectivity from the firewall?

A. show log forwarding
B. show system setting
C. test syslog
D. ping <syslog_server_ip>
Answer: C

This command sends a test Syslog message to confirm reachability and configuration.

Why this answer

The 'test syslog' command is specifically designed to verify Syslog server connectivity from the firewall by sending a test message and confirming receipt. Even if the log forwarding profile is correctly configured, network issues or server unavailability can prevent logs from being sent, and this command directly tests the Syslog transport (UDP 514 or TCP 6514) without relying on other services.

Exam trap

The trap here is that candidates confuse basic network connectivity (ping) with application-layer service verification, assuming a successful ping means Syslog will work, but Syslog requires the specific port to be open and the service to be running.

How to eliminate wrong answers

Option A is wrong because 'show log forwarding' displays the log forwarding profile configuration (e.g., server IP, port, format) but does not actively test connectivity or send a test message. Option B is wrong because 'show system setting' shows general system parameters (e.g., hostname, time zone) and has no capability to test Syslog server reachability. Option D is wrong because 'ping' tests ICMP echo requests to the server IP, which only verifies basic network layer reachability; it does not confirm that the Syslog service (UDP/TCP port) is listening or that the firewall can send Syslog messages to it.

50
MCQ · medium

What does the session state 'SYN_SENT' indicate about this traffic flow?

A. The session has been torn down by the server.
B. The firewall has sent a SYN packet and is waiting for a response.
C. The traffic is being dropped due to asymmetric routing.
D. The application has been identified as incomplete.
Answer: B

SYN_SENT indicates the firewall is in the process of opening a connection.

Why this answer

The SYN_SENT session state in a Palo Alto Networks firewall indicates that the firewall has sent a SYN packet to initiate a TCP three-way handshake and is awaiting a SYN-ACK response from the remote host. This state is part of the firewall's session setup process, where it tracks the TCP connection state machine to ensure proper traffic flow. It does not imply a teardown, asymmetric routing drop, or incomplete application identification.

Exam trap

The trap here is that candidates confuse SYN_SENT with a session teardown state or assume it indicates a problem like asymmetric routing, when in fact it is a normal transient state during TCP connection setup that only becomes problematic if it persists beyond the timeout.

How to eliminate wrong answers

Option A is wrong because a session torn down by the server would show states like FIN_WAIT, CLOSE_WAIT, or TIME_WAIT, not SYN_SENT, which is an initial handshake state. Option C is wrong because asymmetric routing typically causes sessions to be in a 'half-open' state or show as 'drop' due to security policy mismatch, not SYN_SENT; SYN_SENT is a normal transient state during connection establishment. Option D is wrong because application identification occurs after the TCP handshake completes and data is exchanged; SYN_SENT is too early in the flow for app-ID to be determined, and an 'incomplete' application would be flagged later, not at this stage.

51
MCQ · medium

A company has configured User-ID with Active Directory polling. Some users cannot access resources even though their security policy rules appear correct. The administrator verifies that the User-ID agent is connected and polling. What additional step should the administrator take?

A. Restart the User-ID agent service.
B. Check the firewall's management plane CPU usage.
C. Ensure the firewall has a license for User-ID.
D. Verify that the user group mapping is correct.
Answer: D

Group mapping is critical for security policies based on user groups.

Why this answer

Option D is correct because even if the User-ID agent is connected and polling, the firewall may not have the correct group-to-user mappings. Without accurate group mapping, security policies that reference user groups will fail to match, causing access issues for users who are members of those groups. The administrator should verify the group mapping configuration in the User-ID agent or on the firewall to ensure users are properly associated with their groups.

Exam trap

The trap here is that candidates assume a connected and polling User-ID agent guarantees correct policy enforcement, overlooking the critical step of verifying group mapping accuracy, which is a common misconfiguration in Active Directory environments.

How to eliminate wrong answers

Option A is wrong because restarting the User-ID agent service is a generic troubleshooting step that does not address the root cause of incorrect group mapping; the agent is already connected and polling, so a restart would not fix mapping errors. Option B is wrong because checking the firewall's management plane CPU usage is relevant for performance issues, not for user authentication or group mapping problems; high CPU would not prevent users from accessing resources if policies are correct. Option C is wrong because User-ID functionality does not require a separate license; it is included with the firewall's base subscription (e.g., Threat Prevention or URL Filtering), so a missing license is not the issue here.

52
Multi-Select · easy

Which TWO methods can be used to monitor traffic passing through a Palo Alto Networks firewall?

Select 2 answers
A. Use the show session all command.
B. Enable config drift monitoring.
C. Review traffic logs under Monitor > Traffic.
D. Configure a packet capture on the dataplane.
E. Application Command Center (ACC)
Answers: C, E

Traffic logs provide detailed information on each session.

Why this answer

Option C is correct because the Monitor > Traffic log is the primary GUI-based method for reviewing detailed session logs, including source/destination IPs, ports, applications, and actions (allow/deny). Option E is correct because the Application Command Center (ACC) provides a high-level, visual dashboard for monitoring traffic patterns, top applications, and threats in near real-time, aggregating data from traffic and threat logs.

Exam trap

The trap here is that candidates often confuse the 'show session all' CLI command (which shows active sessions) with a method for monitoring traffic logs, when in fact it only displays ephemeral session state and does not provide historical or logged traffic data.

53
MCQ · hard

An organization is experiencing intermittent connectivity issues with its GlobalProtect remote access VPN. Users report that they can connect, but after a random period (20-40 minutes) the tunnel drops and reconnects. The firewall has sufficient licensing. Which setting should be reviewed first?

A. GlobalProtect gateway 'Idle Timeout' setting.
B. The 'Disconnect on Network Change' option on the client.
C. The authentication timeout on the firewall.
D. 'Tunnel Rekey' interval in the IPSec configuration.
Answer: A

A low idle timeout can disconnect sessions prematurely, and the client may reconnect automatically.

Why this answer

The 'Idle Timeout' setting on the GlobalProtect gateway controls how long an inactive session is allowed to remain connected. If this value is set too low (e.g., 20-30 minutes), the gateway will terminate the tunnel after that period of inactivity, causing the client to disconnect and immediately reconnect, which matches the described symptom of intermittent drops every 20-40 minutes. This is the most likely cause because the issue is periodic and consistent with a timeout-based disconnection, not a network change or authentication failure.

Exam trap

Palo Alto Networks often tests the distinction between 'Idle Timeout' and 'Session Timeout' on GlobalProtect gateways, and the trap here is that candidates confuse the 'Tunnel Rekey' interval (which is a seamless process) with a timeout that causes disconnection, or they incorrectly attribute the issue to client-side network change detection rather than a server-side idle timeout.

How to eliminate wrong answers

Option B is wrong because 'Disconnect on Network Change' is a client-side setting that drops the tunnel when the underlying network interface changes (e.g., switching from Wi-Fi to Ethernet), which would cause a single disconnection event, not a recurring 20-40 minute cycle. Option C is wrong because the authentication timeout on the firewall typically controls how long a user can remain authenticated before re-authentication is required, but this would affect the entire authentication session, not just the VPN tunnel, and would not cause a tunnel drop and immediate reconnect without re-authentication. Option D is wrong because 'Tunnel Rekey' interval in IPSec configuration controls how often the IPSec security associations are renegotiated; a rekey is a seamless process that does not drop the tunnel, and if misconfigured, it would cause a failure to rekey, not a periodic disconnect/reconnect pattern.

54
MCQ · hard

A firewall is experiencing slow performance. The administrator runs 'show counter global' and sees that the 'flow_aged_error_tcp_mss' counter is incrementing rapidly. What does this indicate?

A. The firewall is experiencing a SYN flood attack.
B. TCP sessions are being terminated due to MSS clamping issues.
C. There is a routing loop causing packet retransmission.
D. The firewall's hardware acceleration is failing.
Answer: B

This counter increments when the firewall actively closes sessions due to MSS mismatch.

Why this answer

The 'flow_aged_error_tcp_mss' counter increments when the firewall ages out TCP sessions due to TCP MSS (Maximum Segment Size) clamping issues. This occurs when the firewall modifies the MSS value in SYN packets to avoid fragmentation, but the actual path MTU is smaller than the clamped MSS, causing the session to be terminated prematurely. The rapid increment indicates that MSS clamping is misconfigured or the path MTU is inconsistent, leading to session failures.

Exam trap

The trap here is that candidates confuse 'flow_aged_error_tcp_mss' with general TCP session drops or attacks, but the counter specifically points to MSS clamping misconfiguration, not a flood or routing issue.

How to eliminate wrong answers

Option A is wrong because a SYN flood attack would be indicated by counters like 'flow_aged_error_tcp_syn_flood' or 'flow_tcp_syn_flood_drop', not by MSS-related aging errors. Option C is wrong because a routing loop causes packet retransmission and would be tracked by counters such as 'flow_aged_error_tcp_retransmit' or 'flow_tcp_retransmit', not by MSS-specific errors. Option D is wrong because hardware acceleration failure would manifest as high CPU usage or counters like 'flow_hw_accel_fail', not as TCP MSS aging errors.

55
MCQ · medium

Refer to the exhibit. A network engineer notices that logs for this rule are not being forwarded to the external syslog server. The syslog server profile is configured correctly. What is the most likely cause?

A. The log-setting profile "syslog-forwarding-profile" is missing from the Log Forwarding profiles configuration.
B. The rule does not specify a destination zone.
C. The log-start is set to no, preventing session start logs from being generated.
D. The application web-browsing does not generate logs.
Answer: A

The referenced Log Forwarding profile must be defined to enable forwarding.

Why this answer

The rule references a log-setting profile named "syslog-forwarding-profile". If this profile is not defined under Objects > Log Forwarding, logs will not be forwarded regardless of the server profile configuration. Option A is correct.

Option B is incorrect because destination zones are not required for logging. Option C is incorrect because log-end is set to yes, so session end logs are still generated and forwarded even without session start logs. Option D is incorrect because the web-browsing application does generate logs.

56
MCQ · easy

A firewall is experiencing performance issues. The administrator wants to collect diagnostic data for TAC analysis. Which command generates a comprehensive support file?

A. debug system dump
B. show system resources
C. show log system
D. generate tech-support file
Answer: D

This creates a support file in the opt directory.

Why this answer

The 'generate tech-support file' command collects a comprehensive archive of system logs, configuration, resource utilization, and diagnostic data into a single file, which is the standard method for providing TAC with the necessary information to analyze performance issues. This command is specifically designed for troubleshooting and support scenarios, unlike other commands that only capture partial or real-time data.

Exam trap

Palo Alto Networks often tests the distinction between commands that provide real-time snapshots (like 'show system resources') versus commands that generate a comprehensive diagnostic archive (like 'generate tech-support file'), leading candidates to mistakenly choose a command that only shows current state rather than the full dataset needed for TAC analysis.

How to eliminate wrong answers

Option A is wrong because 'debug system dump' is not a valid command on Palo Alto Networks firewalls; the correct command for generating a core dump or debug data is 'debug system core-dump', and it does not produce a comprehensive support file. Option B is wrong because 'show system resources' only displays current CPU, memory, and disk usage in real-time, which is insufficient for TAC analysis as it lacks historical logs, configuration, and other diagnostic data. Option C is wrong because 'show log system' only displays system logs from the log buffer or disk, but it does not include configuration, resource snapshots, or other critical diagnostic information needed for a full TAC investigation.

57
MCQ · hard

During a Panorama upgrade from version 9.0 to 9.1, the administrator notices that the commit fails on one of the managed firewalls with the error: 'Mismatched content version'. What is the most likely cause?

A. The administrator forgot to push dynamic updates before the upgrade.
B. The firewall has an incompatible version of content updates installed.
C. The firewall is not licensed for the new Panorama version.
D. The firewall's software version is not compatible with Panorama 9.1.
Answer: B

Panorama 9.1 requires a minimum content version on managed firewalls; if not met, commit fails.

Why this answer

Option B is correct because the 'Mismatched content version' error occurs when the content (threat/application) version on the firewall is not compatible with the Panorama version being used. During a Panorama upgrade, the content version database format may change, and if the firewall has an older or incompatible content update installed, Panorama cannot validate the commit. This typically requires updating the firewall's content version to match the Panorama version's supported content database.

Exam trap

The trap here is that candidates often confuse 'content version mismatch' with 'PAN-OS version mismatch' or assume it is a licensing issue, but the error specifically points to the content database version incompatibility, not the base software version or license status.

How to eliminate wrong answers

Option A is wrong because forgetting to push dynamic updates before the upgrade would not cause a 'Mismatched content version' error; it might cause missing threat signatures or outdated content, but the error specifically indicates a version incompatibility, not a missing push. Option C is wrong because licensing issues for Panorama would typically result in license validation errors or feature restrictions, not a content version mismatch during commit. Option D is wrong because a firewall software version incompatibility with Panorama 9.1 would produce a 'Software version mismatch' or 'Incompatible PAN-OS version' error, not a content version mismatch; the error is specifically about content updates, not the base PAN-OS version.

58
MCQ · hard

A medium-sized enterprise has a PA-3220 firewall deployed in a data center with two ISPs (ISP-A and ISP-B) for redundancy. The firewall is configured with two virtual routers: VR-Trust for internal networks and VR-Untrust for external connections. Each ISP is connected to a separate physical interface (ethernet1/1 for ISP-A, ethernet1/2 for ISP-B) and both are placed in VR-Untrust with static default routes. The internal network uses 10.0.0.0/16. The firewall has a security policy that allows all outbound traffic from internal to external. Recently, users have reported that internet access is slow during peak hours. The administrator checks the dataplane CPU and sees it averaging 80-90%. The session count is 200,000 out of a maximum of 500,000. The administrator also notices that the firewall is using only ISP-A for all outbound traffic, even though both ISPs have equal bandwidth. The administrator wants to reduce CPU usage and utilize both ISP links. Which action should the administrator take?

A. Configure ECMP on VR-Untrust with source IP hash load balancing
B. Increase the maximum session limit to 1,000,000
C. Disable logging for all security policies
D. Configure the firewall to use active/passive ISP failover
Answer: A

ECMP distributes traffic across both ISPs, reducing CPU load.

Why this answer

The administrator needs to reduce CPU usage and utilize both ISP links. Configuring ECMP (Equal-Cost Multi-Path) on VR-Untrust with source IP hash load balancing allows the firewall to distribute outbound traffic across both ISP links based on the source IP hash, which spreads sessions across multiple paths without requiring policy-based forwarding. This reduces the load on a single link and can help lower CPU utilization by balancing the session processing load across both interfaces, as the firewall can use multiple next hops for the same destination.

Exam trap

The trap here is that candidates may confuse ECMP with active/passive failover, thinking that redundancy alone solves load issues, but ECMP is required for active-active load sharing across equal-cost paths.

How to eliminate wrong answers

Option B is wrong because increasing the maximum session limit to 1,000,000 does not address the high CPU usage or the underutilization of ISP-B; it only allows more sessions, which could worsen CPU load. Option C is wrong because disabling logging for all security policies may reduce CPU overhead slightly but does not solve the core issue of single-link usage and would compromise security monitoring. Option D is wrong because configuring active/passive ISP failover would keep only one ISP active at a time, failing to utilize both links for load sharing and not reducing CPU usage from the active link's overload.

59
MCQ · medium

A large enterprise uses Panorama to manage 100+ firewalls. The security team wants to deploy a new security policy rule to block a specific application across all firewalls. The rule must be placed before the existing rules. The administrator creates the rule in the appropriate rulebase in the device group and pushes the configuration to the managed firewalls. However, the rule appears at the end of the rulebase on the managed firewalls. What is the most likely cause?

A. The firewall's local rulebase overrides the Panorama rule.
B. The rule was created in a pre-rulebase instead of post-rulebase.
C. The rule was added to a different device group.
D. The rule ordering was not adjusted in the device group.
Answer: D

The rule must be moved to the desired position using the Panorama rule ordering interface.

Why this answer

Option D is correct because when adding a rule via Panorama, the rule order must be explicitly set using drag-and-drop or ordering options. If the administrator did not adjust the order, the rule will be appended at the end of the rulebase. Option B is incorrect because pre-rules are placed before local rules, but ordering within the pre-rulebase still applies.

Option A is incorrect because Panorama rules take precedence over local rules unless local rules are configured to override. Option C is incorrect because the rule was created in the correct device group (as stated).

60
MCQ · medium

A security team is implementing SSL Decryption. They want to ensure that traffic to health-related websites is not decrypted due to privacy concerns. Which method should they use to exclude this traffic?

A. Use a source IP address exclusion list in the decryption policy.
B. Disable decryption for all sites that use certificate pinning.
C. Add the domain names to a custom URL category and create a no-decryption rule matching that category.
D. Configure a decryption profile to exclude traffic based on App-ID.
Answer: C

This approach precisely excludes specific sites from decryption while allowing decryption for others.

Why this answer

Option C is correct because Palo Alto Networks firewalls allow you to create custom URL categories containing specific domain names (e.g., health-related sites) and then reference that category in a decryption policy rule set to 'no-decrypt'. This ensures traffic matching those domains is excluded from SSL decryption, addressing privacy concerns without affecting other traffic.

Exam trap

The trap here is that candidates often confuse App-ID with URL filtering, thinking App-ID can selectively exclude traffic based on domain names, but App-ID operates at the application layer and cannot parse individual URLs within encrypted sessions without decryption.

How to eliminate wrong answers

Option A is wrong because source IP address exclusion lists in decryption policy only exclude traffic based on IP addresses, not domain names; health-related websites often use CDNs or load balancers with dynamic IPs, making IP-based exclusion impractical and incomplete. Option B is wrong because disabling decryption for all sites that use certificate pinning is a broad, security-weakening approach that would exclude many non-health sites and is not a precise method for excluding specific health-related domains. Option D is wrong because App-ID identifies applications (e.g., web-browsing, SSL) but cannot distinguish between specific domain names within an encrypted session; it cannot selectively exclude traffic to health-related websites based on URL or domain.

61
MCQ · medium

The security policy rule shown in the exhibit has log-start and log-end both set to 'no', but a log-forwarding profile is configured. Which statement best describes the logging behavior for sessions matching this rule?

A. Sessions are logged only if the session duration exceeds a threshold.
B. Sessions are logged to Panorama immediately when the session starts.
C. Sessions are not logged because logging is disabled.
D. Sessions are logged to Panorama only when the session ends.
Answer: C

Without log-start or log-end, no logs are generated, so forwarding does nothing.

Why this answer

When both log-start and log-end are set to 'no' in a security policy rule, session logging is disabled regardless of any log-forwarding profile attached. The log-forwarding profile only specifies where logs are sent if logging is enabled; it does not override the explicit logging disable. Therefore, no session logs are generated for this rule.

Exam trap

The trap here is that candidates assume a log-forwarding profile overrides the log-start/log-end settings, but in PAN-OS, the profile only forwards logs that are already enabled by those flags.

How to eliminate wrong answers

Option A is wrong because there is no threshold-based logging behavior in PAN-OS; logging is either enabled or disabled per rule. Option B is wrong because log-start being set to 'no' means no logs are generated at session start, and the log-forwarding profile cannot enable logging on its own. Option D is wrong because log-end being set to 'no' prevents end-of-session logging, and the log-forwarding profile does not activate logging when logging is disabled.

62
MCQ · easy

An administrator wants to view real-time CPU and memory usage on the firewall. Which CLI command should be used?

A.show system info
B.show routing route
C.show log system
D.show system resources
Answer: D

This shows CPU, memory, and disk usage in real-time.

Why this answer

The 'show system resources' command displays real-time CPU and memory utilization on a Palo Alto Networks firewall, including load averages, memory usage, and process-level details. This is the correct command for monitoring live resource consumption, as opposed to static system information or logs.

Exam trap

The trap here is that candidates confuse 'show system info' (static system details) with 'show system resources' (dynamic resource usage), as both commands start with 'show system' and seem related to system health.

How to eliminate wrong answers

Option A is wrong because 'show system info' displays static system information such as model, serial number, software version, and uptime, not real-time CPU or memory usage. Option B is wrong because 'show routing route' displays the routing table entries, which is unrelated to system resource monitoring. Option C is wrong because 'show log system' displays system event logs (e.g., configuration changes, alarms), not real-time CPU or memory metrics.

63
MCQ · hard

Refer to the exhibit. Based on the log entry, what action was taken on this traffic?

A.The traffic was allowed with a reset.
B.The action could not be determined.
C.The traffic was dropped.
D.The traffic was allowed and logged.
Answer: C

The action field explicitly states 'drop'.

Why this answer

The log entry shows the action field as 'drop', which indicates the firewall denied the traffic. In Palo Alto Networks firewalls, a 'drop' action means the packet was silently discarded without sending a TCP reset or ICMP unreachable message. Therefore, option C is correct.

Exam trap

Palo Alto Networks often tests the distinction between 'drop' and 'reset' actions, where candidates may mistakenly assume a dropped packet generates a TCP reset, but in Palo Alto firewalls, 'drop' is silent and 'reset' explicitly sends RST packets.

How to eliminate wrong answers

Option A is wrong because 'reset' would appear in the action field as 'reset-both', 'reset-client', or 'reset-server', not 'drop'. Option B is wrong because the action is explicitly logged as 'drop', so it can be determined. Option D is wrong because 'allow' would appear as 'allow' in the action field, and the traffic was dropped, not allowed.

64
MCQ · hard

A security team needs to capture traffic for forensic analysis of a specific application that uses non-standard ports. The administrator wants to capture packets on the firewall for that application only, without affecting performance. Which method should be used?

A.Set up a port mirror on the upstream switch
B.Create an application override policy
C.Configure a PCAP filter in the firewall's packet capture feature
D.Use tcpdump on the management interface
Answer: C

PCAP filter selectively captures traffic based on specified criteria.

Why this answer

The firewall's built-in packet capture feature with a PCAP filter allows the administrator to capture only traffic matching specific criteria (e.g., application, source/destination IP, port) directly on the data plane, without impacting overall performance. This is the correct method because it isolates the target application's traffic for forensic analysis without requiring external devices or altering traffic flow.

Exam trap

The trap here is that candidates confuse a management-plane tool (tcpdump on the management interface) with a data-plane capture, or they assume port mirroring is the only way to capture traffic, overlooking the firewall's native, performance-friendly PCAP filter feature.

How to eliminate wrong answers

Option A is wrong because port mirroring on an upstream switch copies all traffic from the monitored port, not just the specific application, and it introduces additional load on the switch and firewall, potentially affecting performance. Option B is wrong because an application override policy changes how the firewall identifies and handles the application (e.g., by specifying a custom port), but it does not capture or log packet-level data for forensic analysis. Option D is wrong because tcpdump on the management interface only captures traffic destined to or originating from the management plane, not the data-plane traffic flowing through the firewall's forwarding path.

65
Drag & Drop · medium

Arrange the steps to configure a new administrator account with role-based access.


Why this order

Administrator accounts are created with credentials and roles.

66
MCQ · easy

A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?

A.Network > Virtual Routers
B.Policy Optimizer > Test Policy Match
C.Monitor > Logs > Traffic
D.Device > Setup > Management
Answer: B

Test Policy Match simulates traffic and returns matching policy.

Why this answer

Option B is correct because the 'Test Policy Match' tool under Policy Optimizer allows an administrator to simulate a specific traffic flow (source/destination IP, port, protocol) and see which security policy rule it matches. This directly addresses the need to verify whether a missing or misconfigured policy is blocking internet access for the 10.0.1.0/24 subnet.

Exam trap

The trap here is that candidates often confuse the 'Test Policy Match' tool with traffic logs (Option C), thinking logs can predict future policy matches, but logs only show past events and cannot simulate a flow that hasn't occurred yet.

How to eliminate wrong answers

Option A is wrong because Virtual Routers manage routing tables and next-hop decisions, not security policy matching; it cannot test which security rule applies to a traffic flow. Option C is wrong because Monitor > Logs > Traffic shows historical logs of already-processed traffic, not a proactive test of policy matching for a hypothetical flow. Option D is wrong because Device > Setup > Management configures administrative settings (e.g., management interfaces, authentication) and has no capability to simulate or test security policy matching.

67
MCQ · hard

A firewall is deployed in an Active/Passive HA pair. The administrator notices that the passive firewall is not synchronizing configuration changes. The 'show high-availability state' command shows the passive firewall in a 'non-functional' state. What is the most likely cause?

A.The HA2 link is down but HA1 is up
B.The session sync is disabled
C.The passive firewall has link monitoring enabled
D.The passive firewall is running a different PAN-OS version
Answer: D

Version mismatch causes non-functional state.

Why this answer

The passive firewall showing a 'non-functional' state in an Active/Passive HA pair most likely indicates a version mismatch. PAN-OS requires both firewalls in an HA pair to run the exact same software version for configuration synchronization to work. If the passive firewall is running a different PAN-OS version, it cannot properly interpret or apply the configuration from the active firewall, causing it to enter a non-functional state.

Exam trap

The trap here is that candidates often confuse 'non-functional' with connectivity issues (like a down HA link) or session sync settings, but the key is that configuration sync requires identical PAN-OS versions, and a mismatch manifests as a 'non-functional' state on the passive firewall.

How to eliminate wrong answers

Option A is wrong because if the HA2 link (used for session and configuration synchronization) is down but HA1 (heartbeat link) is up, the passive firewall would typically show a 'suspended' or 'passive' state, not 'non-functional', as HA1 can still detect the peer. Option B is wrong because disabling session sync only affects the synchronization of session tables, not configuration changes; configuration sync is controlled separately and would not cause a 'non-functional' state. Option C is wrong because link monitoring on the passive firewall affects failover decisions (e.g., causing a passive-to-active transition if monitored links fail), but it does not prevent configuration synchronization or cause a 'non-functional' state.

68
MCQ · hard

Two firewalls in an active/passive HA pair are not synchronizing. The administrator checks 'show high-availability state' and sees 'active' on both firewalls. What is the most likely cause?

A.The HA3 control link is misconfigured or down.
B.Session owner is set to 'primary' on both firewalls.
C.Preemptive mode is enabled on both firewalls.
D.Both firewalls have different PAN-OS versions.
Answer: A

Without heartbeat, each firewall assumes the other is down and becomes active.

Why this answer

When both firewalls show 'active' in the HA state, it indicates a split-brain scenario where each firewall believes it is the active unit. The HA3 control link is responsible for heartbeat and state synchronization; if it is misconfigured or down, the firewalls cannot detect each other's presence, causing both to assume active status. This is the most common cause of dual-active HA failures.

Exam trap

The trap here is that candidates often assume both firewalls showing 'active' is caused by a configuration mismatch like PAN-OS versions or preemptive settings, but the core issue is the loss of the HA3 control link, which prevents heartbeat detection and triggers a split-brain condition.

How to eliminate wrong answers

Option B is wrong because 'session owner' is a session distribution setting for active/active HA, not active/passive, and setting it to 'primary' on both does not cause both to show active; it affects session ownership, not HA state. Option C is wrong because preemptive mode controls whether a previously active firewall reclaims active status after a failure recovery; it does not cause both to become active simultaneously. Option D is wrong because different PAN-OS versions prevent HA formation entirely (the pair will not synchronize or form an HA group), but the state would show 'non-functional' or 'not synchronized', not 'active' on both.

69
MCQ · hard

A large organization has a PA-5250 firewall pair in active/passive HA mode. The firewalls are managed by Panorama. The security team recently created a new security policy rule to block a specific application (app-block-rule) and pushed the configuration from Panorama. After the push, the active firewall shows the new rule in the security policy list, but traffic matching the rule is not being blocked. The administrator checks the traffic logs and sees that the traffic is being allowed by a different rule with a higher priority. The administrator also notices that the 'app-block-rule' has an 'any' source and destination zone, but the allowed rule has specific zones. The administrator runs 'show session info' and sees that the sessions are being created before the policy push. The administrator wants to ensure that existing sessions are subject to the new policy. Which action should the administrator take?

A.Disable session re-aging on the firewall
B.Commit the configuration on the active firewall
C.Move the new rule to the top of the security policy
D.Enable session re-aging and set a short timeout for the application
Answer: D

Session re-aging forces new policy check on existing sessions.

Why this answer

Option D is correct because session re-aging forces the firewall to re-evaluate existing sessions against the current security policy. When a new policy is pushed, sessions established before the push continue to match the old policy until they expire. By enabling session re-aging and setting a short timeout, the firewall will age out those sessions sooner, causing them to be re-matched against the new 'app-block-rule' and thus be blocked.

Exam trap

The trap here is that candidates think moving the rule to the top of the policy (Option C) will fix the issue, but they overlook that existing sessions are not re-evaluated after a policy change unless session re-aging is enabled.

How to eliminate wrong answers

Option A is wrong because disabling session re-aging would prevent existing sessions from being re-evaluated, making the problem worse. Option B is wrong because the configuration was already pushed from Panorama and committed; the active firewall shows the rule, so a local commit is unnecessary and does not affect existing sessions. Option C is wrong because moving the rule to the top of the policy does not impact sessions that were created before the push; those sessions continue to use the old policy match until they expire or are aged out.

70
MCQ · hard

A company has a PA-3260 firewall configured with multiple virtual routers for segmentation. A new subnet 192.168.30.0/24 is added behind a Layer 3 interface that is part of virtual router 'VR-A'. The administrator adds a static route on the firewall to reach the subnet via next-hop 10.0.0.1. However, hosts in another virtual router 'VR-B' cannot reach the new subnet. The route is present in VR-A's routing table. What should the administrator do to resolve the issue?

A.Create a security policy rule allowing the traffic between the zones.
B.Add a static route in VR-B pointing to the new subnet with next-hop as the interface IP of VR-A's interface.
C.Configure route redistribution between VR-A and VR-B using a routing protocol.
D.Place all interfaces in the same virtual router.
Answer: B

This gives VR-B the necessary routing information to reach the subnet via VR-A.

Why this answer

Virtual routers in Palo Alto Networks firewalls are isolated routing tables. A route in VR-A is not visible to VR-B unless explicitly shared. Adding a static route in VR-B with the next-hop pointing to the interface IP of VR-A's interface (the gateway between the two virtual routers) allows VR-B to forward traffic for 192.168.30.0/24 to VR-A, which then routes it to the correct subnet.

This is the standard method for inter-virtual-router routing without dynamic redistribution.

Exam trap

The trap here is that candidates often assume security policies are the only barrier between virtual routers, forgetting that virtual routers are isolated routing domains and a route must exist in the source virtual router's table before any policy can be applied.

How to eliminate wrong answers

Option A is wrong because security policy rules control traffic flow between zones but do not affect routing; without a route in VR-B, traffic will be dropped by the firewall's routing lookup before any security policy is evaluated. Option C is wrong because route redistribution requires a routing protocol (e.g., OSPF, BGP) to be configured on both virtual routers, which is unnecessary overhead when a simple static route achieves the same result without protocol convergence delays. Option D is wrong because placing all interfaces in the same virtual router defeats the purpose of segmentation and would merge the routing tables, potentially causing routing conflicts and breaking the isolation that virtual routers provide.

71
MCQ · easy

A small business uses a single PA-220 firewall with PAN-OS 10.2. The administrator notices that the firewall is no longer receiving automatic threat updates. The License page shows the Threat Prevention license is active with 200 days remaining. The administrator can manually download updates from the Palo Alto Networks update server. What is the most likely cause?

A.The firewall is behind a proxy that blocks the update service.
B.The update schedule is disabled.
C.The firewall's system clock is incorrect.
D.The DNS settings are misconfigured.
Answer: B

If the schedule is disabled, automatic updates will not occur, but manual downloads are still possible.

Why this answer

The most likely cause is that the update schedule is disabled. Even though the Threat Prevention license is active and manual downloads work, the firewall will not automatically check for or download updates if the scheduled update feature is turned off. In PAN-OS 10.2, the administrator must configure a recurring schedule under Device > Dynamic Updates for automatic updates to occur; otherwise, only manual downloads are possible.

Exam trap

The trap here is that candidates assume a valid license guarantees automatic updates, overlooking that the update schedule is a separate configuration setting that must be explicitly enabled.

How to eliminate wrong answers

Option A is wrong because if a proxy were blocking the update service, manual downloads would also fail, as they use the same outbound HTTPS connection to the Palo Alto Networks update server. Option C is wrong because an incorrect system clock would cause SSL certificate validation failures and prevent both automatic and manual updates, but the administrator can manually download updates successfully. Option D is wrong because misconfigured DNS would prevent resolution of the update server's FQDN, breaking both automatic and manual updates, yet manual downloads work.

72
MCQ · medium

An administrator reviews a traffic log entry: 'Source: 10.0.0.10, Destination: 8.8.8.8, Application: web-browsing, Action: allow, Bytes Sent: 500, Bytes Received: 1200'. What does this log entry indicate about the traffic?

A.The traffic was blocked by a security policy.
B.The traffic was only one-way; only received bytes were logged.
C.The traffic was allowed and identified as web-browsing.
D.The application was incorrectly identified.
Answer: C

The log confirms both the action and the application.

Why this answer

The log entry shows 'Action: allow', which explicitly indicates the firewall permitted the traffic. The 'Application: web-browsing' field confirms that the Palo Alto Networks firewall correctly identified the traffic as HTTP/HTTPS (web-browsing) using App-ID, not just by port. The presence of both 'Bytes Sent' and 'Bytes Received' with non-zero values confirms bidirectional communication, so the traffic was allowed and properly classified.

Exam trap

The trap here is that candidates may assume traffic to 8.8.8.8 is always DNS and thus think the application was misidentified, but the log explicitly shows 'web-browsing' which is valid for HTTP/HTTPS traffic to any IP, and the 'allow' action confirms the firewall permitted it.

How to eliminate wrong answers

Option A is wrong because the 'Action: allow' field directly contradicts blocking; a blocked session would show 'Action: deny' or 'drop'. Option B is wrong because both 'Bytes Sent: 500' and 'Bytes Received: 1200' are non-zero, proving bidirectional traffic, not one-way. Option D is wrong because the application 'web-browsing' is a standard App-ID for HTTP/HTTPS traffic to a public DNS server (8.8.8.8), and there is no evidence of misidentification; App-ID uses deep packet inspection to verify the application regardless of port.

73
Drag & Drop · medium

Arrange the steps to configure a new zone on a Palo Alto Networks firewall in the correct order.


Why this order

Zones are created under the Network tab, with a name and type specified.

74
MCQ · easy

An administrator wants to receive SNMP traps from the firewall for critical events such as failed login attempts and high CPU usage. Which configuration step is required?

A.Enable SNMP monitoring on the interface.
B.Set up a log forwarding profile with SNMP action.
C.Create an SNMP read-only community string.
D.Configure an SNMP trap destination under Device > Setup > SNMP Trap.
Answer: D

This defines where traps are sent and which events trigger them.

Why this answer

To receive SNMP traps from a Palo Alto Networks firewall, you must configure the trap destination under Device > Setup > SNMP Trap. This step defines where the firewall sends SNMP notifications (traps) for events like failed login attempts and high CPU usage. Without a configured trap destination, the firewall will not transmit any SNMP traps, even if other SNMP settings are enabled.

Exam trap

The trap here is that candidates often confuse SNMP polling (which requires read-only community strings and interface monitoring) with SNMP trap generation (which requires a separate trap destination configuration), leading them to select options A or C instead of D.

How to eliminate wrong answers

Option A is wrong because enabling SNMP monitoring on an interface allows the firewall to be polled via SNMP (e.g., for MIB data), but it does not configure the firewall to send unsolicited traps. Option B is wrong because log forwarding profiles are used to forward logs to external services (e.g., syslog, email), not to send SNMP traps; SNMP trap configuration is separate and does not use log forwarding profiles. Option C is wrong because creating an SNMP read-only community string is required for SNMP polling (read access to MIB objects), but it is not necessary for sending traps; traps use a separate community string (often the same, but the trap destination configuration is the critical step).

75
Multi-Select · hard

A firewall is part of a Panorama-managed environment. The administrator needs to ensure that only specific administrators can commit changes to devices. Which TWO actions are required? (Choose two.)

Select 2 answers
A.Enable Multi-Factor Authentication for all admins.
B.Configure role-based access on Panorama.
C.Create an admin role with commit scope limited to specific device groups.
D.Use template stacks to restrict commit permissions.
E.Set the firewall to require approval for commits.
Answers: B, C

Panorama RBAC defines which administrators can commit changes to which device groups.

Why this answer

Options B and C are correct. Configuring role-based access on Panorama (B) and creating an admin role with commit scope limited to specific device groups (C) are necessary to restrict commit permissions to specific administrators. Option A is incorrect because Multi-Factor Authentication is for authentication, not commit restriction.

Option D is incorrect because template stacks are for template management. Option E is incorrect because Panorama does not have a built-in commit approval workflow.
