CCNA Core Concepts Architecture Questions

75 of 76 questions · Page 1/2 · Core Concepts Architecture topic · Answers revealed

1 · MCQ · medium

A company uses Panorama to manage multiple firewalls. They want to push a security policy that applies to all firewalls but with a specific exception for one firewall in a different region. Which Panorama method should be used?

A. Use a shared policy and override the rule on the specific device group.
B. Use a post-rule in the device group.
C. Use a device-specific pre-rule.
D. Use a template variable.
Answer: A

Panorama allows overriding rules at the device group level for exceptions.

Why this answer

Option A is correct because Panorama allows a shared policy to be pushed to all firewalls, and you can override a specific rule for a particular device group. By placing the exception rule in the device group that contains the firewall in the different region, you can override the shared policy for that firewall while the rest continue to use the shared policy. This maintains centralized management while accommodating regional exceptions.

Exam trap

The trap here is that candidates often confuse rule override with rule addition, thinking that adding a pre-rule or post-rule can override a shared policy, when in fact only an explicit override within the same rule type (shared or device group) can replace a rule.

How to eliminate wrong answers

Option B is wrong because a post-rule in the device group applies after the shared policy rules, but it cannot override a shared policy rule; it only adds rules that are evaluated after the shared policy. Option C is wrong because a device-specific pre-rule applies only to a single firewall, but it cannot override a shared policy rule; it only adds rules that are evaluated before the shared policy. Option D is wrong because template variables are used to customize template settings (e.g., IP addresses, interfaces) across firewalls, not to override security policy rules.

2 · Multi-Select · hard

Which THREE of the following are key differences between the Palo Alto Networks Next-Generation Firewall and Cloud-Delivered Security Services (CDSS)?

Select 3 answers
A. CDSS performs full application-level packet inspection.
B. CDSS offers services like DNS Security and WildFire that require an internet connection to the cloud.
C. CDSS provides cloud-based threat analysis and signature updates, while the firewall is the enforcement point.
D. CDSS is a replacement for the firewall's local threat prevention functionality.
E. CDSS can automatically share threat intelligence across all subscribed firewalls.
Answers: B, C, E

These services rely on cloud connectivity.

Why this answer

Option B is correct because DNS Security and WildFire are cloud-delivered services that require an active internet connection to the Palo Alto Networks cloud for real-time analysis and signature retrieval. Unlike local threat prevention, these services offload processing to the cloud, enabling detection of unknown threats without consuming firewall resources.

Exam trap

The trap here is assuming CDSS replaces local firewall functions (like packet inspection or threat prevention) rather than understanding it as a complementary cloud service that enhances, not substitutes, the firewall's core enforcement capabilities.

3 · MCQ · easy

A help desk ticket reports that a user cannot access the firewall's web management interface (HTTPS) from the management network. The management interface is on a dedicated MGMT network. Which setting must be enabled on the firewall to allow this access?

A. Enable IKE on the management interface.
B. Enable User-ID on the management interface.
C. Configure a service route to redirect management traffic to a dataplane interface.
D. Under Device > Setup > Management, add the user's IP or subnet to 'Permitted IP Addresses' for HTTPS.
Answer: D

By default, management access is restricted; you must explicitly allow source IPs.

Why this answer

Option D is correct because the firewall's management interface enforces an access control list for HTTPS (and other management protocols) under Device > Setup > Management. By default, no IP addresses are permitted, so even if the user is on the same MGMT network, the firewall will drop HTTPS requests unless the user's IP or subnet is explicitly added to the 'Permitted IP Addresses' list. This setting is a fundamental security measure to restrict management access to trusted sources only.

Exam trap

The trap here is that candidates often confuse management access control with service routes or dataplane features, assuming that being on the same MGMT network is sufficient, but the firewall explicitly blocks all management protocol access by default unless the source IP is permitted.

How to eliminate wrong answers

Option A is wrong because IKE (Internet Key Exchange) is used for IPsec VPN tunnel negotiation, not for controlling access to the web management interface; enabling IKE on the management interface does not grant HTTPS access. Option B is wrong because User-ID is a feature for mapping IP addresses to usernames for policy enforcement, typically on dataplane interfaces, and enabling it on the management interface does not affect HTTPS management access. Option C is wrong because service routes are used to redirect management traffic (e.g., syslog, SNMP, RADIUS) to a specific dataplane interface for outbound communication, but they do not control inbound HTTPS access to the management interface; the management interface itself must have the correct permitted IP list.

4 · MCQ · hard

An organization uses User-ID with agent-based mapping on a Palo Alto Networks firewall. Users authenticate to a domain but some user-to-IP mappings are not showing up in the firewall's user cache. The firewall can reach the domain controllers. What is the most likely cause?

A. Panorama must be used to distribute User-ID configurations.
B. The firewall's DNS settings are incorrect, preventing user lookup.
C. The user-id mapping timeout is set too low.
D. The User-ID agent is not configured with the correct domain credentials or domain name.
Answer: D

Without proper domain configuration, the agent cannot collect mappings.

Why this answer

The User-ID agent requires valid domain credentials and the correct domain name to query Active Directory for user-to-IP mappings. If these are misconfigured, the agent cannot authenticate to the domain controllers, and no mappings will be populated in the firewall's user cache, even though network connectivity exists.

Exam trap

The trap here is that candidates often assume connectivity issues (like DNS or reachability) are the cause, but the question explicitly states the firewall can reach the domain controllers, narrowing the focus to authentication and configuration of the User-ID agent itself.

How to eliminate wrong answers

Option A is wrong because Panorama is not required for User-ID configuration; User-ID can be configured directly on the firewall or via a separate User-ID agent. Option B is wrong because DNS settings affect hostname resolution, not the user-to-IP mapping process, which relies on the User-ID agent querying domain controllers via LDAP or NetAPI. Option C is wrong because a low timeout would cause mappings to expire prematurely, not prevent them from appearing initially.

5 · MCQ · hard

An organization is implementing SSL Forward Proxy decryption to inspect outbound HTTPS traffic. They want to exclude traffic to specific internal applications that cannot handle decryption due to certificate pinning. The firewall is configured with a decryption policy that decrypts all traffic from the internal network to the internet. To exclude the pinned applications, which approach is best practice?

A. Create a custom URL category for the applications and add it to a decryption policy rule with action 'no-decrypt'.
B. Configure an SSL/TLS Service Profile with an exception list for the destination IPs.
C. Use GlobalProtect client settings to bypass decryption for the pinned applications.
D. Reduce the SSL/TLS protocol version on the decryption policy to cause fail-closed for those applications.
Answer: A

A decryption policy rule with 'no-decrypt' action can be used to exclude traffic, and using a custom URL category is a flexible method.

Why this answer

Option A is correct because creating a custom URL category for the pinned applications and referencing it in a decryption policy rule with action 'no-decrypt' is the best practice for excluding specific traffic from SSL Forward Proxy decryption. This approach allows the firewall to selectively bypass decryption based on the destination URL, which is more granular and manageable than IP-based exceptions, and it aligns with the decryption policy's ability to match traffic by URL category.

Exam trap

The trap here is that candidates often confuse the SSL/TLS Service Profile's exception list (used for inbound decryption) with forward proxy decryption, leading them to select Option B, but the exception list does not apply to outbound SSL Forward Proxy policies.

How to eliminate wrong answers

Option B is wrong because an SSL/TLS Service Profile's exception list is used to exclude specific destination IPs from SSL/TLS termination for inbound decryption (e.g., for SSL Inbound Inspection), not for outbound SSL Forward Proxy decryption; it does not apply to forward proxy scenarios. Option C is wrong because GlobalProtect client settings control VPN tunnel behavior and client-level security policies, but they cannot bypass firewall-level decryption policies; decryption is enforced at the firewall, not the client. Option D is wrong because reducing the SSL/TLS protocol version on the decryption policy would cause the firewall to fail to negotiate a secure connection with the server, potentially breaking all HTTPS traffic to those applications, not just excluding them; it does not provide a selective 'no-decrypt' mechanism.

6 · MCQ · easy

Refer to the exhibit. An administrator sees this log entry. What does it indicate?

A. The traffic was dropped due to buffer overflow.
B. The traffic was allowed but not logged.
C. The traffic did not match any security rule.
D. The traffic matched a rule with action 'deny'.
Answer: C

The '(no rule)' and 'no-match' clearly indicate no rule matched, resulting in default deny.

Why this answer

The log entry shows a session with action 'deny' and a reason of 'rule-out-of-sessions', which indicates that the traffic was evaluated against the security policy but did not match any rule. In Palo Alto Networks firewalls, when traffic does not match any security rule, it is denied by the implicit deny rule at the end of the rulebase, and the log records this as a 'deny' action with the reason 'rule-out-of-sessions'. This is not a buffer overflow or a rule with explicit deny action; it is the default behavior when no rule matches.

Exam trap

Palo Alto Networks often tests the misconception that a 'deny' action in the log always means a specific rule with action 'deny' was matched, but the 'rule-out-of-sessions' reason is the key differentiator that points to the implicit deny rule when no rule matches.

How to eliminate wrong answers

Option A is wrong because buffer overflow is a hardware or software resource exhaustion issue, not a security rule matching issue; the log reason 'rule-out-of-sessions' specifically indicates no rule match, not a buffer condition. Option B is wrong because the log entry shows the traffic was denied (action 'deny'), not allowed; allowed traffic would show action 'allow' and would be logged if logging is enabled. Option D is wrong because a rule with action 'deny' would show the rule name in the log, not 'rule-out-of-sessions'; the 'rule-out-of-sessions' reason is only used when no rule matches and the implicit deny rule is applied.

7 · MCQ · easy

A network engineer is troubleshooting why traffic from the 10.0.1.0/24 subnet to the internet is being dropped. The firewall has the following security policies (in order): 1) Allow from 10.0.1.0/24 to 10.0.2.0/24, 2) Allow from any to any, 3) Deny from 10.0.1.0/24 to any. What is the most likely cause of the traffic being dropped?

A. The 'Allow from 10.0.1.0/24 to 10.0.2.0/24' rule is blocking the traffic.
B. The firewall's implicit deny rule is applied before any security rules.
C. The traffic matches the 'Deny from 10.0.1.0/24 to any' rule first.
D. The traffic matches the 'Allow from any to any' rule first.
Answer: C

The deny rule is listed first and matches the traffic, so it is dropped before reaching the allow rule.

Why this answer

Option C is correct because the firewall evaluates security policies in top-down order, and the traffic from 10.0.1.0/24 to the internet (any destination) matches the first rule (10.0.1.0/24 to 10.0.2.0/24) only if the destination is 10.0.2.0/24. Since the internet is not in that subnet, the traffic proceeds to the second rule (allow any to any), which permits it. However, the third rule (deny from 10.0.1.0/24 to any) is then evaluated and matches, causing the traffic to be dropped.

The key is that the deny rule is placed after the allow any rule, but because it is more specific to the source, it still applies after the broader allow rule is checked.

Exam trap

The trap here is that candidates often assume the 'Allow from any to any' rule will permit all traffic and stop further evaluation, but Palo Alto firewalls continue to check subsequent rules, and a later deny rule can override an earlier allow rule if it matches.

How to eliminate wrong answers

Option A is wrong because the 'Allow from 10.0.1.0/24 to 10.0.2.0/24' rule only applies to traffic destined for 10.0.2.0/24, not to the internet, so it does not block the traffic. Option B is wrong because the firewall's implicit deny rule is applied only after all configured security rules are evaluated; it is not applied before any security rules. Option D is wrong because the traffic does match the 'Allow from any to any' rule second, but the firewall continues to evaluate subsequent rules, and the third rule (deny) overrides the allow due to the order of evaluation.

8 · Multi-Select · medium

A security engineer is troubleshooting a traffic drop issue on a Palo Alto Networks firewall. The traffic is allowed by the security policy, but the session is being terminated. Which two features could cause this behavior? (Choose two.)

Select 2 answers
A. DoS Protection
B. User-ID
C. SSL Decryption
D. URL Filtering
E. Zone Protection Profile
Answers: A, E

DoS Protection can actively terminate sessions exceeding thresholds.

Why this answer

A DoS Protection profile can terminate sessions that exceed configured thresholds for rate, connection count, or other attack-related criteria, even if the security policy explicitly allows the traffic. When the firewall detects that a session matches a DoS Protection rule and the traffic rate or concurrent session count surpasses the defined threshold, it will drop the session to mitigate the attack, overriding the allow action from the security policy.

Exam trap

The trap here is that candidates often assume only security policy rules control traffic flow, forgetting that additional security features like DoS Protection and Zone Protection Profiles can override an allow action by terminating sessions based on rate limits or attack signatures.

9 · MCQ · medium

A security engineer wants to identify applications in SSL/TLS encrypted traffic without decrypting the payload. Which method can be used?

A. Deploy a network tap to capture traffic
B. Use App-ID's encrypted traffic detection capabilities
C. Configure the firewall to trust all certificates
D. Implement SSL Forward Proxy decryption
Answer: B

App-ID can identify encrypted applications using SNI, IP mapping, and behavioral analysis without decryption.

Why this answer

App-ID's encrypted traffic detection capabilities allow the firewall to identify applications within SSL/TLS encrypted flows without decrypting the payload. It uses techniques such as server name indication (SNI) inspection, certificate field analysis, and JA3/JA3S fingerprinting to match traffic to known applications, even when the content is encrypted.

Exam trap

The trap here is that candidates often assume application identification in encrypted traffic always requires decryption, overlooking that metadata from the TLS handshake can be used for identification without breaking encryption.

How to eliminate wrong answers

Option A is wrong because deploying a network tap only captures raw packets; it does not provide application identification without additional decryption or deep packet inspection. Option C is wrong because configuring the firewall to trust all certificates would bypass certificate validation, creating a security vulnerability and still not enabling application identification without decryption. Option D is wrong because SSL Forward Proxy decryption explicitly decrypts the payload to inspect it, which the question states should be avoided.

10 · MCQ · hard

Refer to the exhibit. A firewall administrator is investigating why traffic from a source IP 10.1.1.100 to destination 192.168.1.50 is not establishing sessions. The firewall has been up for 45 days. Based on the counters shown, what is the most likely cause?

A. Incorrect NAT rule configuration
B. Security policy denying the traffic
C. Asymmetric routing causing out-of-state packets
D. Zone Protection Profile dropping SYN packets
Answer: C

Non-SYN packets without a session indicate asymmetric routing.

Why this answer

The counters show 'flow_pkt_non_syn' and 'flow_pkt_non_syn_drop' incrementing, which indicates the firewall is receiving packets that do not have the SYN flag set for new session establishment. This is a classic symptom of asymmetric routing, where the firewall sees return or mid-stream packets before the initial SYN, causing it to drop them as out-of-state. Since the firewall has been up for 45 days, stale session table entries are not the issue; the traffic path is likely not symmetric, so the firewall never sees the SYN to create a session.

Exam trap

The trap here is that candidates often assume a security policy or NAT issue when traffic fails, but the specific counter 'flow_pkt_non_syn_drop' directly points to asymmetric routing, not policy or NAT misconfiguration.

How to eliminate wrong answers

Option A is wrong because incorrect NAT rule configuration would typically show counters like 'flow_ip_nat_xlate' or 'flow_ip_nat_fail' incrementing, not non-SYN drops. Option B is wrong because a security policy denying traffic would increment the 'flow_pkt_drop' or 'policy_deny' counters, not specifically 'flow_pkt_non_syn_drop', and the firewall would log the denial. Option D is wrong because a Zone Protection Profile dropping SYN packets would increment 'zone_protection_drop_syn' or similar counters, and would affect SYN packets, not non-SYN packets.

11 · MCQ · hard

A company uses a Palo Alto Networks firewall to decrypt all outbound SSL traffic. Recently, users have reported slow internet performance. The network administrator notices that the firewall's CPU utilization is consistently above 90%. The traffic logs show that a large portion of decrypted traffic is from software update services (e.g., Windows Update, Adobe, etc.) that do not require inspection. The firewall is a mid-range model with hardware decryption acceleration. What is the most effective action to reduce CPU usage while maintaining security?

A. Configure a decryption policy exception to exclude high-volume, low-risk services from decryption.
B. Increase the decryption session buffer size in the SSL/TLS proxy settings.
C. Enable hardware decryption offload on the firewall.
D. Add an additional firewall in an active/passive HA pair to distribute the decryption load.
Answer: A

This reduces the decryption load significantly while still protecting against threats from other sites.

Why this answer

Option A is correct because excluding high-volume, low-risk services like Windows Update and Adobe updates from SSL decryption reduces the CPU load from decrypting traffic that does not require security inspection. This approach maintains security by focusing decryption resources on traffic that poses a genuine risk, while leveraging the firewall's ability to bypass decryption for trusted sources. The mid-range model's hardware decryption acceleration is already in use, so the most effective step is to reduce the volume of decryption itself.

Exam trap

The trap here is that candidates assume hardware decryption offload is not already enabled or that adding HA will magically balance load, when in fact the question explicitly states hardware acceleration is present and active/passive HA does not distribute processing load.

How to eliminate wrong answers

Option B is wrong because increasing the decryption session buffer size in the SSL/TLS proxy settings does not reduce CPU utilization; it only allows more concurrent sessions to be buffered, which can actually increase memory pressure and CPU overhead. Option C is wrong because the question states the firewall already has hardware decryption acceleration enabled, so enabling it again would have no effect. Option D is wrong because adding an additional firewall in an active/passive HA pair does not distribute the decryption load; in active/passive mode, only one firewall processes traffic at a time, so CPU utilization on the active unit would remain unchanged.

12 · Multi-Select · hard

A network administrator is configuring a new Palo Alto Networks firewall in a high-availability active/passive setup. The firewall will be placed in Layer 3 mode. Which THREE steps are required to ensure proper operation? (Choose three.)

Select 3 answers
A. Configure a virtual router and assign interfaces
B. Configure the HA1 link and HA1 backup link
C. Enable aggregate Ethernet on all interfaces
D. Set up a management profile for each interface
E. Configure a floating IP for the active firewall
Answers: A, B, E

Virtual router is required for Layer 3 routing.

Why this answer

Option A is correct because in Layer 3 mode, a virtual router must be configured to enable the firewall to participate in IP routing. The virtual router handles route learning, static routes, and route redistribution, and each Layer 3 interface must be assigned to a virtual router to forward traffic. Without this, the firewall cannot route packets between zones.

Exam trap

The trap here is that candidates often think aggregate Ethernet or management profiles are mandatory for HA or Layer 3 operation, but they are optional features that do not affect basic routing or HA failover functionality.

13 · Multi-Select · easy

Which three are valid security policy rule actions on a Palo Alto Networks firewall? (Choose three.)

Select 3 answers
A. Deny
B. Log
C. Drop
D. Allow
E. Forward
Answers: A, C, D

Deny drops traffic and can generate logs.

Why this answer

Option A (Deny) is correct because security policy rules on Palo Alto Networks firewalls use 'Deny' as a valid action to silently discard traffic without sending a TCP RST or ICMP unreachable message. This action is used when you want to block traffic while providing no feedback to the sender, which is common for stealth or compliance policies.

Exam trap

The trap here is that candidates often confuse 'Log' as an action because it appears in the rule configuration, but it is merely a log setting, not a traffic disposition action like Allow, Deny, or Drop.

14 · MCQ · hard

A company configures its Palo Alto Networks firewall to decrypt outbound SSL traffic using a forward proxy. After applying the decryption policy, users report that their browsers display certificate errors when accessing HTTPS websites. The firewall's decryption certificate is self-signed. What is the most likely cause?

A. The firewall is using a forward trust certificate that is expired.
B. The decryption policy is not applied to the correct security rule.
C. The firewall's decryption root CA certificate has not been installed in the client's trusted root certificate store.
D. The decryption policy is set to 'no-decrypt' for the traffic.
Answer: C

Correct. Clients must trust the firewall's issuing CA to avoid certificate warnings.

Why this answer

In a forward proxy decryption scenario, the firewall generates a self-signed root CA certificate and uses it to sign per-session certificates for intercepted HTTPS traffic. If that root CA certificate is not installed in the client's trusted root certificate store, the browser will treat the per-session certificates as untrusted, resulting in certificate errors. Option C directly identifies this missing trust chain as the root cause.

Exam trap

The trap here is that candidates often confuse the forward trust certificate (used to sign per-session certificates) with the root CA certificate that must be trusted by clients, leading them to focus on expiration or policy placement rather than the fundamental trust chain requirement.

How to eliminate wrong answers

Option A is wrong because an expired forward trust certificate would cause certificate errors, but the scenario explicitly states the decryption certificate is self-signed, and the most common issue is the missing root CA trust, not an expired leaf certificate. Option B is wrong because the decryption policy is applied to a decryption rule, not a security rule; misapplication to a security rule would not cause certificate errors—it would simply not decrypt traffic. Option D is wrong because a 'no-decrypt' policy would result in no decryption at all, meaning users would see normal HTTPS traffic without certificate errors, not the reported errors.

15 · MCQ · hard

A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?

A. The firewall will automatically redistribute the route to VR-B if needed.
B. The firewall will perform a reverse path forwarding (RPF) check on the source IP.
C. The packet will be dropped because the destination is not in the same VR as the ingress interface.
D. The firewall will use the zone of the egress interface to determine the security policy.
Answer: B

RPF ensures the source IP is reachable via the incoming interface; if not, the packet may be dropped.

Why this answer

Option B is correct because when a packet enters a Palo Alto Networks firewall, after a successful route lookup, the firewall performs an RPF check on the source IP address to ensure that the source is reachable via the ingress interface. This is a fundamental security mechanism to prevent spoofed traffic. Since the ingress interface is in VR-A and the route lookup succeeded, the RPF check verifies that the source IP of the packet is reachable through that same interface; if not, the packet is dropped.

Exam trap

The trap here is that candidates often assume the packet will be dropped because the destination is in a different VR (Option C), but they overlook that the route lookup succeeded in the ingress VR, meaning the egress interface is within the same VR, and the real security mechanism is the RPF check on the source IP.

How to eliminate wrong answers

Option A is wrong because Palo Alto Networks firewalls do not automatically redistribute routes between virtual routers; redistribution must be explicitly configured using route redistribution policies or a shared virtual router. Option C is wrong because the packet is not dropped due to the destination being in a different VR; the route lookup succeeded in VR-A, meaning the destination is reachable within VR-A, and the egress interface could be in the same VR. Option D is wrong because the security policy lookup uses the zone of the ingress interface (trust), not the egress interface; the egress interface's zone is irrelevant for policy matching.

16 · MCQ · medium

An organization runs a pair of Palo Alto Networks firewalls in an active/passive HA configuration. During a maintenance window, the active firewall experiences a link down event on one of its data interfaces. The passive firewall does not assume the active role. What is the most likely reason?

A. HA is configured in active/active mode, which does not support failover on link failure.
B. The passive firewall has lost its heartbeat connection to the active firewall.
C. The active firewall has a higher priority value.
D. Path monitoring is not configured on the interfaces.
Answer: D

Correct. Path monitoring monitors the status of data interfaces and triggers failover on link loss.

Why this answer

In an active/passive HA configuration, a link down event on a data interface does not automatically trigger a failover unless path monitoring is configured. Path monitoring allows the firewall to monitor the link state of specific data interfaces and initiate a failover when those interfaces go down. Without path monitoring, the passive firewall remains passive because it only monitors the HA heartbeat and the active firewall's health via the control link, not the data plane link state.

Exam trap

The trap here is that candidates often assume any link failure on a data interface will automatically trigger an HA failover, but Palo Alto Networks firewalls require explicit path monitoring configuration to initiate failover based on data plane link state.

How to eliminate wrong answers

Option A is wrong because the scenario explicitly states active/passive HA, not active/active, and even in active/active mode, failover on link failure can occur if path monitoring is configured. Option B is wrong because if the passive firewall had lost its heartbeat connection, it would assume the active role (due to loss of hello messages) or enter a non-functional state, not remain passive. Option C is wrong because a higher priority value on the active firewall makes it more likely to be active, but it does not prevent failover when a link down event occurs; priority determines which firewall becomes active during initial election or when both are healthy, not whether failover happens on a link failure.

17 · MCQ · hard

A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?

A. The route lookup for the destination requires a larger MTU.
B. The firewall is not performing TCP MSS clamping on the traffic.
C. The firewall is using jumbo frames on the internal interface.
D. The packet is being encapsulated (e.g., IPsec) after routing, increasing its size beyond 1500 bytes.
Answer: D

Encapsulation adds headers; if the original packet is near MTU, the encapsulated packet exceeds it.

Why this answer

When a packet is encapsulated (e.g., by IPsec) after the routing decision, the original packet's size remains 1500 bytes, but the encapsulation adds overhead (e.g., IPsec ESP headers/trailers, typically 50–60 bytes). This causes the resulting frame to exceed the interface MTU of 1500, triggering a 'packet too long for interface MTU' drop. The firewall logs the drop at the physical interface after encapsulation, not before.

Exam trap

The trap here is that candidates assume the firewall drops the packet before encapsulation because the original packet matches the MTU, but the drop occurs after encapsulation adds overhead, making the final frame too large.

How to eliminate wrong answers

Option A is wrong because the route lookup determines the next hop and outgoing interface, but it does not change the packet size; a larger MTU on the route would not cause a drop of a 1500-byte packet on a 1500-MTU interface. Option B is wrong because TCP MSS clamping reduces the TCP segment size to avoid fragmentation, but the drop occurs after routing/encapsulation, and MSS clamping would not prevent the encapsulation overhead from exceeding the MTU. Option C is wrong because jumbo frames (typically >9000 bytes) on an internal interface would allow larger packets, not cause drops; the issue is on the egress interface where the MTU is 1500.

18
MCQeasy

A company needs to deploy a firewall in transparent inline mode to filter traffic between two switches without requiring any IP address changes on existing devices. Which interface type should be configured?

A.Virtual Wire
B.Tap
C.Layer3
D.Layer2
AnswerA

Virtual Wire bridges two ports without IP, providing transparent inline inspection.

Why this answer

Virtual Wire (VWire) is the correct interface type because it allows the firewall to operate in transparent inline mode without requiring any IP address changes on existing devices. In VWire mode, the firewall acts as a Layer 2 bump in the wire, forwarding traffic between two interfaces based on MAC addresses without participating in routing or requiring IP configuration on the firewall interfaces themselves.

Exam trap

The trap here is that candidates confuse Layer2 interfaces with Virtual Wire, assuming any transparent mode works the same, but Layer2 interfaces require bridge groups or VLAN configuration and do not provide the same zero-touch inline deployment as Virtual Wire.

How to eliminate wrong answers

Option B (Tap) is wrong because a Tap interface is used for passive monitoring only; it receives a copy of traffic but cannot actively filter or block traffic inline between switches. Option C (Layer3) is wrong because Layer3 interfaces require IP addresses and routing, which would necessitate IP address changes on existing devices and break the transparent requirement. Option D (Layer2) is wrong because while Layer2 interfaces can operate transparently, they require a VLAN tag or bridge configuration and do not inherently provide the same zero-configuration, bump-in-the-wire behavior as Virtual Wire, which is specifically designed for transparent inline deployment without any IP or VLAN changes.

19
MCQeasy

Refer to the exhibit. A user with IP 10.1.1.100 from the internal zone is trying to access http://203.0.113.1. What will the firewall do?

A.Drop the traffic because no rule matches.
B.Allow the traffic because rule 2 matches.
C.Reset the traffic because of rule 1.
D.Deny the traffic because rule 1 matches first.
AnswerD

Rule 1 has source 10.0.0.0/8 which includes 10.1.1.100, so it matches first and denies the traffic.

Why this answer

Option D is correct because the firewall processes security rules in top-down order. Rule 1 explicitly denies traffic from the internal zone to the destination zone 'untrust-L3' for destination IP 203.0.113.1, which matches the user's traffic. Since rule 1 is matched first, the firewall denies the traffic and does not evaluate subsequent rules.

Exam trap

The trap here is that candidates often assume the firewall will continue to evaluate subsequent rules (like rule 2) after a match, but the first-match logic means rule 1's deny action is applied immediately, preventing any further rule evaluation.

How to eliminate wrong answers

Option A is wrong because a rule does match (rule 1), so the traffic is not dropped due to a lack of matching rules. Option B is wrong because rule 2 would only be evaluated if rule 1 did not match; however, rule 1 matches first and denies the traffic, so rule 2 is never reached. Option C is wrong because rule 1 is configured to deny the traffic, not reset it; a reset action would require a specific 'reset' action in the rule, which is not indicated.

20
MCQeasy

A company is deploying a Palo Alto Networks firewall in an existing Layer 2 switched environment. They need to inspect traffic between VLAN 10 and VLAN 20 without changing the IP addresses of hosts and without performing any routing. Which firewall mode should be used?

A.Virtual Wire
B.Tap mode
C.Transparent (Layer 2)
D.Layer 3
AnswerC

Transparent mode bridges VLANs at Layer 2, enabling inspection without IP changes.

Why this answer

Option C is correct because Transparent (Layer 2) mode allows the firewall to operate as a Layer 2 bridge, inspecting traffic between VLAN 10 and VLAN 20 without requiring any IP address changes or routing. The firewall forwards frames based on MAC addresses, preserving the existing IP subnet and host configurations, which is ideal for inserting security into an existing switched environment.

Exam trap

The trap here is that candidates often confuse Virtual Wire mode with Transparent mode, assuming Virtual Wire can handle VLANs, but Virtual Wire does not support VLAN subinterfaces or inter-VLAN inspection, making it unsuitable for this requirement.

How to eliminate wrong answers

Option A is wrong because Virtual Wire mode operates without any VLAN or MAC learning, passing traffic as a simple bump in the wire without the ability to inspect inter-VLAN traffic; it requires the firewall to be placed between two interfaces without any Layer 2 switching or VLAN segmentation. Option B is wrong because Tap mode only copies traffic for monitoring and does not allow the firewall to enforce security policies inline; it cannot block or modify traffic between VLANs. Option D is wrong because Layer 3 mode requires the firewall to perform routing between subnets, which would necessitate changing host IP addresses or default gateways, contradicting the requirement to avoid routing and IP changes.

21
Multi-Selecthard

Which two are prerequisites for deploying a Palo Alto Networks firewall in a high-availability active/passive pair? (Choose two.)

Select 2 answers
A.Both firewalls must have identical licenses.
B.Both firewalls must be the same hardware model.
C.Both firewalls must be in the same data center.
D.Both firewalls must have the same PAN-OS version.
E.The firewalls must be directly connected via a crossover cable for HA1.
AnswersB, D

Same model ensures compatibility for HA.

Why this answer

Option B is correct because Palo Alto Networks high-availability (HA) active/passive pairs require both firewalls to be the same hardware model to ensure identical processing capabilities and interface configurations. Option D is correct because both firewalls must run the same PAN-OS version to maintain configuration synchronization and stateful failover compatibility; version mismatches can cause HA session sync failures or unexpected behavior.

Exam trap

The trap here is that candidates often assume a direct crossover cable is required for HA1, but Palo Alto Networks supports HA1 over any routable Layer 3 interface, including through switches, making option E a common distractor.

22
MCQhard

Refer to the exhibit. A packet from 10.0.0.5 to 8.8.8.8 on TCP port 443 (HTTPS) arrives. Source zone is trust, destination zone is untrust. The packet is dropped. What is the most likely reason?

A.The service 'application-default' does not allow TCP port 443.
B.The packet is not logged properly.
C.The destination IP is not routable in the virtual router.
D.The rule requires application 'web-browsing', but the traffic is identified as 'ssl', causing a mismatch and drop.
AnswerD

The firewall matches the application after identification; if it does not match the rule, the packet is dropped.

Why this answer

Option D is correct because the security rule requires the application 'web-browsing' (HTTP), but the traffic is HTTPS (TCP 443), which is identified as 'ssl' by the Palo Alto Networks firewall. The firewall performs App-ID inspection, and if the application does not match the rule's application condition, the packet is dropped, even if the port matches.

Exam trap

The trap here is that candidates assume a port-based rule (TCP 443) will allow HTTPS traffic, but Palo Alto Networks firewalls require the application to match the rule's application object, not just the port, so a rule allowing 'web-browsing' will drop HTTPS traffic identified as 'ssl'.

How to eliminate wrong answers

Option A is wrong because 'application-default' is a service setting that restricts the port to the default port for the application; for 'ssl', TCP 443 is the default, so it would allow the traffic if the application matched. Option B is wrong because logging is a reporting feature and does not cause a packet drop; a packet is dropped due to a security rule or policy, not logging configuration. Option C is wrong because 8.8.8.8 is a public IP and is routable in the virtual router unless a static or default route is missing; the question states the packet is dropped by a rule, not a routing issue.

23
MCQhard

A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?

A.The destination NAT is configured incorrectly.
B.The security policy is missing the return traffic rule.
C.The firewall is in FIPS mode.
D.The source NAT is not configured.
AnswerD

Without source NAT, the packet's source IP remains private, and the server replies to that private IP, which may not return to the firewall.

Why this answer

When traffic from an internal host is allowed by security policy and the session is created but no response packets are seen, the most likely cause is that source NAT (also known as outbound NAT or PAT) is not configured. Without source NAT, the firewall forwards the packet with the internal private IP address as the source, and the external server sends responses back to that private address, which is not routable over the public internet. The firewall sees the session as created because it matched the security policy and forwarded the initial packet, but the return traffic never reaches the firewall, so no response packets are logged.

Exam trap

The trap here is that candidates often assume a session being 'created' means the connection is fully established, but in Palo Alto Networks, a session is created as soon as the first packet matches a security rule, even if NAT is not configured, leading to the misconception that the issue must be a missing return traffic rule or a routing problem.

How to eliminate wrong answers

Option A is wrong because destination NAT is used to translate the destination IP address (typically for inbound traffic to internal servers), not for outbound traffic from an internal host to an external server; misconfigured destination NAT would affect how the firewall forwards the initial packet, but the symptom here is missing response packets, not a failure to create the session. Option B is wrong because Palo Alto Networks firewalls use a stateful inspection model where return traffic is automatically allowed if the session was created by a security policy rule; there is no need for a separate return traffic rule, so missing one is not a valid concept. Option C is wrong because FIPS mode enforces cryptographic standards and disables non-approved algorithms, but it does not prevent the firewall from performing source NAT or forwarding packets; if the session was created, FIPS mode is not the cause of missing response packets.

24
MCQhard

A network engineer configures a Source NAT policy on a Palo Alto Networks firewall to translate internal private IP addresses to the public IP of the external interface. The NAT rule is configured with source zone 'internal', destination zone 'external', and uses 'interface address' as the translated address. The associated security rule allows traffic from 'internal' to 'external' with the translated IP as the source. After committing, users cannot access the internet. Traceroute from an internal host to 8.8.8.8 shows: Hop 1: 192.168.1.1 (firewall internal IP), Hop 2: * * * (no response). The firewall's external interface has a public IP and is in the 'external' zone. What is the most likely cause of the issue?

A.The security rule's action is set to 'deny' for the translated IP.
B.The NAT rule's source zone is configured as 'external' instead of 'internal'.
C.The firewall's default route is missing.
D.The NAT rule is configured with destination zone 'any' but should be 'external'.
AnswerB

If the source zone is 'external', the internal traffic will not match the NAT rule, so no source translation occurs.

Why this answer

The NAT rule's source zone must match the zone of the incoming traffic. If the source zone is set to 'external' instead of 'internal', the firewall will not apply the NAT rule to traffic arriving from the internal zone. As a result, packets are forwarded without translation, and the security rule expecting the translated IP as the source will not match, causing traffic to be dropped.

The traceroute showing no response beyond the firewall's internal IP confirms that packets are not being translated or forwarded correctly.

Exam trap

The trap here is that candidates often focus on the destination zone or security rule configuration, overlooking that the NAT rule's source zone must match the actual traffic ingress zone, not the zone of the translated address.

How to eliminate wrong answers

Option A is wrong because the security rule is explicitly stated to allow traffic with the translated IP as the source; a deny action would be inconsistent with the scenario and would not explain the traceroute behavior. Option C is wrong because a missing default route would cause the firewall to have no path to the internet, but the traceroute shows the firewall's internal interface responding, indicating the firewall is reachable and routing is likely present. Option D is wrong because setting the destination zone to 'any' would actually broaden the match and not prevent NAT from being applied; the issue is with the source zone, not the destination zone.

25
Multi-Selecthard

Which THREE are valid methods for User-ID mapping in PAN-OS?

Select 3 answers
A.DHCP snooping
B.Netflow collection
C.SNMP traps
D.Active Directory polling
E.Captive Portal
AnswersA, D, E

DHCP snooping maps IP addresses to MAC addresses which are linked to users via authentication.

Why this answer

DHCP snooping is a valid User-ID mapping method because the PAN-OS firewall can act as a DHCP snooping device, listening to DHCPACK messages from the DHCP server. By extracting the client IP address and MAC address from these packets, the firewall can map the IP to a username if the MAC is known via other means (e.g., Active Directory). This method is agentless and works well in environments where DHCP is used for IP address assignment.

Exam trap

The trap here is that candidates often confuse network monitoring protocols like Netflow and SNMP with user identification mechanisms, mistakenly thinking they can provide user-to-IP mappings when they are designed for traffic analysis and device management, respectively.

26
MCQmedium

A firewall has the routing table shown. A packet arrives on ethernet1/2 with source IP 10.0.0.50 and destination IP 10.0.0.100. Which route will be used for forwarding?

A.10.0.0.0/24 via 10.0.0.2 ethernet1/2
B.10.0.1.0/24 via 10.0.0.3 ethernet1/3
C.10.0.0.0/8 via 10.0.0.1 ethernet1/1
D.0.0.0.0/0 via 10.0.0.1 ethernet1/1
AnswerA

Longest prefix match: /24 is more specific than /8.

Why this answer

The firewall performs a longest-prefix match on the routing table. The destination IP 10.0.0.100 matches the 10.0.0.0/24 route (prefix length 24) more specifically than the 10.0.0.0/8 route (prefix length 8) or the default route. Since the packet arrived on ethernet1/2 and the matching route points to the same interface, the route via 10.0.0.2 ethernet1/2 is selected.

Exam trap

The trap here is that candidates often pick the default route or the classful /8 route without considering the longest-prefix match rule, mistakenly assuming that a broader match or the default route is sufficient for forwarding.

How to eliminate wrong answers

Option B is wrong because the destination IP 10.0.0.100 does not fall within the 10.0.1.0/24 subnet; the route is for a different network. Option C is wrong because although 10.0.0.100 is within the 10.0.0.0/8 range, the route has a shorter prefix length (8) than the 10.0.0.0/24 route (24), so the longest-prefix match rule selects the /24 route instead. Option D is wrong because the default route (0.0.0.0/0) is only used when no more specific route matches; here, a specific route (10.0.0.0/24) exists and is preferred.
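The longest-prefix-match lookup described above, written out as an added Python example (not code from the original page or from PAN-OS). The routing table is constructed from the four candidate routes in the question; the function also generalises to any destination, returning the default route when only it matches and `None` when no route covers the destination at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    next_hop: str
    interface: str


# Constructed routing table holding the four candidate routes from the question.
ROUTES = [
    Route("10.0.0.0/24", "10.0.0.2", "ethernet1/2"),
    Route("10.0.1.0/24", "10.0.0.3", "ethernet1/3"),
    Route("10.0.0.0/8",  "10.0.0.1", "ethernet1/1"),
    Route("0.0.0.0/0",   "10.0.0.1", "ethernet1/1"),
]


def matching_routes(routes: List[Route], destination: str) -> List[Route]:
    """Every route whose prefix contains the destination, most specific first.
    The sort is stable, so routes with equal prefix length keep table order."""
    dst = ip_address(destination)
    hits = [r for r in routes if dst in ip_network(r.prefix, strict=False)]
    return sorted(hits,
                  key=lambda r: ip_network(r.prefix, strict=False).prefixlen,
                  reverse=True)


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the matching route with the largest prefix length
    is used for forwarding. Returns None when not even a default route covers
    the destination (the packet would be dropped as unroutable)."""
    hits = matching_routes(routes, destination)
    return hits[0] if hits else None


if __name__ == "__main__":
    for dst in ("10.0.0.100", "10.0.1.50", "10.200.0.1", "8.8.8.8"):
        candidates = [r.prefix for r in matching_routes(ROUTES, dst)]
        chosen = select_route(ROUTES, dst)
        print(f"{dst}: candidates {candidates} -> {chosen.prefix} "
              f"via {chosen.next_hop} {chosen.interface}")
```

For 10.0.0.100 the candidate list is the /24, the /8 and the default route, in that order, so the /24 via 10.0.0.2 on ethernet1/2 wins; the /8 and the default are only reached for destinations such as 10.200.0.1 or 8.8.8.8 that no more specific prefix covers.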

27
MCQeasy

A security administrator wants to block traffic from IP address 192.168.1.100 to the internet. The firewall has a security policy that allows all outbound traffic. Which action should be taken to most efficiently block this specific host?

A.Configure a Zone Protection profile to block the IP.
B.Create a new security rule with source IP 192.168.1.100 and action 'deny', placed before the allow rule.
C.Apply a QoS policy to limit the bandwidth from that IP to zero.
D.Add the IP to an External Dynamic List and reference it in a security rule.
AnswerB

A simple deny rule is the most efficient method.

Why this answer

Option B is correct because the most efficient way to block a specific host in a Palo Alto Networks firewall is to create a security rule with a source IP of 192.168.1.100 and action 'deny', placed before the existing allow rule. Security rules are evaluated in order from top to bottom, and the first matching rule determines the action; placing the deny rule first ensures the host's traffic is blocked without affecting other traffic.

Exam trap

The trap here is that candidates may think a Zone Protection profile or QoS policy can block a specific host, but these features are designed for different purposes (threat prevention and traffic shaping, respectively) and do not provide the precise, rule-based blocking that a security rule offers.

How to eliminate wrong answers

Option A is wrong because Zone Protection profiles are used to protect against flood attacks, reconnaissance, and other network-based threats at the zone level, not to block specific IP addresses from accessing the internet; they operate on traffic patterns, not individual host policies. Option C is wrong because a QoS policy limits bandwidth but does not block traffic; setting bandwidth to zero would still allow the traffic to be processed and potentially dropped due to congestion, but it is not a reliable or efficient method to block a specific host. Option D is wrong because using an External Dynamic List (EDL) is an indirect method that requires additional configuration and external management, making it less efficient than a direct security rule for blocking a single static IP address.
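The top-down, first-match evaluation that questions 19 and 27 both rely on, as an added Python example (not code from the original page or from PAN-OS). The rulebases are constructed from the two scenarios: rule 1 and rule 2 as described for question 19, and the host-specific deny placed before (and, for contrast, after) the existing allow-all rule from question 27. The fallback to an intrazone-default allow and an interzone-default deny when no rule matches is the assumed default behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                 # zone name, or "any"
    to_zone: str                   # zone name, or "any"
    sources: Tuple[str, ...]       # CIDRs, or ("any",)
    destinations: Tuple[str, ...]  # CIDRs, or ("any",)
    action: str                    # "allow" or "deny"


def _zone_match(rule_zone: str, zone: str) -> bool:
    return rule_zone == "any" or rule_zone == zone


def _addr_match(cidrs: Tuple[str, ...], addr: str) -> bool:
    if "any" in cidrs:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Walk the rulebase top-down and return (action, rule_name) for the FIRST
    rule whose zones and addresses all match; rules below it are never
    consulted. With no match, fall back to the assumed implicit defaults:
    same-zone traffic is allowed, cross-zone traffic is denied."""
    for rule in rules:
        if (_zone_match(rule.from_zone, src_zone)
                and _zone_match(rule.to_zone, dst_zone)
                and _addr_match(rule.sources, src_ip)
                and _addr_match(rule.destinations, dst_ip)):
            return rule.action, rule.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# Constructed rulebase for question 19: rule 1 denies 10.0.0.0/8 -> 203.0.113.1,
# rule 2 allows everything else from internal to untrust-L3.
RULES_Q19 = [
    Rule("rule 1", "internal", "untrust-L3", ("10.0.0.0/8",), ("203.0.113.1/32",), "deny"),
    Rule("rule 2", "internal", "untrust-L3", ("any",), ("any",), "allow"),
]

# Constructed rules for question 27: a host-specific deny and the existing allow-all.
BLOCK_HOST = Rule("block-192.168.1.100", "internal", "external",
                  ("192.168.1.100/32",), ("any",), "deny")
ALLOW_ALL = Rule("allow-outbound", "internal", "external",
                 ("any",), ("any",), "allow")


if __name__ == "__main__":
    # Question 19: 10.1.1.100 is inside 10.0.0.0/8, so rule 1 fires and rule 2 is never reached.
    print(evaluate(RULES_Q19, "internal", "untrust-L3", "10.1.1.100", "203.0.113.1"))
    # Question 27: the deny must sit ABOVE the allow-all to have any effect.
    print(evaluate([BLOCK_HOST, ALLOW_ALL], "internal", "external", "192.168.1.100", "8.8.8.8"))
    print(evaluate([ALLOW_ALL, BLOCK_HOST], "internal", "external", "192.168.1.100", "8.8.8.8"))
```

Running the third call shows the ordering mistake the question warns about: with the deny rule placed below the allow-all, the host's traffic matches the allow rule first and the deny rule is shadowed, so it never blocks anything.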

28
Multi-Selecteasy

Which TWO of the following are valid methods to collect logs from a Palo Alto Networks firewall for reporting and forensics?

Select 2 answers
A.Export to Microsoft Azure Sentinel directly without any intermediate.
B.Local storage on the firewall's management disk (MP) and export via the web interface.
C.SNMPv3 traps for all log types.
D.Email alerts for all threat logs.
E.Syslog to an external log collector.
AnswersB, E

Logs are stored locally and can be exported.

Why this answer

Option B is correct because the firewall's management plane (MP) includes a local log storage partition that can hold logs (e.g., traffic, threat, system) and allows export via the web interface (Monitor > Logs > Export). This provides a built-in method for log collection without requiring external infrastructure. Option E is correct because syslog (UDP/TCP, RFC 3164 or RFC 5424) is a standard protocol supported by Palo Alto firewalls to forward all log types to an external collector for centralized reporting and forensics.

Exam trap

The trap here is that candidates confuse 'log collection' with 'alerting mechanisms' (SNMP traps and email alerts), assuming they can replace full log export, but Palo Alto firewalls require dedicated log forwarding methods (syslog, Panorama, or local export) for complete reporting and forensics.

29
MCQmedium

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. Traffic fails over correctly, but after a failover, existing sessions from external users to internal servers are broken. The security team wants to prevent this disruption. Which feature must be enabled?

A.Link Monitoring
B.Virtual Router Redundancy
C.Session State Synchronization
D.Path Monitoring
AnswerC

Session sync ensures the passive firewall has a copy of active sessions so they survive failover.

Why this answer

Session State Synchronization (option C) is required because it ensures that session table entries—including TCP state, sequence numbers, and application-layer metadata—are replicated from the active firewall to the passive firewall in real time. Without this, after a failover, the newly active firewall has no knowledge of existing sessions, causing it to drop packets and forcing clients to re-establish connections. This feature is specifically designed to maintain stateful session continuity during HA failovers.

Exam trap

The trap here is that candidates confuse high-availability failover mechanisms (like link monitoring or path monitoring) with stateful session replication, assuming that any HA feature will preserve sessions, but only Session State Synchronization specifically copies the session table to the standby device.

How to eliminate wrong answers

Option A is wrong because Link Monitoring only checks the physical link status of interfaces and triggers a failover if a link goes down; it does not replicate session state. Option B is wrong because Virtual Router Redundancy (e.g., VRRP) provides gateway redundancy at Layer 3 but does not synchronize firewall session state; it is unrelated to stateful session preservation. Option D is wrong because Path Monitoring monitors the reachability of specific destination IP addresses (e.g., next-hop gateways) to trigger failover, but it does not synchronize session tables between HA peers.

30
MCQhard

A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?

A.Packet filtering rules
B.Session limit rules
C.QoS profiles
D.Resource profiles
AnswerD

Resource profiles allocate CPU, session, and memory resources per vsys.

Why this answer

Option D is correct because resource profiles allow you to allocate CPU, session, and memory limits per vsys.

How to eliminate wrong answers

Option A (packet filtering rules) is wrong because packet filtering is not a resource allocation feature. Option B (session limit rules) is wrong because a session limit only restricts session count, not CPU. Option C (QoS profiles) is wrong because QoS manages bandwidth, not CPU.

31
MCQmedium

An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?

A.The traffic is being decrypted by an SSL Forward Proxy rule.
B.The traffic is taking an asymmetric path and the firewall sees only one direction.
C.The traffic is matched by a rule with action 'deny' and logging is disabled.
D.The interzone default rule is set to deny.
AnswerB

Asymmetric routing prevents session setup, causing silent drops.

Why this answer

When traffic is silently dropped and the session does not appear in the session table, it indicates that the firewall never saw the complete three-way TCP handshake or the first packet of the flow. Asymmetric routing causes the firewall to see only one direction of traffic (e.g., only the SYN from zone A to zone B but not the SYN-ACK return), so the firewall cannot create a session entry because it requires both directions to validate the state. This results in a silent drop without any session table entry or log entry.

Exam trap

Palo Alto Networks often tests the misconception that a deny rule or default rule would cause the session to be absent from the session table, but in Palo Alto firewalls, even denied sessions appear in the session table (with a deny action) — the absence of any session entry points specifically to asymmetric routing or a packet that never reached the firewall.

How to eliminate wrong answers

Option A is wrong because SSL Forward Proxy decryption occurs after a session is established and appears in the session table; it does not cause sessions to be absent from the table. Option C is wrong because a deny rule with logging disabled would still create a session entry (with a deny action) in the session table, and the traffic would be logged if logging at session end is enabled; the absence of a session table entry indicates the firewall never processed the session at all. Option D is wrong because the interzone default rule being set to deny would still create a session entry (with a deny action) in the session table, and the traffic would be logged if logging is enabled; the session table would show the denied session, not be empty.

32
MCQhard

Two Palo Alto Networks firewalls are configured in an active/passive HA pair. During a scheduled maintenance, the network team reboots both firewalls simultaneously. After reboot, both firewalls appear as 'active' in the HA state. What is the most likely cause and the correct troubleshooting step?

A.Both firewalls have the same priority; the tie is broken by serial number, but due to simultaneous reboot, both came up as active. The solution is to reboot one firewall.
B.The HA configuration is set to active/active mode instead of active/passive.
C.The heartbeat link between the firewalls is missing or fails, causing each to believe the other is down. The correct step is to restore the heartbeat link and then set the appropriate firewall as passive.
D.The heartbeat interfaces are not configured on each firewall.
AnswerC

Split-brain is usually due to lost heartbeat; restoring it and setting one as passive resolves.

Why this answer

In an active/passive HA pair, each firewall monitors the peer's health via the heartbeat link. If the heartbeat link fails, each firewall assumes the peer is down and transitions to active state to ensure traffic continuity. Simultaneous reboot does not cause both to become active unless the heartbeat link is absent or broken; restoring the heartbeat link and forcing one firewall to passive resolves the split-brain scenario.

Exam trap

The trap here is that candidates assume simultaneous reboot causes a priority tie, but the real issue is the missing heartbeat link, which prevents the firewalls from detecting each other's state after reboot.

How to eliminate wrong answers

Option A is wrong because priority and serial number tie-breaking only apply when both firewalls attempt to become active at the same time with a functional heartbeat; simultaneous reboot does not override the need for heartbeat communication. Option B is wrong because active/active mode would require explicit configuration and would not cause both to appear active after reboot if the heartbeat link were functional; the symptom described matches a heartbeat failure, not a mode misconfiguration. Option D is wrong because the heartbeat interfaces must be configured for HA to function; if they were not configured, the firewalls would not form an HA pair at all, but the question states they are in an HA pair, implying heartbeat interfaces are configured.

33
MCQmedium

A company implements SSL Forward Proxy decryption. Users complain that accessing certain websites, such as video streaming and software updates, is slow. Which action should the administrator take to improve performance?

A.Increase the SSL session cache to 1024.
B.Upgrade the firewall to a higher model.
C.Exclude known high-traffic sites from decryption.
D.Enable SSL session re-use.
AnswerC

Best practice is to exclude categories like streaming and updates from decryption to reduce load.

Why this answer

Option C is correct because excluding known high-traffic sites (e.g., video streaming and software update servers) from SSL Forward Proxy decryption reduces the processing overhead on the firewall. Decrypting and re-encrypting high-volume traffic consumes significant CPU and memory resources, causing latency. By bypassing decryption for these sites, the firewall can forward traffic directly, improving performance without sacrificing security for other traffic.

Exam trap

The trap here is that candidates often focus on optimizing TLS handshake performance (session cache or reuse) rather than recognizing that the primary bottleneck is the decryption of large data payloads, which is unaffected by handshake optimizations.

How to eliminate wrong answers

Option A is wrong because increasing the SSL session cache to 1024 (the maximum supported value) only helps with session reuse for previously decrypted connections, but it does not address the fundamental bottleneck of decrypting high-traffic streams; the cache reduces handshake overhead, not bulk data processing. Option B is wrong because upgrading to a higher model firewall is a costly, long-term solution that does not solve the immediate performance issue; the problem is likely due to decryption of high-volume traffic, not insufficient hardware capacity for normal operations. Option D is wrong because enabling SSL session reuse (via session IDs or session tickets) reduces the number of full TLS handshakes but does not reduce the decryption workload for the actual data transfer; the slowdown is from decrypting large payloads, not from repeated handshakes.

34
MCQeasy

An administrator configures the management interface with IP 192.168.1.1/24 and can ping it from a host on the same subnet, but cannot access the web interface. What is the likely cause?

A.The web server is not running.
B.The host is not in the allowed IP list.
C.The firewall is in FIPS mode.
D.HTTP/HTTPS is not enabled in the interface management profile.
AnswerD

The management profile must explicitly allow HTTP/HTTPS.

Why this answer

Option D is correct because the management interface on a Palo Alto Networks firewall requires an explicit management profile that enables HTTP/HTTPS access. Even if the interface has a valid IP and is reachable via ping (ICMP), the web server will not respond to HTTP/HTTPS requests unless the corresponding services are enabled in the interface management profile. By default, the management interface may have a profile that allows only ping, not web access.

Exam trap

The trap here is that candidates assume a reachable IP (via ping) implies all management services are accessible, but Palo Alto separates ICMP from HTTP/HTTPS in the management profile, so ping success does not guarantee web access.

How to eliminate wrong answers

Option A is wrong because the web server (management web interface) is a built-in service that is always running on the firewall; the issue is not that the server is down, but that access is blocked by the management profile. Option B is wrong because the allowed IP list is a separate access control mechanism that restricts which source IPs can reach the management interface, but the question states the host can ping the interface, so the host is reachable; the problem is that HTTP/HTTPS services are not permitted in the profile, not that the host is excluded from an allow list. Option C is wrong because FIPS mode affects cryptographic algorithms and disables weaker protocols, but it does not prevent HTTP/HTTPS access entirely; if FIPS mode were enabled, HTTPS would still work with FIPS-compliant ciphers, so this would not cause a complete inability to access the web interface.

35
MCQmedium

In an active/passive high-availability pair, the firewall fails over unexpectedly. Investigation shows that the active unit lost connectivity to the upstream router but the link is still up. Which monitoring feature should be configured to prevent false failovers due to temporary router unreachability?

A.Decrease the path monitoring interval
B.HA1 backup link
C.Enable pre-emptive mode
D.Use link monitoring instead of path monitoring
AnswerD

Link monitoring only detects physical link failures, so temporary router unreachability would not trigger failover.

Why this answer

Option D is correct because link monitoring only checks the physical link state of an interface, while path monitoring sends ICMP probes to one or more destination IP addresses and declares a failure when a configured number of consecutive probes go unanswered. In this scenario the upstream router is unreachable but the link is still up, so link monitoring would not detect the loss of connectivity and would not trigger a failover. Path monitoring, however, would see the lost probes and fail over, which is exactly the unwanted behaviour described.

Therefore, using link monitoring instead of path monitoring prevents false failovers caused by temporary router unreachability.

Exam trap

The trap here is that candidates often assume path monitoring is always superior because it checks end-to-end connectivity, but they fail to recognize that it can cause unnecessary failovers during transient network issues, whereas link monitoring is more stable for scenarios where only physical link state matters.

How to eliminate wrong answers

Option A is wrong because the path-monitoring ping interval governs how often probes are sent; shortening it makes the firewall notice a transient outage sooner, which makes a false failover more likely, not less. (Raising the ping count, lengthening the interval, or requiring all destinations in a path group to fail before the group counts as down would dampen transient failures, but none of those is among the offered options.) Option B is wrong because the HA1 backup link provides redundancy for the control link between the two firewalls; it does not affect how the firewall monitors upstream connectivity. Option C is wrong because pre-emptive mode controls whether the previously active firewall automatically resumes the active role after it recovers; it does not address the root cause of the failover.
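The difference the explanation describes can be made concrete with a small simulation. The following is an added example written for this page, not PAN-OS code or a vendor tool; the knob names (ping count, failure condition) mirror the PAN-OS path-monitoring settings, but the probe history, the link-state series and the `192.0.2.1` router address are constructed:

```python
from dataclasses import dataclass


@dataclass
class PathGroup:
    # Knob names mirror PAN-OS path-monitoring settings; values are assumptions for the simulation.
    destinations: list
    ping_count: int = 10            # consecutive lost pings before a destination counts as down
    failure_condition: str = "any"  # "any": one down destination fails the group; "all": every one must


def link_monitor_fails(link_states):
    """Link monitoring looks only at physical link state: fail over iff a monitored link is down."""
    return any(state == "down" for state in link_states)


def destination_down(probes, ping_count):
    """True if the probe history contains ping_count consecutive lost pings (False = no reply)."""
    lost = 0
    for reachable in probes:
        lost = 0 if reachable else lost + 1
        if lost >= ping_count:
            return True
    return False


def path_monitor_fails(group, probes_by_dest):
    """Path monitoring pings every destination in the group and applies the failure condition."""
    down = [destination_down(probes_by_dest[d], group.ping_count) for d in group.destinations]
    return all(down) if group.failure_condition == "all" else any(down)


# Constructed scenario from the question: the link stays up throughout, the upstream router
# stops answering for 12 probes (a transient blip), then recovers.
ROUTER = "192.0.2.1"          # constructed address
LINK_STATES = ["up"] * 40
PROBES = {ROUTER: [True] * 10 + [False] * 12 + [True] * 18}


def scenario_results():
    """Compare what each monitoring mode would do with the same probe/link history."""
    default_group = PathGroup([ROUTER])                  # ping_count=10, failure_condition="any"
    tolerant_group = PathGroup([ROUTER], ping_count=20)  # needs a longer outage before failing
    return {
        "link_monitoring": link_monitor_fails(LINK_STATES),
        "path_monitoring_default": path_monitor_fails(default_group, PROBES),
        "path_monitoring_tolerant": path_monitor_fails(tolerant_group, PROBES),
    }


if __name__ == "__main__":
    for mode, failed_over in scenario_results().items():
        print(f"{mode:26} failover={failed_over}")
```

With the default count, a 12-probe blip fails over; raising the count, or requiring every destination in a group to fail, makes the same blip harmless, which is the adjustment the explanation of option A alludes to. Link monitoring never fires because the port stays up the whole time.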

36
Multi-Selecthard

Which THREE factors are considered when a Palo Alto Networks firewall performs application identification (App-ID) on a session? (Choose three.)

Select 3 answers
A.Application signatures and decrypted content
B.Protocol (TCP/UDP)
C.Source and destination port numbers
D.Destination IP address of the packet
E.Source IP address of the packet
AnswersA, B, C

Signatures and content inspection are key to accurate identification.

Why this answer

App-ID uses multiple factors to identify applications, including application signatures that match traffic patterns and decrypted content when SSL decryption is enabled. Protocol (TCP/UDP) is considered because many applications are tied to specific transport protocols. Source and destination port numbers are also considered, though they are not definitive; they help narrow down the application candidate set.

Exam trap

The trap here is that candidates often assume IP addresses are used in application identification. App-ID classifies traffic from the transport protocol, the ports and the payload (signatures, protocol decoders and, where traffic is decrypted, the decrypted content); source and destination addresses are security-policy match criteria, not identification inputs.

37
MCQeasy

An organization uses GlobalProtect to provide VPN access to remote users. After connecting, users can access internal resources, but the firewall's User-ID does not show the usernames in the logs or policy matches. The GlobalProtect gateway is configured to use the authentication server for user mapping. The authentication server (LDAP) is reachable from the firewall. The firewall's User-ID settings have the 'GlobalProtect' mapping method enabled. What is the most likely reason that users are not being identified?

A.The firewall's security policies are not configured to use User-ID.
B.The GlobalProtect portal is not distributing the correct gateway list.
C.The authentication server profile is not configured with the correct bind password.
D.The GlobalProtect gateway is not configured to collect User-ID information.
AnswerD

The gateway must be enabled to collect and send user mappings to the firewall.

Why this answer

Option D is correct because the GlobalProtect gateway must have the 'Collect User-ID Information' option enabled to send user mapping data to the firewall. Without this setting, the gateway does not forward the authenticated username to the firewall's User-ID agent, so even though the authentication server is reachable and the GlobalProtect mapping method is enabled, the firewall never receives the user-to-IP mapping. This is a common misconfiguration where the gateway authenticates users but fails to propagate the identity information.

Exam trap

The trap here is that candidates assume enabling the GlobalProtect mapping method on the firewall's User-ID settings is sufficient, but they overlook the separate requirement on the gateway to actually collect and forward the user identity information.

How to eliminate wrong answers

Option A is wrong because there is no per-rule switch to 'use User-ID'; once user-to-IP mappings exist, any rule with a user or group in its source matches against them automatically. (User Identification does have to be enabled on the source zone, but that is a zone setting, not a policy setting, and the question points at the gateway.) Option B is wrong because the portal's gateway list only determines which gateways clients connect to, not whether a gateway forwards User-ID information. Option C is wrong because the bind password only affects LDAP connectivity; the question states the LDAP server is reachable and users are authenticating and reaching internal resources, so the missing piece is the gateway not collecting User-ID data.

38
MCQeasy

Which Panorama deployment mode allows centralized management of firewalls while storing logs locally on each firewall instead of sending them to the Panorama log collector?

A.Panorama with Dedicated Log Collectors
B.Panorama with Log Collectors
C.Panorama without Log Collectors
D.Panorama in High Availability mode
AnswerC

Firewalls store logs locally; Panorama only manages configurations.

Why this answer

Panorama without Log Collectors (the Panorama administrator's guide calls this deployment Management Only mode) is correct because it provides centralized configuration and policy management while each firewall keeps its logs on its own local storage. Panorama handles only configuration and policy, and no logs are forwarded to it. This suits environments where log retention must stay on the firewall because of compliance or bandwidth constraints, with the caveat that firewall log storage is finite and rolls over, so a syslog or other external destination is usually still needed for long-term retention.

Exam trap

The trap here is that candidates often assume Panorama always requires log forwarding for centralized management, confusing the management plane (configuration/policy) with the data plane (logging), and thus overlook the 'without Log Collectors' mode as a valid deployment option.

How to eliminate wrong answers

Option A is wrong because Panorama with Dedicated Log Collectors requires logs to be sent from firewalls to dedicated collector hardware, not stored locally. Option B is wrong because Panorama with Log Collectors (using the built-in collector on the Panorama appliance) also forwards logs from firewalls to Panorama, not local storage. Option D is wrong because Panorama in High Availability mode is a redundancy configuration that can be used with or without log collectors, and does not inherently change where logs are stored; logs are still sent to Panorama if collectors are configured.

39
Multi-Selectmedium

Which TWO are valid dataplane components in a Palo Alto Networks firewall? (Choose two.)

Select 2 answers
A.Management Plane
B.Session Table
C.Threat Prevention Engine
D.Log Database
E.Packet Buffer
AnswersB, E

The session table is maintained by the dataplane for stateful inspection.

Why this answer

The Session Table is a core dataplane component because it stores state for every active flow; the dataplane uses it for fast-path forwarding, applying security policy and NAT to subsequent packets without re-evaluating the rulebase. The Packet Buffer is likewise a dataplane resource: packets are held there while they are processed, which is why buffer exhaustion under a flood is a dataplane problem and why the Packet Buffer Protection feature exists to guard it. Without the session table, the firewall could not perform stateful inspection at all.

Exam trap

The trap here is that candidates often confuse the Management Plane with the dataplane, or mistakenly think that features like Threat Prevention are separate hardware components rather than software functions running on the dataplane.

40
MCQeasy

A company has configured a security policy that allows HTTP traffic from the internal network 10.0.0.0/8 to the internet. However, users from subnet 10.2.0.0/24 are unable to access external websites. The firewall logs show that traffic from 10.2.0.100 to 203.0.113.1 on port 80 is being denied. Which action should the administrator take to resolve the issue?

A.Modify the existing allow rule to include the entire 10.2.0.0/24 subnet in the source.
B.Change the destination zone of the allow rule to 'any'.
C.Add a new security rule allowing traffic from 10.2.0.0/24 and place it above the existing deny rule.
D.Delete the deny rule that is blocking the traffic.
AnswerC

A rule placed higher in the order matches first. Adding an allow rule above the deny rule will permit the traffic.

Why this answer

Option C is correct because Palo Alto Networks security rules are evaluated top to bottom and the first rule whose criteria all match is applied; no later rule is consulted. If a deny rule that covers 10.2.0.0/24 sits above the allow rule for 10.0.0.0/8, traffic from that subnet hits the deny first. Adding an allow rule for 10.2.0.0/24 above the deny rule ensures that HTTP traffic from that subnet matches the allow before it can reach the deny.

Exam trap

The trap here is that candidates assume modifying the existing allow rule or deleting the deny rule will fix the issue, but they overlook the fundamental principle of rule order in a first-match firewall, where a higher-priority deny rule will block traffic even if a lower-priority allow rule exists.

How to eliminate wrong answers

Option A is wrong because the existing allow rule already covers 10.0.0.0/8, which includes 10.2.0.0/24; the traffic never reaches that rule because the deny matches first, so widening the source changes nothing. Option B is wrong because the problem is not zone-based; changing the destination zone to 'any' would only loosen the rule without altering the order in which the deny is hit. Option D is wrong because deleting the deny rule may remove a control that is needed for other traffic; the precise fix is a more specific allow placed above it so that only the intended subnet is exempted. In practice, confirm which rule a flow is hitting before editing anything, using the rule column in the traffic log or the CLI `test security-policy-match` command (Test Policy Match in the web interface).

41
MCQmedium

A security administrator configures a new network template in Panorama and assigns it to a template stack. The template stack is associated with a device group containing several firewalls. After committing the Panorama configuration and pushing to devices, some firewalls in the device group do not have the new template settings. What is the most likely cause?

A.The firewalls that are not receiving the template are not included in the same template stack.
B.The device group has not been committed.
C.The firewalls are not licensed for Panorama management.
D.The template is in 'preview' mode.
AnswerA

Correct. A template stack groups firewalls that share the same template configurations.

Why this answer

In Panorama, templates are assigned to template stacks, and template stacks are then assigned to specific firewalls. If a firewall does not belong to the template stack that contains the new template, it will not receive those settings, regardless of its membership in the device group. Device groups manage policy objects and rules, not network configuration templates.

Exam trap

The trap here is that candidates often confuse device groups (which manage policy) with template stacks (which manage network configuration), assuming that membership in a device group automatically applies all associated templates.

How to eliminate wrong answers

Option B is wrong because template and device-group pushes are separate; a missing device-group push would leave policy out of date, not network settings. Option C is wrong because the firewall itself needs no license to be managed; the device-management capacity license lives on Panorama, and a firewall that exceeded it would not be added to Panorama at all rather than silently missing one template. Option D is wrong because templates have no 'preview' state; the only preview in Panorama is the Preview Changes view on a commit, which shows a diff and does not hold configuration back.

42
MCQmedium

Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?

A.The traffic is decrypted because the first rule matches.
B.The traffic is dropped because no rule matches.
C.The traffic is decrypted only if the SSL certificate is installed.
D.The traffic is not decrypted because the second rule matches and overrides the first.
AnswerD

The no-decrypt rule for category finance matches, so decryption is bypassed.

Why this answer

The correct answer is D because the decision is made by the decryption policy, not the security policy, and decryption rules are evaluated top to bottom with the first matching rule applied. The second rule explicitly matches HTTPS traffic to the finance URL category with the action No Decrypt, and it is the first rule whose criteria fit this session, so the session is forwarded still encrypted. 'Overrides' in the option describes the outcome, not the mechanism: a later rule never overrides an earlier rule that has already matched, so the finance exception works only because the first rule's criteria do not cover this session.

Exam trap

The trap here is assuming the firewall picks the most specific or most restrictive decryption rule. It does not; first match wins, which is exactly why Palo Alto Networks best practice places No Decrypt exception rules (finance, health and similar categories) above the general Decrypt rule.

How to eliminate wrong answers

Option A is wrong because, for the answer key's outcome to hold, the first rule's criteria must not cover this session; if a general Decrypt rule for all categories sat above the finance exception, the session would be decrypted, which is the ordering mistake the exam is testing. Option B is wrong because a rule does match (the finance No Decrypt rule), and a session that matches no decryption rule is not dropped anyway; it simply passes without decryption and is then subject to security policy. Option C is wrong because certificate installation is irrelevant here; the No Decrypt rule prevents decryption regardless of which forward-trust certificate is present.

43
MCQhard

A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?

A.The application's timeout value is too short.
B.The application is defined with the wrong protocol (TCP vs UDP).
C.Content-ID is disabled on the security policy.
D.The application requires URL categorization to be enabled.
AnswerB

If the custom application uses TCP but is defined as UDP, App-ID will not match.

Why this answer

Custom applications require both a default port and a transport protocol (TCP or UDP). If the protocol is defined incorrectly (the application really uses TCP but the custom object says UDP, or vice versa), App-ID will never match the traffic, no matter how the port is set. Two practical caveats: a custom application that has no signature is only ever matched through an Application Override rule, so check that the override rule exists and is being hit; and because this application opens further connections on other ports, those ports need to be covered as well (additional ports on the override rule, or a signature-based custom application), otherwise only the control connection on 8080 will be classified.

How to eliminate wrong answers

Option A (timeout) affects how long an idle session lives, not whether it is identified. Option C (Content-ID disabled) would affect threat and URL inspection, not basic application identification. Option D (URL categorisation) only applies to HTTP-based applications and is not required for a custom application to be identified. The protocol definition is the most likely cause.

44
MCQhard

A company runs a mixed environment of physical and virtual Palo Alto Networks firewalls (PA-5250, VM-300) managed by a single Panorama. The company recently deployed a new application that uses the QUIC protocol (UDP 443) for performance. After the deployment, the security team notices that the firewall is not accurately identifying the QUIC traffic, and some QUIC sessions are being dropped unexpectedly. The firewall logs show 'application: incomplete' for these sessions. The security team wants to ensure QUIC traffic is properly identified and allowed. The team has configured a security policy rule to allow 'ssl' application (thinking QUIC is similar to SSL) but the problem persists. The firewall is running PAN-OS 10.1. Which of the following is the best course of action?

A.Add a security policy rule to allow the 'quic' application.
B.Upgrade Panorama to the latest version to add QUIC support.
C.Enable SSL decryption on the policy to inspect QUIC traffic.
D.Disable App-ID for the QUIC traffic and use a port-based rule.
AnswerA

Allowing the quic application directly ensures proper identification and handling.

Why this answer

The correct action is to add a security policy rule allowing the 'quic' application, because QUIC is a distinct protocol (UDP 443) with its own App-ID in PAN-OS 10.1. A session logged as 'incomplete' is one the firewall created but never saw enough of to classify, and a UDP flow that matches no allow rule is then dropped by the implicit interzone-default rule. Allowing 'ssl' does not help because 'ssl' identifies TLS over TCP, while QUIC runs over UDP and carries its own handshake; App-ID treats the two as separate applications.

Exam trap

The trap here is that candidates assume QUIC is a variant of SSL/TLS and can be allowed by the 'ssl' application, but they overlook that QUIC runs over UDP and has its own distinct App-ID, requiring a separate security rule.

How to eliminate wrong answers

Option B is wrong because upgrading Panorama does not add QUIC support to the firewalls; the App-ID for QUIC is already present in PAN-OS 10.1, and Panorama is a management tool, not the enforcement point. Option C is wrong because PAN-OS does not decrypt QUIC; its transport-layer encryption is integral to the protocol and the firewall has no equivalent of the TLS forward proxy for it. This is worth knowing for the opposite reason too: many deployments deliberately block 'quic' so that browsers fall back to TLS over TCP, which the firewall can decrypt and inspect. That trade-off is the reverse of what this question asks for, but it is the more common real-world configuration. Option D is wrong because disabling App-ID and using a port-based rule would bypass application identification entirely, letting any UDP 443 traffic through.

45
MCQeasy

Which component of the PAN-OS architecture is responsible for processing security policies and performing packet inspection?

A.Panorama plane
B.Management plane
C.Data plane
D.Control plane
AnswerC

Data plane processes all packets and enforces security policies.

Why this answer

The data plane is correct because it is the component that handles packet forwarding, security policy enforcement and deep packet inspection (App-ID, Content-ID and SSL decryption). On hardware platforms it runs on dedicated processors; on VM-Series it runs on cores reserved for it. Either way it is separated from the management plane so that heavy security processing does not starve management access, logging or routing.

Exam trap

The trap is the term 'control plane'. Palo Alto Networks documentation describes a management plane and a data plane; what this question calls the control plane is the management plane's role in routing protocols, configuration and HA state. The session table itself lives on the data plane, where sessions are created and matched, so 'session setup' is not a control-plane function.

How to eliminate wrong answers

Option A is wrong because Panorama is a centralized management platform for multiple firewalls, not a plane within a single PAN-OS firewall; it does not inspect packets or enforce policy directly. Option B is wrong because the management plane handles administrative tasks (CLI, web interface, commits, log management) and does not process live traffic. Option D is wrong because the control plane, as the question uses the term, runs routing protocols (OSPF, BGP) and HA synchronisation; it does not inspect payloads or enforce security rules.

46
Multi-Selecteasy

Which THREE of the following are core components of the GlobalProtect solution? (Choose exactly three.)

Select 3 answers
A.GlobalProtect License Server
B.GlobalProtect Gateway
C.GlobalProtect Client
D.GlobalProtect Mobile App
E.GlobalProtect Portal
AnswersB, C, E

Gateways terminate client connections and enforce policies.

Why this answer

The GlobalProtect solution is built on three core components: the Portal, the Gateway and the Client (the endpoint software, now branded the GlobalProtect app). The Portal is the first point of contact: it authenticates the user and hands out the client configuration and the list of gateways; the Gateway terminates the tunnel, applies security policy and provides access to internal resources; the Client establishes the tunnel from the endpoint. All three are needed for a working deployment.

Exam trap

The trap here is that candidates often mistake the GlobalProtect Mobile App as a core component, but it is simply a variant of the GlobalProtect Client and not one of the three fundamental architectural elements.

47
MCQmedium

A security administrator is troubleshooting a traffic drop between two internal zones. The firewall shows that the session is being terminated with a 'tcp-fin' reason. The administrator verifies that the application is set to 'web-browsing' and the service is 'application-default'. What is the most likely cause of the session termination?

A.The security policy has a deny action for the traffic.
B.The application override is incorrectly configured for the traffic.
C.The traffic is being asymmetrically routed.
D.The zone protection profile is dropping the session.
AnswerB

An application override rule sends traffic down a path the other side does not expect; the endpoints then close the connection themselves, which the log records as 'tcp-fin'.

Why this answer

The first thing to read correctly is the end reason. 'tcp-fin' means the session was closed by a FIN from one of the endpoints; the firewall does not send FINs to end sessions, and when it enforces a verdict the log shows a reason such as 'policy-deny' or 'threat'. So a 'tcp-fin' session was allowed by the firewall and then closed by the client or the server. That is consistent with a misconfigured application override: the override forces matching traffic to the application it names, bypassing App-ID and Content-ID for that rule, so a payload that is not what the peer expects (the override assumes HTTP while the endpoint is speaking something else, or the override steers the traffic into a rule with the wrong service) leads the endpoint to give up and close the connection cleanly. The security rule's 'web-browsing' with 'application-default' is the expected configuration, so the mismatch is between what the override claims the traffic is and what actually flows, which is why the override is the first thing to check.

Exam trap

The trap is the session end reason. Candidates are tempted to read 'tcp-fin' as the firewall terminating the session and reach for a deny rule or zone protection, when a FIN-ended session is one the firewall permitted and an endpoint closed. Firewall-enforced terminations show as 'policy-deny', 'threat', 'decrypt-error' and similar; endpoint terminations show as 'tcp-fin', 'tcp-rst-from-client' or 'tcp-rst-from-server'; idle sessions show as 'aged-out'.

How to eliminate wrong answers

Option A is wrong because a deny action produces a session end reason of 'policy-deny' (with a reset or a silent drop depending on the action), not 'tcp-fin'. Option C is wrong because asymmetric routing usually shows as sessions that age out, or as out-of-state packets dropped by the TCP state checks, not as a clean FIN close. Option D is wrong because zone protection profiles act on packets before a session exists (flood and reconnaissance protection); their drops appear in the threat log, not as a session ended with 'tcp-fin'.
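Reading the session end reason correctly is the whole question, so here is an added example (not PAN-OS code or output) that attributes each session's termination to the firewall, an endpoint or a timeout, flags records whose action and end reason contradict each other, and pulls out the allowed-but-closed-empty sessions that an override mismatch would produce. The records are constructed in a key=value layout whose field names mirror the traffic-log columns used above; real PAN-OS logs are CSV or syslog and would need a different parser.

```python
import re
from collections import Counter

# Constructed sample records (not real PAN-OS syslog output); field names mirror the
# traffic-log columns the explanation refers to.
SAMPLE_LOG = """\
src=10.1.1.20 dst=10.2.2.5 dport=8080 app=web-browsing rule=internal-web action=allow session_end_reason=tcp-fin bytes_received=0
src=10.1.1.21 dst=10.2.2.5 dport=443 app=ssl rule=internal-web action=allow session_end_reason=tcp-rst-from-server bytes_received=120
src=10.1.1.22 dst=10.2.2.9 dport=22 app=ssh rule=deny-ssh action=deny session_end_reason=policy-deny bytes_received=0
src=10.1.1.23 dst=10.2.2.5 dport=8080 app=web-browsing rule=internal-web action=allow session_end_reason=aged-out bytes_received=0
src=10.1.1.24 dst=10.2.2.7 dport=80 app=web-browsing rule=internal-web action=allow session_end_reason=threat bytes_received=3400
src=10.1.1.25 dst=10.2.2.9 dport=22 app=ssh rule=deny-ssh action=deny session_end_reason=tcp-fin bytes_received=0
"""

# Who ended the session, keyed by PAN-OS session end reason values.
FIREWALL_ENFORCED = {"policy-deny", "threat", "decrypt-error",
                     "decrypt-cert-validation", "decrypt-unsupport-param", "decoder"}
ENDPOINT_CLOSED = {"tcp-fin", "tcp-rst-from-client", "tcp-rst-from-server"}
TIMED_OUT = {"aged-out"}


def parse_record(line):
    """key=value tokens to a dict; values never contain spaces in this constructed format."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def who_closed(reason):
    if reason in FIREWALL_ENFORCED:
        return "firewall"
    if reason in ENDPOINT_CLOSED:
        return "endpoint"
    if reason in TIMED_OUT:
        return "timeout"
    return "unknown"


def triage(log_text):
    """One dict per record with the terminator attributed, plus a consistency flag: a denied
    session is ended by the firewall, so action=deny with an endpoint reason deserves a look."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        rec["closed_by"] = who_closed(rec.get("session_end_reason", "n/a"))
        rec["inconsistent"] = rec.get("action") == "deny" and rec["closed_by"] == "endpoint"
        rows.append(rec)
    return rows


def summary_by_rule(rows):
    """Counter of (rule, closed_by) pairs, the quickest way to see which rule's sessions die how."""
    return Counter((r["rule"], r["closed_by"]) for r in rows)


def suspect_sessions(rows):
    """Allowed by the firewall, closed by an endpoint, and the server sent nothing back:
    the pattern an application override that mislabels the traffic would leave behind."""
    return [r["src"] for r in rows
            if r["action"] == "allow" and r["closed_by"] == "endpoint"
            and int(r.get("bytes_received", "0")) == 0]


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for (rule, closer), n in sorted(summary_by_rule(rows).items()):
        print(f"{rule:14} {closer:9} {n}")
    print("suspect sources:", suspect_sessions(rows))
```

The attribution step is the part worth keeping: before touching policy, sort sessions by who ended them, and only the firewall-enforced bucket is a policy or threat question at all.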

48
MCQhard

An organization uses GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show that the traffic from the GlobalProtect IP pool to internal servers is allowed. What is the most likely cause?

A.The GlobalProtect gateway is not configured with a route to internal network.
B.The internal server's default gateway does not point to the firewall.
C.The client's VPN adapter is not set to use the default gateway on the remote network.
D.The security policy for internal traffic is misconfigured.
AnswerB

Internal servers must route return traffic back through the firewall for stateful inspection.

Why this answer

The most likely cause is that the internal server's default gateway does not point to the firewall. GlobalProtect clients receive an address from the VPN IP pool, and the internal servers must send replies to that pool back through the firewall: the firewall is both the tunnel endpoint and the stateful device that created the session. If the server's default gateway is a core switch that has no route for the pool, the replies are sent elsewhere and never enter the tunnel; if they reach the firewall by another path, they are dropped as out-of-state. Either way the client sees a timeout while the firewall log shows the outbound request as allowed, because the outbound direction was never the problem. When the server's default gateway cannot be changed, a static route for the GlobalProtect IP pool on the core switch pointing at the firewall is the usual fix.

Exam trap

The trap here is that candidates see the firewall logs showing allowed traffic and assume the security policy is correct, overlooking the critical requirement for symmetric routing in stateful firewalls.

How to eliminate wrong answers

Option A is wrong because the gateway is an interface on the firewall and forwards through the firewall's virtual router, which already knows the internal network; the gateway has no routing table of its own. Option C is wrong because GlobalProtect installs the routes for the tunnel itself according to the split-tunnel settings on the gateway; the Windows adapter's 'use default gateway on remote network' checkbox is not part of the GlobalProtect configuration and has no bearing on whether the servers can reply. Option D is wrong because the logs show the traffic from the GlobalProtect pool to the internal servers as allowed, so the security policy is doing its part.

49
MCQeasy

An administrator needs to allow FTP traffic from the internal network to an external server. The firewall is configured with a security policy that has the application 'ftp' and service 'service-http'. What is the most likely cause of the traffic being denied?

A.The source address is wrong.
B.The application is incorrectly set to ftp.
C.The rule is not enabled.
D.The service object in the rule is set to service-http, which does not match FTP traffic.
AnswerD

FTP uses TCP ports 20 and 21, not HTTP port 80. The service must match the traffic.

Why this answer

The correct answer is D because the rule's service object is 'service-http' (TCP port 80), while FTP uses TCP port 21 for the control channel. A security rule matches only when every field matches, and the service field restricts the destination port, so an FTP session on port 21 never satisfies this rule even though App-ID would identify it as 'ftp'. The session falls through to whatever follows, typically the implicit interzone deny. The normal configuration is service 'application-default', which lets 'ftp' match on its standard port; the FTP decoder then handles the separate data connection by predicting it from the control channel, so no extra rule for port 20 or the passive-mode ports is needed.

Exam trap

The trap here is that candidates may think the application field alone is sufficient to allow traffic, but the service object must also match the destination port; Palo Alto Networks often tests this by pairing a correct application with an incorrect service to see if you understand the dual-layer check.

How to eliminate wrong answers

Option A is wrong because the source address being incorrect would cause traffic to not match the policy at all, but the question states the policy is configured with the application 'ftp' and service 'service-http', implying the source address is not the primary issue. Option B is wrong because the application 'ftp' is correctly set to allow FTP traffic; the problem is not the application but the service mismatch. Option C is wrong because the rule not being enabled would prevent any traffic matching, but the question asks for the most likely cause given the specific configuration details; the service mismatch is a more precise and common issue than a disabled rule.

50
Multi-Selectmedium

Which TWO of the following are true regarding Panorama's templates and device groups?

Select 2 answers
A.Device groups can only contain firewalls of the same model.
B.Templates are used to push network configurations such as interfaces, virtual routers, and zones.
C.Templates override device group settings when both are applied.
D.Panorama cannot manage firewalls in different geographic locations.
E.Shared policies are defined in the 'Shared' device group and are inherited by all other device groups.
AnswersB, E

Templates are for network settings.

Why this answer

Option B is correct because templates in Panorama manage network and device level configuration: interfaces, virtual routers, zones and the other settings that describe how an individual firewall is wired into the network. Option E is correct because Shared sits at the top of the device-group hierarchy; objects and pre/post rules defined there are inherited by every device group, and a more specific device group adds its own rules around them. This split lets administrators apply consistent network settings through templates while using device groups for policy.

Exam trap

The trap here is confusing the roles of templates and device groups, leading candidates to think templates override device group settings or that device groups are model-specific, when in fact they are independent configuration layers with different purposes.

51
Multi-Selectmedium

Which TWO of the following are mandatory requirements for forming an active/passive HA pair between two Palo Alto Networks firewalls? (Choose exactly two.)

Select 2 answers
A.Both firewalls must be the same hardware model.
B.Both firewalls must have the same number of active VLANs.
C.Both firewalls must run the same PAN-OS version.
D.Both firewalls must use the same management interface IP address.
E.Both firewalls must have identical license subscriptions.
AnswersA, C

Different models are not compatible for HA.

Why this answer

Option A is correct because for an active/passive HA pair both firewalls must be the same model, so that CPU, memory, dataplane hardware and port layout are identical; HA synchronisation assumes matching capabilities, and a mismatched pair will not form. Option C is correct because both peers must run the same PAN-OS version; the only tolerated exception is the transient state during a controlled HA upgrade.

Exam trap

The trap here is that candidates confuse 'same hardware model' with 'same number of active VLANs' or 'identical licenses'. The question treats model and PAN-OS version as the two hard requirements. In practice the vendor's HA prerequisites also call for the same interface types, the same multi-vsys capability and matching licenses and subscriptions, so a real deployment keeps those aligned as well, but VLAN counts are never a requirement and the management IP addresses must in fact differ.

52
MCQhard

A company has a security policy rule that allows application 'ssl' from the internal zone to the external zone. Users report that they cannot access certain HTTPS websites. Logs show that the traffic is being matched by a later rule that denies application 'web-browsing'. The administrator verifies that the target websites are using standard HTTPS (port 443). The firewall's application identification has correctly identified the traffic as 'web-browsing' instead of 'ssl'. What is the most likely reason?

A.The application 'ssl' is only used for SSL control traffic, not encrypted payload.
B.The security rule is misconfigured with the source zone incorrect.
C.The firewall's SSL decryption is enabled and re-identifies the application after decryption.
D.The firewall needs to have App-ID updated to recognize the websites.
AnswerC

After decryption, the firewall inspects the HTTP traffic and reclassifies it as 'web-browsing', which is then denied by a later rule.

Why this answer

Option C is correct because with SSL decryption enabled the firewall first identifies the session as 'ssl' from the TLS handshake, matches policy, and decrypts it. Once it can read the HTTP inside, App-ID shifts the application to 'web-browsing' and the security policy is evaluated again for the shifted application. The 'allow ssl' rule no longer matches, so the session falls through to the later rule that denies 'web-browsing'. This is why the traffic log shows 'web-browsing' even though the wire traffic is TLS on port 443.

Exam trap

The trap here is that candidates assume the application identification remains static after decryption, not realizing that Palo Alto firewalls re-evaluate the application post-decryption, which can cause traffic to match a different rule than the one that matched the initial encrypted session.

How to eliminate wrong answers

Option A is wrong because 'ssl' is the App-ID for TLS-encrypted sessions, payload included; the only reason the firewall ever sees 'web-browsing' here is that it decrypted the session. Option B is wrong because the source zone is correct; users are connecting from the internal zone and the 'ssl' rule did match initially. Option D is wrong because App-ID identified the traffic correctly; the denial is a consequence of rule order combined with the application shift, not of a missing signature. The practical fix is to allow both 'ssl' and 'web-browsing' (and any other applications that appear after decryption) in the same rule, which is what Palo Alto Networks recommends for decrypted traffic; allowing only 'ssl' works until decryption is switched on and then breaks in exactly this way.
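The three rule-evaluation failures in this set (question 40, where a deny rule above the allow hits first; question 49, where a service object that does not match the application's port means the rule never matches; and this question, where decryption shifts the App-ID and a later deny catches the shifted session) all come down to one rule: first match wins, on every field. The following added example models that evaluation in Python so each scenario can be replayed. It is written for this page and is not PAN-OS code; the default-port table, the rule names, the addresses and the treatment of decryption as a second pass over the rulebase are simplifications constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed default-port table (a tiny subset of App-ID). 443 is listed for web-browsing
# because PAN-OS treats HTTP seen inside decrypted TLS as application-default on the ssl port.
APP_DEFAULT_PORTS = {"web-browsing": {80, 8080, 443}, "ssl": {443}, "ftp": {21}}
IMPLICIT_DEFAULT = ("deny", "interzone-default")  # verdict when no rule matches


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" | "deny"
    sources: tuple   # CIDR strings, or ("any",)
    apps: tuple      # App-ID names, or ("any",)
    service: tuple   # ("any",), ("application-default",) or explicit TCP ports


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    app: str         # the App-ID the firewall currently has for the session


def _source_matches(rule, session):
    if rule.sources == ("any",):
        return True
    ip = ipaddress.ip_address(session.src)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.sources)


def _service_matches(rule, session):
    if rule.service == ("any",):
        return True
    if rule.service == ("application-default",):
        return session.dport in APP_DEFAULT_PORTS.get(session.app, set())
    return session.dport in rule.service


def evaluate(rulebase, session):
    """Top-down, first match wins: the first rule whose every field matches decides."""
    for rule in rulebase:
        if (_source_matches(rule, session)
                and (rule.apps == ("any",) or session.app in rule.apps)
                and _service_matches(rule, session)):
            return (rule.action, rule.name)
    return IMPLICIT_DEFAULT


def evaluate_decrypted(rulebase, session, app_after_decrypt):
    """Policy is applied to the pre-decryption App-ID, then re-applied once the decrypted
    payload shifts the App-ID; a session that was never allowed is never decrypted."""
    before = evaluate(rulebase, session)
    if before[0] != "allow":
        return before, before
    shifted = Session(session.src, session.dst, session.dport, app_after_decrypt)
    return before, evaluate(rulebase, shifted)


INTERNAL = ("10.0.0.0/8",)


def rule_order_demo():
    """Q40: a deny above the /8 allow hits 10.2.0.0/24 first; a specific allow above it fixes it."""
    deny_subnet = Rule("block-10.2.0.0", "deny", ("10.2.0.0/24",), ("any",), ("any",))
    allow_http = Rule("allow-internet-http", "allow", INTERNAL, ("web-browsing",), ("application-default",))
    fix = Rule("allow-10.2.0.0-http", "allow", ("10.2.0.0/24",), ("web-browsing",), ("application-default",))
    s = Session("10.2.0.100", "203.0.113.1", 80, "web-browsing")
    return evaluate([deny_subnet, allow_http], s), evaluate([fix, deny_subnet, allow_http], s)


def service_mismatch_demo():
    """Q49: app ftp with service-http (tcp/80) never matches FTP control on tcp/21."""
    wrong = Rule("ftp-out", "allow", INTERNAL, ("ftp",), (80,))
    right = Rule("ftp-out", "allow", INTERNAL, ("ftp",), ("application-default",))
    s = Session("10.1.1.5", "198.51.100.10", 21, "ftp")
    return evaluate([wrong], s), evaluate([right], s)


def decryption_shift_demo():
    """Q52: ssl is allowed, decryption shifts the app to web-browsing, a later deny catches it."""
    allow_ssl = Rule("allow-ssl", "allow", INTERNAL, ("ssl",), ("application-default",))
    deny_web = Rule("deny-web", "deny", INTERNAL, ("web-browsing",), ("any",))
    allow_both = Rule("allow-ssl", "allow", INTERNAL, ("ssl", "web-browsing"), ("application-default",))
    s = Session("10.1.1.5", "198.51.100.20", 443, "ssl")
    return (evaluate_decrypted([allow_ssl, deny_web], s, "web-browsing"),
            evaluate_decrypted([allow_both, deny_web], s, "web-browsing"))


if __name__ == "__main__":
    for demo in (rule_order_demo, service_mismatch_demo, decryption_shift_demo):
        broken, fixed = demo()
        print(f"{demo.__name__:24} as configured -> {broken}   fixed -> {fixed}")
```

In each demo the first value is the verdict with the configuration as the question describes it and the second is the verdict with the fix applied. `evaluate_decrypted` models the post-decryption shift as a second full pass over the rulebase, which is the behaviour that catches people out: the rule that admitted 'ssl' is not remembered, so the shifted session has to find its own allow.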

53
Multi-Selectmedium

Which TWO of the following are minimum required configurations to enable User-ID on a Palo Alto Networks firewall? (Choose exactly two.)

Select 2 answers
A.Configure a server profile for LDAP or other authentication protocol.
B.Deploy a User-ID agent on every domain controller.
C.Enable User-ID on the firewall interface(s) where traffic is received.
D.Install a captive portal to authenticate users.
E.Configure a security policy rule that uses a user group as a source.
AnswersA, C

A server profile is necessary to retrieve user-to-IP mappings.

Why this answer

A is correct because User-ID requires a server profile (e.g., LDAP, Kerberos, or a WMI-based agent) to query the directory service for user-to-IP mappings. Without this profile, the firewall cannot resolve usernames from authentication events or directory lookups, which is the foundational step for User-ID functionality.

Exam trap

The trap here is that candidates often confuse optional enhancements (like captive portal or agent deployment on every DC) with the mandatory foundational components, leading them to select B or D instead of recognizing that only a server profile and interface enablement are strictly required.

54
MCQeasy

Refer to the exhibit. What does the serial number '0123456789' indicate?

A.The MAC address of the management interface
B.The model number of the firewall
C.The firmware version installed
D.The unique hardware identifier for licensing and support
AnswerD

The serial number is used for licensing and technical support identification.

Why this answer

The serial number '0123456789' is a unique hardware identifier assigned to each Palo Alto Networks firewall during manufacturing. It is used for licensing, support entitlement, and device identification in the Palo Alto Networks support portal, not for network-level addressing or software versioning.

Exam trap

The trap here is that candidates often confuse the serial number with the model number or MAC address, especially when the exhibit shows a generic string like '0123456789' that lacks the typical format of a Palo Alto Networks serial number (e.g., starting with 'PA' or a specific prefix).

How to eliminate wrong answers

Option A is wrong because the MAC address of the management interface is a separate, network-layer identifier used for Layer 2 communication, not the serial number. Option B is wrong because the model number (e.g., PA-5250) is a different alphanumeric string that identifies the hardware platform, not the unique serial number. Option C is wrong because the firmware version (e.g., PAN-OS 10.2.3) is a software release identifier displayed in the dashboard or CLI, not the hardware serial number.

55
Multi-Selecteasy

Which TWO components are part of the PAN-OS management plane?

Select 2 answers
A.SSL decryption engine
B.Packet buffer
C.Log collection and reporting
D.Management interface
E.App-ID engine
AnswersC, D

Log collection and reporting are handled by the management plane.

Why this answer

Log collection and reporting is a function of the management plane in PAN-OS. The management plane handles all non-traffic-forwarding tasks, including logging, configuration management, and reporting. This is distinct from the data plane, which processes actual network traffic.

Exam trap

The trap here is that candidates often confuse data plane functions (like SSL decryption, App-ID, and packet buffering) with management plane responsibilities, leading them to select options A, B, or E instead of recognizing that log collection and the management interface are purely management plane components.

56
MCQmedium

A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?

A.Create separate virtual systems (VSYS) for each tenant on the same firewall.
B.Deploy multiple VM-Series firewalls as separate instances on the same hypervisor.
C.Use active/active HA mode to assign each tenant to a different firewall.
D.Configure multiple virtual routers (VRFs) within the same virtual system.
AnswerA

VSYS provides complete logical separation of configuration, routing, and policies per tenant.

Why this answer

Virtual systems (VSYS) allow a single Palo Alto Networks firewall to be partitioned into multiple independent logical firewalls, each with its own routing table, security policies, and administrative domains. This enables tenant isolation on a single HA pair without requiring separate hardware or instances, making option A correct for the described requirement.

Exam trap

The trap here is that candidates often confuse virtual routers (VRFs) with full tenant isolation, not realizing that VRFs only separate routing tables, while VSYS provides complete separation of policies, objects, and administration required for multi-tenant environments.

How to eliminate wrong answers

Option B is wrong because deploying multiple VM-Series firewalls as separate instances on the same hypervisor would require separate management and licensing for each instance, defeating the purpose of using a single HA pair and increasing complexity. Option C is wrong because active/active HA mode does not assign tenants to different firewalls; both firewalls in an active/active pair share the same configuration and forward traffic together, so tenant isolation would still require VSYS or other segmentation. Option D is wrong because multiple virtual routers (VRFs) within the same virtual system can separate routing tables but do not isolate security policies, administrative access, or other tenant-specific configurations; VSYS is required for full tenant isolation.

57
Multi-Selectmedium

Which two are valid methods for collecting User-ID information on a Palo Alto Networks firewall? (Choose two.)

Select 2 answers
A.Syslog parsing
B.Email gateway
C.Active Directory agent
D.SNMP trap
E.Captive portal
AnswersC, E

The AD agent polls domain controllers for user logon events.

Why this answer

Option C is correct because the Active Directory agent is a dedicated software component that integrates with Microsoft Active Directory to map user logon events to IP addresses, providing real-time User-ID information to the firewall. Option E is correct because Captive Portal actively authenticates users via browser-based or agent-based authentication, associating their IP address with a username upon successful login, which is a direct method for collecting User-ID data.

Exam trap

The trap here is that candidates often mistake Syslog parsing or SNMP traps for valid User-ID sources because they are common in other security contexts, but Palo Alto Networks specifically requires authentication-based methods like AD agent, Captive Portal, or XFF headers for User-ID collection.

58
MCQmedium

A firewall has two virtual routers: VR1 (for internal networks) and VR2 (for DMZ). An internal server in VR1 needs to reach a DMZ server in VR2. Both virtual routers have routes to each other's subnets via a shared interconnect. The firewall is receiving traffic but is dropping packets between the virtual routers. What configuration is missing?

A.Redistribution of routes between the virtual routers
B.Enabling packet forwarding on the virtual router interfaces
C.A security policy allowing traffic between the zones associated with the virtual routers
D.A static route on both virtual routers pointing to each other's subnets
AnswerC

Traffic between VRs may involve different zones; without an allow policy, packets are dropped.

Why this answer

In Palo Alto Networks firewalls, virtual routers handle routing decisions independently, but traffic between zones (e.g., internal and DMZ) must be explicitly allowed by a security policy. Even if routes exist between VR1 and VR2, the firewall will drop inter-zone traffic without a policy that permits the session. This is a fundamental security enforcement mechanism that separates routing from access control.

Exam trap

The trap here is that candidates confuse routing (Layer 3) with security policy (Layer 4-7), assuming that if routes exist, traffic will flow, but Palo Alto firewalls enforce zone-based policies independently of routing.

How to eliminate wrong answers

Option A is wrong because route redistribution is not required when static or direct routes already exist between the virtual routers; redistribution is used to share routes dynamically between routing protocols, not to enable packet forwarding. Option B is wrong because packet forwarding is enabled by default on virtual router interfaces in Palo Alto firewalls; there is no separate 'enable forwarding' toggle. Option D is wrong because the question states both virtual routers already have routes to each other's subnets via a shared interconnect, so adding more static routes would be redundant and not address the packet drop.

59
MCQhard

An organization is deploying a pair of PA-5250 firewalls in active/passive high availability. The network team notices that the passive firewall is not receiving synchronization updates. Both devices have the same software version and licenses. The HA1 control link is connected and shows 'up' in 'show high-availability state'. What is the most likely reason for the synchronization failure?

A.The HA2 link is not configured or is down.
B.The HA1 link is using a crossover cable instead of a straight-through cable.
C.The link speeds on the active and passive firewalls do not match.
D.The passive firewall is not in a 'passive' state.
AnswerA

Session synchronization requires the HA2 link to be configured and operational.

Why this answer

The HA2 link is used for session synchronization in active/passive HA configurations. Even if the HA1 control link is up and passing heartbeats, without a functioning HA2 link, the passive firewall will not receive session state updates. The 'show high-availability state' command only confirms HA1 status, not HA2.

Exam trap

The trap here is that candidates assume a working HA1 control link implies full HA functionality, but the HA2 link is a separate requirement for session synchronization in active/passive mode.

How to eliminate wrong answers

Option B is wrong because the HA1 link uses a crossover cable for direct connections between firewalls (no switch), and a straight-through cable would be incorrect; this would cause the link to fail, but the question states the HA1 link is 'up'. Option C is wrong because mismatched link speeds on HA interfaces can cause errors or flapping, but the HA1 link is already up, and speed mismatch does not prevent synchronization specifically—it would affect the link state. Option D is wrong because if the passive firewall were not in a 'passive' state, the HA pair would not form, and the active firewall would not attempt to send synchronization updates; the question implies the pair is formed since HA1 is up.

60
Multi-Selectmedium

Which TWO statements correctly describe the role of the data plane in PAN-OS architecture?

Select 2 answers
A.It performs content inspection.
B.It runs routing protocols like OSPF.
C.It handles all packet forwarding and security processing.
D.It stores log files.
E.It manages the web interface and CLI.
AnswersA, C

Content inspection (e.g., threat prevention) is performed by the data plane.

Why this answer

Option A is correct because the data plane performs content inspection, including threat prevention, URL filtering, and application identification, using the single-pass software architecture to scan traffic in real time. This is a core function of the data plane, separate from the control and management planes.

Exam trap

The trap here is confusing the data plane with the control plane or management plane, as candidates often assume that routing protocols or logging are part of packet forwarding, when in PAN-OS they are strictly separated.

61
MCQeasy

A company uses Policy-Based Forwarding (PBF) to route specific traffic from internal users to a partner network through an MPLS connection. The PBF rule is configured to match source addresses 10.1.1.0/24 and forward to a next-hop of 10.2.1.1. The administrator verifies that the MPLS router is reachable from the firewall. Traffic from the 10.1.1.0/24 network does not go through the MPLS link; instead, it takes the default route out the internet connection. Logs show that the traffic hits the PBF rule. What is the most likely issue?

A.The PBF rule is missing the egress interface configuration; it only specifies the next-hop IP.
B.The PBF rule's source zone is misconfigured.
C.The firewall's routing table does not have a route to the partner network via the MPLS router.
D.The PBF rule does not include a security policy to allow the traffic.
AnswerA

PBF requires both the next-hop and the egress interface; if only the IP is set, the firewall may not know which interface to use and falls back to the routing table.

Why this answer

Option A is correct because a PBF rule in PAN-OS requires both a next-hop IP and an egress interface to be explicitly configured. Without the egress interface, the firewall cannot determine which physical or logical interface to use for forwarding the matched traffic, so it falls back to the default route. Even though the traffic hits the PBF rule, the missing interface configuration prevents the policy-based forwarding from taking effect.

Exam trap

The trap here is that candidates assume specifying only the next-hop IP is sufficient for PBF, similar to a static route, but PAN-OS requires both the next-hop and the egress interface for policy-based forwarding to function correctly.

How to eliminate wrong answers

Option B is wrong because the logs confirm that the traffic hits the PBF rule, which means the source zone matching is already working correctly; a misconfigured source zone would prevent the rule from being matched at all. Option C is wrong because PBF overrides the routing table for matched traffic; the firewall does not need a separate route to the partner network via the MPLS router—the PBF rule itself provides the forwarding decision. Option D is wrong because security policies are evaluated after PBF; if the traffic hits the PBF rule, it has already passed the security policy check, so a missing security policy would block the traffic entirely, not cause it to take the default route.

62
MCQmedium

An organization wants to map user identity from Active Directory for traffic coming from internal LAN users without installing any agent on domain controllers. Which User-ID mapping method should be used?

A.Active Directory polling
B.XML API
C.Terminal Services Agent
D.Captive Portal
AnswerA

Active Directory polling retrieves user-IP mappings from domain controller logs.

Why this answer

Active Directory polling is the correct method because it allows the Palo Alto Networks firewall to retrieve user-to-IP mappings directly from Active Directory domain controllers using LDAP queries, without requiring any agent installation. This method polls the security event logs on domain controllers to map authenticated users to their IP addresses, making it ideal for environments where agentless user identification is desired for internal LAN traffic.

Exam trap

The trap here is that candidates often confuse Terminal Services Agent with a general agentless solution, but it is actually a specialized agent for multi-user environments, not a method for mapping standard LAN users without installing software.

How to eliminate wrong answers

Option B (XML API) is wrong because the XML API is used for programmatic configuration and data retrieval from the firewall, not for real-time user mapping from Active Directory. Option C (Terminal Services Agent) is wrong because it is specifically designed to map users in Terminal Services or Citrix environments where multiple users share a single IP address, not for general LAN user mapping without an agent. Option D (Captive Portal) is wrong because it requires end-user interaction via a web browser to authenticate, which is not suitable for transparently mapping existing Active Directory users without installing an agent.

63
MCQhard

An administrator runs the commands and sees the output. The session shows an SSL application from trust to untrust. However, the traffic is actually a custom application over TCP 44321 that the firewall incorrectly identifies as SSL. Which configuration step will most accurately identify the custom application?

A.Disable SSL inspection on the security policy for this traffic.
B.Create an application override policy for this traffic to mark it as the custom application.
C.Enable SSL decryption on the traffic to inspect the payload.
D.Define a custom application object with the correct protocol signature and protocol type.
AnswerD

A custom application object allows the firewall to accurately identify the traffic based on its actual protocol characteristics.

Why this answer

Option D is correct because the firewall is misidentifying the custom application as SSL due to the use of TCP port 44321, which falls within the default SSL port range. By defining a custom application object with the correct protocol signature (e.g., a protocol decoder or pattern match) and specifying the protocol type (e.g., TCP), the firewall can accurately classify the traffic based on actual payload characteristics rather than relying on port-based heuristics.

Exam trap

The trap here is that candidates often confuse application override (which forces classification) with custom application definition (which teaches the firewall to correctly identify the traffic), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because disabling SSL inspection does not change how the firewall identifies the application; it only prevents decryption, leaving the misclassification intact. Option B is wrong because an application override policy forces the firewall to treat the traffic as the custom application regardless of the actual payload, which bypasses proper identification and can lead to security policy misapplication; it does not teach the firewall to correctly identify the application. Option C is wrong because enabling SSL decryption would attempt to decrypt traffic that is not actually SSL (since it is a custom application over TCP 44321), causing decryption failures and potential session drops, and it does not correct the underlying application identification.

64
MCQhard

A firewall's dataplane CPU is consistently at 95% utilization even though session count is normal. Analysis shows that a large number of small packets are being processed. Which feature could be causing excessive dataplane processing?

A.Log forwarding to Panorama
B.User-ID agent polling
C.Fragmented packet reassembly
D.SSL Decryption with Forward Proxy
AnswerC

Reassembling many small fragmented packets consumes significant dataplane CPU.

Why this answer

Fragmented packet reassembly forces the dataplane to buffer and reassemble IP fragments before performing security policy checks. This process is CPU-intensive, especially when handling a high volume of small fragments, and can drive dataplane utilization to 95% even when the session count is normal. The firewall must allocate resources to track and reassemble each fragmented datagram, which explains the excessive processing.

Exam trap

The trap here is that candidates often associate high dataplane CPU with SSL decryption or logging, but the key clue is 'large number of small packets' — a classic indicator of fragmentation-related processing overhead, not encryption or management tasks.

How to eliminate wrong answers

Option A is wrong because log forwarding to Panorama is a management-plane task that does not consume dataplane CPU cycles; it uses the management plane or a dedicated logging interface. Option B is wrong because User-ID agent polling is a control-plane function that collects user mappings from domain controllers and does not directly affect dataplane packet processing. Option D is wrong because SSL Decryption with Forward Proxy, while CPU-intensive, typically manifests as high utilization during TLS handshake and decryption of large payloads, not from processing a large number of small packets; the symptom of small packets points to fragmentation, not SSL.

65
Matchingmedium

Match each log type to its content.

Records session start, end, and bytes transferred

Logs blocked malware, exploits, or spyware

Logs web requests and category matches

Tracks files sent for cloud analysis

Records administrative actions and system events

Why these pairings

These log types are available in Palo Alto Networks firewalls.

66
MCQhard

Refer to the exhibit. What does the 'Session End Reason: aged-out' indicate about the traffic?

A.The session was terminated by a firewall policy.
B.The session was idle for longer than the timeout threshold.
C.The session was forcibly closed by an administrator.
D.The session ended due to a TCP FIN/RST from the client.
AnswerB

Aged-out indicates the session was idle and reached the timeout.

Why this answer

The 'Session End Reason: aged-out' indicates that the firewall terminated the session because it remained idle for longer than the configured timeout threshold. Palo Alto Networks firewalls use application-specific timeouts (e.g., TCP default 3600 seconds, UDP 30 seconds) to free resources from sessions that have stopped transmitting data. This is a normal cleanup mechanism, not a policy or explicit termination.

Exam trap

Palo Alto Networks often tests the misconception that 'aged-out' means the session was terminated by a security policy or explicit reset, but the trap here is that 'aged-out' specifically refers to an idle timeout, not a policy action or TCP handshake termination.

How to eliminate wrong answers

Option A is wrong because a firewall policy termination would show 'Session End Reason: policy-deny' or similar, not 'aged-out'. Option C is wrong because an administrator forcibly closing a session would generate a 'Session End Reason: admin-reset' or 'session-manager clear session' event. Option D is wrong because a TCP FIN/RST from the client would result in 'Session End Reason: tcp-fin' or 'tcp-rst', not 'aged-out', which specifically indicates idle timeout.

67
Drag & Dropmedium

Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.

Why this order

Factory reset clears all configurations and reboots the device.

68
MCQmedium

A Palo Alto Networks firewall is configured with multiple virtual routers. Traffic between two different virtual routers is not being forwarded. What is required to enable routing between them?

A.Configure a zone protection profile.
B.Configure a static route between the virtual routers.
C.Enable inter-VR routing with a security policy.
D.Use a virtual wire to connect them.
AnswerC

Traffic between virtual routers must be explicitly allowed by a security policy with the correct zones.

Why this answer

By default, Palo Alto Networks firewalls isolate traffic between virtual routers (VRs) to enforce segmentation. To allow inter-VR routing, you must explicitly enable it by creating a security policy that permits the traffic between the zones associated with each VR. This policy acts as the routing decision point, allowing the firewall to forward packets from one VR to another.

Exam trap

The trap here is that candidates often assume static routes can be configured between virtual routers, but Palo Alto does not support inter-VR static routes; instead, inter-VR routing is controlled solely by security policies.

How to eliminate wrong answers

Option A is wrong because zone protection profiles are used to defend against network-based attacks (e.g., floods, reconnaissance) and do not control routing between virtual routers. Option B is wrong because static routes are defined within a single virtual router to direct traffic to next-hop destinations; they cannot be configured between VRs as VRs are independent routing tables. Option D is wrong because a virtual wire is a Layer 2 transparent mode that forwards frames without routing, and it cannot connect two virtual routers which operate at Layer 3.

69
MCQeasy

A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?

A.There is no NAT policy to translate the source IP.
B.The destination IP is not reachable from the firewall.
C.The firewall is not configured to inspect HTTP traffic.
D.The security policy does not have an allow rule for HTTP.
AnswerB

If the firewall cannot route to the destination, it will drop the SYN.

Why this answer

The packet capture shows the SYN packet is received by the firewall but no SYN-ACK is sent. This indicates the firewall is not completing the TCP three-way handshake. The most common cause is that the destination IP is not reachable from the firewall, meaning the firewall cannot route the SYN packet to the next hop or the destination host is down.

In this scenario, the firewall drops the SYN packet silently without generating a SYN-ACK because it cannot establish a session.

Exam trap

The trap here is that candidates often assume a missing security policy or NAT rule is the cause when a SYN packet is received but no SYN-ACK is sent, but the correct diagnostic is to check routing and destination reachability first.

How to eliminate wrong answers

Option A is wrong because a missing NAT policy would cause the source IP to remain private, but the firewall would still forward the SYN packet and expect a SYN-ACK from the destination; the issue here is that no SYN-ACK is sent at all, which points to a routing or reachability problem, not NAT. Option C is wrong because HTTP inspection is not required for basic HTTP traffic to pass; the firewall can forward HTTP traffic with a simple allow rule and no application inspection. Option D is wrong because if the security policy lacked an allow rule, the firewall would drop the SYN packet and typically generate a deny log entry, but the packet capture shows the SYN packet is received, meaning the security policy is not the issue; the problem is that the firewall cannot forward the packet to the destination.

70
MCQhard

An enterprise requires separate administrative domains within a single firewall chassis for different business units. Each domain must have its own virtual router, security policies, and interface configuration. What is the appropriate PAN-OS feature?

A.Administrative roles with RBAC
B.Multiple contexts
C.Multiple virtual routers
D.Multiple virtual systems (vsys)
AnswerD

Virtual systems enable multi-tenancy with separate configurations per tenant.

Why this answer

Option D is correct because Virtual Systems (vsys) are the PAN-OS feature that enables partitioning a single physical firewall into multiple independent virtual firewalls. Each vsys operates with its own virtual router, security policies, and interface configuration, meeting the requirement for separate administrative domains for different business units within one chassis.

Exam trap

The trap here is confusing the Cisco term 'multiple contexts' with PAN-OS Virtual Systems, as candidates familiar with Cisco firewalls may incorrectly select Option B, not realizing that PAN-OS uses a different terminology and architecture for multi-tenancy.

How to eliminate wrong answers

Option A is wrong because Administrative roles with RBAC control user permissions and access to the firewall's management functions, but they do not create separate network domains with independent virtual routers, policies, or interfaces. Option B is wrong because 'Multiple contexts' is a Cisco ASA/Firepower term for virtual firewalls, not a PAN-OS feature; PAN-OS uses Virtual Systems (vsys) for this purpose. Option C is wrong because Multiple virtual routers allow separate routing tables within a single firewall instance, but they do not provide isolated security policies, interfaces, or administrative domains—all virtual routers share the same vsys context unless combined with vsys.

71
MCQmedium

During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?

A.Reduced new session setup rate.
B.Reduced committed information rate (CIR) on QoS policies.
C.Increased latency for management access.
D.Increased packet drops due to buffer exhaustion.
AnswerD

When packet buffers are full, new packets are dropped.

Why this answer

When dataplane packet buffer usage exceeds 90% during a traffic spike, the firewall's packet buffers are nearly exhausted, leading to a condition where incoming packets cannot be stored temporarily for processing. This directly causes packet drops because the dataplane has no available buffers to enqueue new packets, even though CPU utilization remains low. Option D correctly identifies this as the primary impact, as buffer exhaustion results in tail-drop behavior for new packets.

Exam trap

The trap here is that candidates often assume high packet buffer usage automatically implies high CPU utilization, but the PCNSE exam tests the understanding that dataplane buffer exhaustion and CPU utilization are independent metrics, and buffer drops can occur even when CPU is idle.

How to eliminate wrong answers

Option A is wrong because reduced new session setup rate is typically caused by high CPU utilization or session table exhaustion, not by high packet buffer usage; the CPU is below 30%, so session setup should not be impaired. Option B is wrong because the committed information rate (CIR) on QoS policies is a traffic-shaping parameter that is not directly affected by packet buffer usage; QoS policies enforce bandwidth limits regardless of buffer occupancy. Option C is wrong because increased latency for management access is associated with high control-plane CPU or management-plane congestion, not with dataplane buffer exhaustion; management traffic uses separate queues and resources.

72
MCQeasy

An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?

A.Security profiles
B.Security zones
C.Security policy rule groups
D.Application groups
AnswerC

Rule groups allow logical grouping of rules and assignment to user/device groups.

Why this answer

Security policy rule groups allow administrators to organize related firewall rules into logical units, which can then be applied to specific users or devices via policy-based forwarding or rule placement. This feature simplifies management by grouping rules that share a common purpose, such as those for a particular department or application, and enables targeted application without manual rule reordering. It directly addresses the requirement for logical grouping and selective application to users or devices.

Exam trap

The trap here is that candidates often confuse 'security policy rule groups' with 'application groups' or 'security zones', thinking that grouping applications or interfaces is equivalent to grouping the rules themselves, but only rule groups provide the logical unit structure for rule management and user/device targeting.

How to eliminate wrong answers

Option A is wrong because security profiles are components of security policy rules that define threat prevention, URL filtering, or file blocking actions, not a mechanism for grouping rules into logical units. Option B is wrong because security zones are logical interfaces that segment network traffic based on trust levels (e.g., untrust-L3, trust-L3), but they do not group rules themselves; they are used as source/destination criteria within rules. Option D is wrong because application groups are collections of applications used in policy rules to simplify application identification, but they do not group the rules themselves into logical units for management or user/device targeting.

73
MCQ · hard

A multinational organization uses a pair of PA-5250 firewalls in an active/passive high-availability configuration across two data centers. They need to ensure that all management traffic (SSH, HTTPS) to the firewalls is encrypted and sourced only from a dedicated management network (10.10.0.0/24). Which configuration meets these requirements?

A. Configure the firewall to use a dedicated management port and enable IP whitelisting in device settings.
B. Configure an interface management profile allowing SSH and HTTPS only from 10.10.0.0/24 and apply it to the management interface.
C. Use a loopback interface with an IP from the management subnet and attach an interface management profile.
D. Create a security policy allowing management access from 10.10.0.0/24 to the firewall's IP addresses.
Answer: B

The management interface can be restricted to specific IPs using the interface management profile under Device > Setup > Management.

Why this answer

Option B is correct because an interface management profile restricts allowed management services (SSH, HTTPS) to specific source IP addresses or subnets, and applying it to the management interface ensures only traffic from 10.10.0.0/24 can reach the firewall for encrypted management. This directly meets the requirement for encryption (SSH/HTTPS are inherently encrypted) and source restriction without relying on security policies, which do not control management-plane access.

Exam trap

The trap here is that candidates often confuse data-plane security policies with management-plane access control, incorrectly assuming a security rule can restrict SSH/HTTPS to the firewall itself, when in fact interface management profiles are the only mechanism for that purpose on Palo Alto firewalls.

How to eliminate wrong answers

Option A is wrong because enabling IP whitelisting in device settings is not a valid configuration on Palo Alto Networks firewalls; there is no such global whitelist feature—access control for management services is done via interface management profiles, not a device-level whitelist. Option C is wrong because a loopback interface with an IP from the management subnet would not inherently restrict source access; the interface management profile would still need to be applied to the loopback, and loopback interfaces are not typically used for out-of-band management traffic in a dedicated management network scenario. Option D is wrong because security policies control data-plane traffic (e.g., user traffic passing through the firewall), not management-plane traffic (SSH/HTTPS to the firewall itself); management access is governed by interface management profiles, not security rules.

74
MCQ · medium

A firewall is configured with a destination NAT rule to translate public IP 203.0.113.10 to internal server 10.0.0.5 on port 443. Internal users from 10.0.0.0/24 can access the server using its private IP, but cannot access it using the public IP. What should be configured to allow internal users to reach the server using the public IP?

A. Configure a source NAT rule that translates the internal source IP to the firewall's interface IP when the destination is the public IP.
B. Create a policy-based forwarding (PBF) rule to send the traffic to the server.
C. Add a security policy allowing traffic from internal zone to the public IP.
D. Add a static route on the firewall for the public IP pointing to the internal server.
Answer: A

This hairpin NAT rule ensures reply traffic goes through the firewall.

Why this answer

Option A is correct because when internal users send traffic to the public IP (203.0.113.10), the firewall performs destination NAT, translating the destination to 10.0.0.5. However, the return traffic from the server is sent directly to the internal user's IP (since they are on the same subnet), bypassing the firewall and causing asymmetric routing. A source NAT rule (often called NAT hairpin or NAT reflection) translates the internal source IP to the firewall's interface IP, forcing return traffic to go through the firewall and maintain session state.

Exam trap

The trap here is that candidates often think a security policy or route is sufficient, but they miss the fundamental requirement for symmetric routing in stateful firewalls, where the return traffic must traverse the same firewall that performed the NAT.

How to eliminate wrong answers

Option B is wrong because policy-based forwarding (PBF) is used to route traffic based on criteria like source/destination IP or application, not to solve NAT hairpin issues; it would not fix the asymmetric routing problem. Option C is wrong because a security policy alone does not address the NAT or routing issue; the traffic is already allowed if the server is reachable via private IP, and the problem is that the return traffic bypasses the firewall. Option D is wrong because adding a static route for the public IP pointing to the internal server would cause the firewall to route traffic directly to the server without performing NAT, breaking the translation and potentially causing routing loops or incorrect forwarding.

75
MCQ · medium

A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?

A. Create a security policy rule with an application override to match the port.
B. Define a custom application with the appropriate protocol, port, and optionally a signature.
C. Enable SSL decryption on the traffic to inspect encrypted payloads.
D. Add the port to the default application's 'port' field in the application object.
Answer: B

Custom application objects allow the firewall to identify the traffic based on port and/or signature.

Why this answer

Option B is correct because when a custom application uses a proprietary protocol over a non-standard port, the firewall cannot rely on its built-in App-ID signatures. By defining a custom application object with the correct protocol (TCP), port (12345), and optionally a protocol-level signature (e.g., a byte pattern or sequence), the firewall can accurately identify the traffic. This ensures that App-ID can match the traffic even if the port is not commonly associated with any known application.

Exam trap

The trap here is that candidates often confuse 'application override' (which disables App-ID) with 'custom application' (which enhances App-ID), leading them to choose option A when they should instead define a new application object with the correct port and signature.

How to eliminate wrong answers

Option A is wrong because an application override bypasses App-ID entirely, forcing the firewall to treat all traffic on that port as the specified application, which defeats the purpose of dynamic identification and can lead to misclassification or security gaps. Option C is wrong because SSL decryption is irrelevant for a proprietary protocol that does not use TLS/SSL; decrypting encrypted payloads would not help if the traffic is not encrypted or if the protocol is not HTTP-based. Option D is wrong because modifying the default application's 'port' field would incorrectly associate a custom protocol with a built-in application, potentially causing false positives and breaking App-ID's ability to distinguish between applications.
