KillTest

*KIJGT  3 WCNKV [   $ GV V GT  5 GT X KE G

Q&A

NZZV ]]]QORRZKYZIUS

=KULLKXLXKK[VJGZKYKX\OIKLUXUTK_KGX
 The safer , easier way to help you pass any IT exams.

Exam : PCNSE

Title : Palo Alto Networks Certified

Network Security Engineer
Exam

Version : V23.02

1 / 92
 The safer , easier way to help you pass any IT exams.

1.The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive
HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General >
Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active
firewall.
Why is the AE interface showing down on the passive firewall?
A. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the
High Availability Options on the LACP tab of the AE Interface.
B. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP
selection on the LACP tab of the AE Interface.
C. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable
LACP selection on the LACP tab of the AE Interface.
D. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP
selection on the LACP tab of the AE Interface.
Answer: A

2.An administrator is building Security rules within a device group to block traffic to and from malicious
locations
How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top of the Default Rules
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security
rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules
Answer: D

3.An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports.
The configuration problem seems to be on the firewall.
Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the
NGFW to Panorama?
A)

2 / 92
 The safer , easier way to help you pass any IT exams.

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D

3 / 92
 The safer , easier way to help you pass any IT exams.

Answer: C A is correct answer

4.Which benefit do policy rule UUlDs provide?

A. An audit trail across a policy's lifespan
B. Functionality for scheduling policy actions
C. The use of user IP mapping and groups in policies
D. Cloning of policies between device-groups
Answer: A

5.Which three items are import considerations during SD-WAN configuration planning? (Choose three.)
A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations
Answer: A,C,D
Explanation:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-
configuration

6.A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile
Answer: A,B
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-
help/network/network-interfaces/pa-7000-series- layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-
8064499f5b9d
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK
VLAN interface is not necessary but in this scenarion we assume it is. Create VLAN object, VLAN
interface and VLAN Zone. Attach VLAN interface to VLAN object together with two L2 interfaces then
attach VLAN interface to virtual router. Without VLAN interface you can pass traffic between interfaces
on the same network and with VLAN interface you can route traffic to other networks.

7.Which time determines how long the passive firewall will wait before taking over as the active firewall
alter losing communications with the HA peer?

4 / 92
 The safer , easier way to help you pass any IT exams.

A. Heartbeat Interval
B. Additional Master Hold Up Time
C. Promotion Hold Time
D. Monitor Fall Hold Up Time
Answer: A C is correct answer

8.An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)
A. Syslog
B. XFF Headers
C. Client probing
D. Server Monitoring
Answer: A,B

9.What are three reasons for excluding a site from SSL decryption? (Choose three.)
A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication
Answer: B,C,E
Explanation:
Reasons that sites break decryption technically include pinned certificates, client authentication,
incomplete certificate chains, and unsupported ciphers. https://docs.paloaltonetworks.com/pan-os/10-
1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption.html

5 / 92
 The safer , easier way to help you pass any IT exams.

10.A security engineer received multiple reports of an IPSec VPN tunnel going down the night before.
The engineer couldn't find any events related to VPN under system togs.
What is the likely cause?
A. Dead Peer Detection is not enabled.
B. Tunnel Inspection settings are misconfigured.
C. The Tunnel Monitor is not configured.
D. The log quota for GTP and Tunnel needs to be adjusted
Answer: C
Explanation:
This means that the firewall does not have a mechanism to monitor the status of the IPSec VPN tunnel
and generate logs when it goes down or up. The Tunnel Monitor is an optional feature that can be
enabled on each IPSec tunnel interface and it uses ICMP probes to check the connectivity of the tunnel
peer. If the firewall does not receive a response from the peer after a specified number of retries, it
marks the tunnel as down and logs an event1.

11.In the screenshot above which two pieces of information can be determined from the ACC
configuration shown? (Choose two)

A. The Network Activity tab will display all applications, including FTP.
B. Threats with a severity of "high" are always listed at the top of the Threat Name list
C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
D. The ACC has been filtered to only show the FTP application
Answer: A,C

12.An engineer receives reports from users that applications are not working and that websites are only
partially loading in an asymmetric environment. After investigating, the engineer observes the
flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
A. set deviceconfig setting tcp asymmetric-path drop
B. set deviceconfig setting session tcp-reject-non-syn no
C. set session tcp-reject-non-syn yes

6 / 92
 The safer , easier way to help you pass any IT exams.

D. set deviceconfig setting tcp asymmetric-path bypass

Answer: B
Explanation:
To work around this issue, one possible troubleshooting command is set deviceconfig setting session
tcp-reject-non-syn no which disables TCP reject non-SYN temporarily (until reboot)4. This command
allows non-SYN first packet through without dropping it.
The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set,
but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option enables or
disables the firewall to drop non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option
using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the
issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.

13.A user at an internal system queries the DNS server for their web server with a private IP of 10 250
241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.
In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the
firewall?

A)

7 / 92
 The safer , easier way to help you pass any IT exams.

B)

C)

D)

8 / 92
 The safer , easier way to help you pass any IT exams.

A. Option A
B. Option B
C. Option C
D. Option D
Answer: A

14.An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with
three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute location?
A. 90Mbps
B. 300 Mbps
C. 75Mbps
D. 50Mbps
Answer: D
Explanation:
The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote
network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote
network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth
speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps
connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps
plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-
access-for-networks/how-to-calculate-network-bandwidth

15.How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after
enabling the Advance Routing Engine run on PAN-OS 10.2?
A. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile
under Network > Virtual Router > BGP > BFD
B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD
profile under Network > Virtual Router > BGP > General > Global BFD Profile
C. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD

9 / 92
 The safer , easier way to help you pass any IT exams.

profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile
under Network > Routing > Logical Routers > BGP > BFD
Answer: B

16.An engineer configures SSL decryption in order to have more visibility to the internal users' traffic
when it is regressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer B. Layer 2
C. Virtual Wire
D. Tap
E. Layer 3
Answer: B,C,E
Explanation:
SSL Forward Proxy is a feature that allows the firewall to decrypt and inspect outbound SSL traffic from
internal users to external servers1. The firewall acts as a proxy (MITM) generating a new certificate for
the accessed URL and presenting it to the client during SSL handshake2.
SSL Forward Proxy can be configured on any interface type that supports security policies, which are
Layer 2, Virtual Wire, and Layer 3 interfaces1. These interface types allow the firewall to apply security
profiles and URL filtering on the decrypted SSL traffic.

17.Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about
grayware in any of the logs of the corresponding firewall.
Which setting can the administrator configure on the firewall to log grayware verdicts?
A. within the log forwarding profile attached to the Security policy rule
B. within the log settings option in the Device tab
C. in WildFire General Settings, select "Report Grayware Files"
D. in Threat General Settings, select "Report Grayware Files"
Answer: C

18.When an in-band data port is set up to provide access to required services, what is required for an
interface that is assigned to service routes?
A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2 Layer 3. or virtual wire
D. You must use a static IP address
Answer: D
Explanation:
According to the Palo Alto Networks documentation, “To configure a service route, you must specify a
source interface and a source address. The source interface can be any data port (Ethernet interface) or
a loopback interface. The source address must be a static IP address that is configured on the source
interface.”
References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-

10 / 92
 The safer , easier way to help you pass any IT exams.

routes/service-routes-overview

19.A network security administrator wants to configure SSL inbound inspection.

Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall?
(Choose three.)
A. An SSL/TLS Service profile
B. The web server's security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client's security certificate with the private key
Answer: B,C,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-
inspection

20.During the process of developing a decryption strategy and evaluating which websites are required
for corporate users to access, several sites have been identified that cannot be decrypted due to
technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will
therefore be blocked if decrypted
How should the engineer proceed?
A. Allow the firewall to block the sites to improve the security posture
B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
C. Install the unsupported cipher into the firewall to allow the sites to be decrypted
D. Create a Security policy to allow access to those sites
Answer: A

21.An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a
false-positive action.
How can the administrator create an exception for this particular file?
A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
D. Disable the WildFire profile on the related Security policy.
Answer: A

22.An administrator is configuring a Panorama device group

Which two objects are configurable? (Choose two)
A. DNS Proxy
B. Address groups
C. SSL/TLS roles
D. URL Filtering profiles
Answer: B,D
Explanation:
URL filtering is a feature in Palo Alto Networks firewalls that allows administrators to block access to

11 / 92
 The safer , easier way to help you pass any IT exams.

specific URLs [1]. This feature can be configured via four different objects: Custom URL categories in
URL Filtering profiles, PAN-DB URL categories in URL Filtering profiles, External Dynamic Lists (EDL) in
URL Filtering profiles, and Custom URL categories in Security policy rules. The evaluation order for URL
filtering is: Custom URL categories in URL Filtering profile, PAN-DB URL categories in URL Filtering
profile, EDL in URL Filtering profile, and Custom URL category in Security policy rule. This information
can be found in the Palo Alto Networks PCNSE Study Guide, which can be accessed here:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/resource-library/palo-alto-networks-
pcnse-study-guide.html.

23.Which two actions would be part of an automatic solution that would block sites with untrusted
certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the “Block sessions with untrusted issuers” setting.
Answer: A,D
Explanation:
You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption
policy configured with the No Decrypt action (Policies > Decryption > Action). Use these options to
control server certificates for the session, though the firewall does not decrypt and inspect the session
traffic. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-
decryption-profile

24.A company requires that a specific set of ciphers be used when remotely managing their Palo Alto
Networks appliances.
Which profile should be configured in order to achieve this?
A. SSH Service profile
B. SSL/TLS Service profile
C. Decryption profile
D. Certificate profile
Answer: A

25.What is a correct statement regarding administrative authentication using external services with a
local authorization method?
A. Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access
domains have not been supported by this method.
B. Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external
authentication services for administrative authentication.
C. The administrative accounts you define locally on the firewall serve as references to the accounts
defined on an external authentication server.
D. The administrative accounts you define on an external authentication server serve as references to
the accounts defined locally on the firewall.
Answer: B

12 / 92
 The safer , easier way to help you pass any IT exams.

26.The following objects and policies are defined in a device group hierarchy

A. Address Objects
-Shared Address1
-Shared Address2
-Branch Address1
Policies
-Shared Policy1
-Branch Policy1
B. Address Objects
-Shared Address1
-Shared Address2
-Branch Address1
-DC Address1
Policies
-Shared Policy1
-Shared Policy2
-Branch Policy1
C.
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
-Branch Policy 1
D)
Address Objects

13 / 92
 The safer , easier way to help you pass any IT exams.

-Shared Address 1
-Shared Address 2
-Branch Address 1
Policies
-Shared Policy 1
-Shared Policy 2
-Branch Policy 1
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A

27.A network security administrator has an environment with multiple forms of authentication. There is a
network access control system in place that authenticates and restricts access for wireless users,
multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of
these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
A. Syslog listener
B. agentless User-ID with redistribution
C. standalone User-ID agent
D. captive portal
Answer: C A is correct

28.A super user is tasked with creating administrator accounts for three contractors. For compliance
purposes, all three contractors will be working with different device-groups m their hierarchy to deploy
policies and objects.
Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Admin with the Panorama Administrator role.
B. Create a Device Group and Template Admin.
C. Create a Custom Panorama Admin.
D. Create a Dynamic Read only superuser
Answer: C
Explanation:
A Custom Panorama Admin is a type of role-based access that allows a super user to create separate
Panorama administrator accounts for each of the three contractors. This will allow each contractor to
work with different device-groups in their hierarchy and deploy policies and objects in accordance with
the organization's compliance requirements. The Custom Panorama Admin role also allows the super
user to assign separate permissions to each contractor's account, granting them access to only the
resources they are authorized to use. This type of role-based access is the most appropriate for this
project as it will ensure that each contractor is only able to access the resources they need in order to do
their job.

29.An administrator would like to determine which action the firewall will take for a specific CVE.

14 / 92
 The safer , easier way to help you pass any IT exams.

Given the screenshot below, where should the administrator navigate to view this information?
A. The profile rule action
B. CVE column
C. Exceptions lab
D. The profile rule threat name
Answer: A C is correct

30.A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward
traffic logs to Panorama. In which section is this configured?
A. Panorama > Managed Devices
B. Monitor > Logs > Traffic
C. Device Groups > Objects > Log Forwarding
D. Templates > Device > Log Settings
Answer: C

31.How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on
a managed firewall?
A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected Panorama generates
a system log and can send email alerts
B. Panorama provides visibility into all the system and traffic logs received from firewalls it does not offer
any ability to see or monitor resource utilization on managed firewalls
C. Panorama monitors all firewalls using SNMP It generates a system log and can send email alerts
when resource exhaustion is detected on a managed firewall
D. Panorama provides information about system resources of the managed devices in the Managed

15 / 92
 The safer , easier way to help you pass any IT exams.

Devices > Health menu

Answer: D
Explanation:
Panorama can help with troubleshooting problems such as high CPU or resource exhaustion on a
managed firewall by providing information about system resources of the managed devices in the
Managed Devices > Health menu. This is explained in the Palo Alto Networks PCNSE Study Guide in
Chapter 13: Panorama, under the section "Monitoring Managed Firewalls with Panorama":
"The Panorama web interface provides information about the system resources of the managed devices.
In the Managed Devices > Health menu, you can view the CPU, memory, and disk usage of each
managed device. This information can help you troubleshoot problems such as high CPU or resource
exhaustion on a managed firewall."

32.What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from
other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
Answer: C

33.An administrator needs to assign a specific DNS server to one firewall within a device group.
Where would the administrator go to edit a template variable at the device level?
A. Variable CSV export under Panorama > templates
B. PDF Export under Panorama > templates
C. Manage variables under Panorama > templates
D. Managed Devices > Device Association
Answer: C
Explanation:
To edit a template variable at the device level, you need to go to Manage variables under Panorama >
templates. This allows you to override the default value of a variable for a specific device or device
group. For example, you can assign a specific DNS server to one firewall within a device group by
editing the ${dns-primary} variable for that device.
References: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-
firewalls/manage-templates/use-template-variables.html

34.An engineer discovers the management interface is not routable to the User-ID agent
What configuration is needed to allow the firewall to communicate to the User-ID agent?
A. Create a NAT policy for the User-ID agent server
B. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
C. Create a custom service route for the UID Agent
D. Add a static route to the virtual router
Answer: C
Explanation:
To allow the firewall to communicate with the User-ID agent, you need to configure a custom service

16 / 92
 The safer , easier way to help you pass any IT exams.

route for the UID Agent23. A custom service route allows you to specify which interface and source IP
address the firewall uses to connect to a specific destination service. By default, the firewall uses its
management interface for services such as User-ID, but you can override this behavior by creating a
custom service route.
To configure a custom service route for the UID Agent, you need to do the following steps:
✑ Go to Device > Setup > Services and click Service Route Configuration.
✑ In the Service column, select User-ID Agent from the drop-down list.
✑ In the Interface column, select an interface that can reach the User-ID agent server from the drop-
down list.
✑ In the Source Address column, select an IP address that belongs to that interface from the drop-down
list.
✑ Click OK and Commit your changes.
The correct answer is
C. Create a custom service route for UID Agent

35.An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)
A. Inherit settings from the Shared group
B. Inherit IPSec crypto profiles
C. Inherit all Security policy rules and objects
D. Inherit parent Security policy rules and objects
Answer: B,D
Explanation:
B. Inherit IPSec crypto profiles
This is correct because IPSec crypto profiles are one of the objects that can be inherited from a parent
device group1. You can also create IPSec crypto profiles for use in shared or device group policy1.
D. Inherit parent Security policy rules and objects
This is correct because Security policy rules and objects are also inheritable from a parent device
group1. You can also create Security policy rules and objects for use in shared or device group policy1.

36.An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session
DoS attacks Which sessions does Packet Buffer Protection apply to?
A. It applies to existing sessions and is not global
B. It applies to new sessions and is global
C. It applies to new sessions and is not global
D. It applies to existing sessions and is global
Answer: D

37.Which log type will help the engineer verify whether packet buffer protection was activated?
A. Data Filtering
B. Configuration
C. Threat
D. Traffic
Answer: C

17 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
The log type that will help the engineer verify whether packet buffer protection was activated is Threat
Logs. Threat Logs are logs generated by the Palo Alto Networks firewall when it detects a malicious
activity on the network. These logs contain information about the source, destination, and type of threat
detected. They also contain information about the packet buffer protection that was activated in response
to the detected threat. This information can help the engineer verify that packet buffer protection was
activated and determine which actions were taken in response to the detected threat.

38.What steps should a user take to increase the NAT oversubscription rate from the default platform
setting?
A. Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate
B. Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)
C. Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)
D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate
Answer: D
Explanation:
NAT oversubscription is a feature that allows you to reuse a translated IP address and port for multiple
source devices. This can help you conserve public IP addresses and increase the number of sessions
that can be translated by a NAT rule.

39.Which configuration is backed up using the Scheduled Config Export feature in Panorama?
A. Panorama running configuration
B. Panorama candidate configuration
C. Panorama candidate configuration and candidate configuration of all managed devices
D. Panorama running configuration and running configuration of all managed devices
Answer: D

40.Which two statements correctly describe Session 380280? (Choose two.)

18 / 92
 The safer , easier way to help you pass any IT exams.

A. The session went through SSL decryption processing.

B. The session has ended with the end-reason unknown.
C. The application has been identified as web-browsing.
D. The session did not go through SSL decryption processing.
Answer: A,C

41.When using SSH keys for CLI authentication for firewall administration, which method is used for
authorization?
A. Local
B. LDAP
C. Kerberos
D. Radius
Answer: A
Explanation:
When using SSH keys for CLI authentication for firewall administration, the method used for
authorization is local. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 4:
Authentication and Authorization, under the section "CLI Authentication with SSH Keys":
"SSH keys use public key cryptography to authenticate users, but they do not provide a mechanism for
authorization. Therefore, when using SSH keys for CLI authentication, authorization is always performed

19 / 92
 The safer , easier way to help you pass any IT exams.

locally on the firewall."

42.A network administrator wants to deploy SSL Forward Proxy decryption.

What two attributes should a forward trust certificate have? (Choose two.)
A. A subject alternative name
B. A private key
C. A server certificate
D. A certificate authority (CA) certificate
Answer: A,C
Explanation:
When deploying SSL Forward Proxy decryption, a forward trust certificate must have a subject
alternative name (SAN) and be a server certificate. SAN is an extension to the X.509 standard that
allows multiple domain names to be protected by a single SSL/TLS certificate. It is used to identify the
domain names or IP addresses that the certificate should be valid for. A private key is also required but it
is not mentioned in the options. A certificate authority (CA) certificate is not required as the forward trust
certificate itself is a CA certificate.

43.After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a
commit/push is successful without duplicating local configurations?
A. Ensure Force Template Values is checked when pushing configuration.
B. Push the Template first, then push Device Group to the newly managed firewal.
C. Perform the Export or push Device Config Bundle to the newly managed firewall.
D. Push the Device Group first, then push Template to the newly managed firewall
Answer: C
Explanation:
When importing a pre-configured firewall configuration to Panorama, you need to perform the following
steps12:
✑ Add the serial number of the firewall under Panorama > Managed Devices
✑ In Panorama, import the firewall’s configuration bundle under Panorama > Setup > Operations >
Import device configuration to Panorama
✑ Make changes to the imported firewall configuration within Panorama
✑ Commit the changes you made to Panorama
✑ Perform an Export or push Device Config Bundle operation under Panorama > Setup > Operations
The Export or push Device Config Bundle operation allows you to push a complete configuration bundle
from Panorama to a managed firewall without duplicating local configurations3. This operation ensures
that any local settings on the firewall are preserved and merged with the settings from Panorama.

44.Four configuration choices are listed, and each could be used to block access to a specific URL
II you configured each choice to block the same URL, then which choice would be evaluated last in the
processing order to block access to the URL1?
A. PAN-DB URL category in URL Filtering profile
B. Custom URL category in Security policy rule
C. Custom URL category in URL Filtering profile
D. EDL in URL Filtering profile

20 / 92
 The safer , easier way to help you pass any IT exams.

Answer: A

45.In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose
two.)
A. wildcard server certificate
B. enterprise CA certificate
C. client certificate
D. server certificate
E. self-signed CA certificate
Answer: B,E
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-
proxy.html

46.Given the screenshot, how did the firewall handle the traffic?

21 / 92
 The safer , easier way to help you pass any IT exams.

A. Traffic was allowed by profile but denied by policy as a threat

B. Traffic was allowed by policy but denied by profile as..
C. Traffic was allowed by policy but denied by profile as ..
D. Traffic was allowed by policy but denied by profile as a..
Answer: D Traffic was allowed by policy but denied by profile as a threat.

47.A firewall has Security policies from three sources

1. locally created policies
2. shared device group policies as pre-rules
3. the firewall's device group as post-rules
How will the rule order populate once pushed to the firewall?
A. shared device group policies, firewall device group policies. local policies.
B. firewall device group policies, local policies. shared device group policies

22 / 92
 The safer , easier way to help you pass any IT exams.

C. shared device group policies. local policies, firewall device group policies
D. local policies, firewall device group policies, shared device group policies
Answer: C

48.Which three use cases are valid reasons for requiring an Active/Active high availability deployment?
(Choose three.)
A. The environment requires real, full-time redundancy from both firewalls at all times
B. The environment requires Layer 2 interfaces in the deployment
C. The environment requires that both firewalls maintain their own routing tables for faster dynamic
routing protocol convergence
D. The environment requires that all configuration must be fully synchronized between both members of
the HA pair
E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic
spikes
Answer: B,C,D A, C, E

49.An existing NGFW customer requires direct interne! access offload locally at each site and iPSec
connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be
introduced to the environment.
What is the best solution for the customer?
A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Deploy Prisma SD-WAN with Prisma Access
D. Configure policy-based forwarding
Answer: B
Explanation:
According to the Palo Alto Networks documentation, “The PAN-OS software now includes a native SD-
WAN subscription to provide intelligent and dynamic path selection on top of the industry-leading security
that PAN-OS software already delivers.
Key features of the SD-WAN implementation include centralized configuration management, automatic
VPN topology creation, traffic distribution, monitoring, and troubleshooting.”
References: https://docs.paloaltonetworks.com/sd-wan

50.A firewall has been assigned to a new template stack that contains both "Global" and "Local"
templates in Panorama, and a successful commit and push has been performed. While validating the
configuration on the local firewall, the engineer discovers that some settings are not being applied as
intended.
The setting values from the "Global" template are applied to the firewall instead of the "Local" template
that has different values for the same settings.
What should be done to ensure that the settings in the "Local" template are applied while maintaining
settings from both templates?
A. Move the "Global" template above the "Local" template in the template stack.
B. Perform a commit and push with the "Force Template Values" option selected.
C. Move the "Local" template above the "Global" template in the template stack.

23 / 92
 The safer , easier way to help you pass any IT exams.

D. Override the values on the local firewall and apply the correct settings for each value.
Answer: C

51.Which log type would provide information about traffic blocked by a Zone Protection profile?
A. Data Filtering
B. IP-Tag
C. Traffic
D. Threat
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clm9CAC
Zone Protection profile is a set of security policies that you can apply to an interface or zone to protect it
from reconnaissance, flooding, brute force, and other types of attacks. The log type that would provide
information about traffic blocked by a Zone Protection profile is Threat4. This log type records events
such as packet-based attacks, spyware, viruses, vulnerability exploits, and URL filtering.

52.What is the dependency for users to access services that require authentication?
A. An Authentication profile that includes those services
B. Disabling the authentication timeout
C. An authentication sequence that includes those services
D. A Security policy allowing users to access those services
Answer: D

53.An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between
peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in
Panorama.
Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
A. Export the log database.
B. Use the import option to pull logs.
C. Use the ACC to consolidate the logs.
D. Use the scp logdb export command.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-
import-and-export-files/export-and-import-a-complete-log-database-logdb

54.During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN
connection to the corporate network before logging in to their new Windows 10 endpoints.
The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the
Connect Before Logon feature to solve this issue.
What must be configured to enable the Connect Before Logon feature?
A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.
B. Registry keys on the Windows system.
C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.

24 / 92
 The safer , easier way to help you pass any IT exams.

D. The Certificate profile in the GlobalProtect Portal Authentication Settings.

Answer: D B

55.A network security engineer has applied a File Blocking profile to a rule with the action of Block. The
user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked
by the firewall when trying to download a TAR file. The user is getting no error response on the system.
Where is the best place to validate if the firewall is blocking the user's TAR file?
A. URL Filtering log
B. Data Filtering log
C. Threat log
D. WildFire Submissions log
Answer: B

56.Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination
domain, and application?
A. No Direct Access to local networks
B. Tunnel mode
C. iPSec mode
D. Satellite mode
Answer: B
Explanation:
To enable split-tunneling by access route, destination domain, and application, you need to configure a
split tunnel based on the domain and application on your GlobalProtect gateway2. This allows you to
specify which domains and applications are included or excluded from the VPN tunnel.

57.An administrator has 750 firewalls. The administrator's central-management Panorama instance
deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from
Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the
configuration does not appear, what is the root cause?
A. Panorama does not have valid licenses to push the dynamic updates.
B. Panorama has no connection to Palo Alto Networks update servers.
C. No service route is configured on the firewalls to Palo Alto Networks update servers.
D. Locally-defined dynamic update settings take precedence over the settings that
Panorama pushed.
Answer: D

58.An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie
firewall's dashboard is showing as down High Availability.
What could an administrator do to troubleshoot the issue?
A. Goto Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for
heartbeat backup
B. Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management
Interface Settings

25 / 92
 The safer , easier way to help you pass any IT exams.

C. Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup
under Election Settings
D. Check peer IP address for heartbeat backup to Device > High Availability > HA
Communications > Packet Forwarding settings.
Answer: B
Explanation:
If the HA status is showing as down after enabling HA Heartbeat Backup on two devices, an
administrator could troubleshoot the issue by checking the peer IP address in the permit list in Device >
Setup > Management > Interfaces > Management Interface Settings. This is described in the Palo Alto
Networks PCNSE Study Guide in Chapter 7: High Availability, under the section "Configure Heartbeat
Backup for Redundancy":
"Verify that the management interface's permitted IP addresses on each peer includes the IP address of
the other peer's Heartbeat Backup interface."

59.Which three actions can Panorama perform when deploying PAN-OS images to its managed
devices? (Choose three.)
A. upload-only
B. upload and install and reboot
C. verify and install
D. upload and install
E. install and reboot
Answer: C,D,E The correct answer is A, B and E

60.A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The
security team has already configured all firewalls with the Panorama IP address and added all the
firewall serial numbers in Panorama.
What are the next steps to migrate configuration from the firewalls to Panorama?
A. Use API calls to retrieve the configuration directly from the managed devices
B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration
Snapshot in Panorama
C. import Device Configuration to Panorama followed by Export or Push Device Config Bundle
D. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices
Answer: C

61.What are two best practices for incorporating new and modified App-IDs? (Choose two.)
A. Run the latest PAN-OS version in a supported release tree to have the best performance for the new
App-IDs
B. Configure a security policy rule to allow new App-IDs that might have network-wide impact
C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
D. Study the release notes and install new App-IDs if they are determined to have low impact
Answer: B,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-
content-releases/app-id-updates-workflow.html

26 / 92
 The safer , easier way to help you pass any IT exams.

62.An engineer needs to permit XML API access to a firewall for automation on a network segment that
is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network
segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this
request?
A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Enable HTTPS in an Interface Management profile on the subinterface.
C. Add the network segment's IP range to the Permitted IP Addresses list
D. Configure a service route for HTTP to use the subinterface
Answer: B

63.Which profile generates a packet threat type found in threat logs?

A. Zone Protection
B. WildFire
C. Anti-Spyware
D. Antivirus
Answer: A

64.An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS
11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose
two.)
A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of
the proxy.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
D. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the
outgoing request
Answer: B,C
Explanation:
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of
the proxy12. This means that the client can see the proxy’s IP address and port number, and can use
tools like ping or traceroute to check connectivity and latency issues. Transparent proxies are invisible to
the client browser, which makes it harder to diagnose problems.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports3. This means that the
proxy can handle HTTPS requests that use ports other than 443, which may be required by some
applications or websites. Transparent proxies can only intercept HTTPS traffic on port 443, which limits
their functionality.

65.DRAG DROP
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing
protocols, and the engineer is trying to determine routing priority Match the default Administrative
Distances for each routing protocol.

27 / 92
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
✑ Static
—Range is 10-240; default is 10.
✑ OSPF Internal —Range is 10-240; default is 30.
✑ OSPF External
—Range is 10-240; default is 110.
✑ IBGP
—Range is 10-240; default is 200.
✑ EBGP
—Range is 10-240; default is 20.
✑ RIP
—Range is 10-240; default is 120.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers

66.A network administrator is trying to prevent domain username and password submissions to phishing
sites on some allowed URL categories
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential

28 / 92
 The safer , easier way to help you pass any IT exams.

phishing on the firewall?

A. Choose the URL categories on Site Access column and set action to block Click the User credential
Detection tab and select IP User Mapping Commit
B. Choose the URL categories in the User Credential Submission column and set action to block Select
the User credential Detection tab and select use IP User Mapping Commit
C. Choose the URL categories in the User Credential Submission column and set action to block Select
the URL filtering settings and enable Domain Credential Filter Commit
D. Choose the URL categories in the User Credential Submission column and set action to block Select
the User credential Detection tab and select Use Domain Credential Filter Commit
Answer: D
Explanation:
credential phishing prevention works by scanning username and password submissions to websites and
comparing those submissions to known corporate credentials. You can configure solutions that detect
and prevent credential phishing using URL filtering profiles and User-ID agents.

67.A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the
neighbor is correct, but the route is not in the neighbor's routing table.
Which two configurations should you check on the firewall? (Choose two.)
A. In the OSFP configuration, ensure that the correct redistribution profile is selected in the OSPF Export
Rules section.
B. Within the redistribution profile ensure that Redist is selected.
C. Ensure that the OSPF neighbor state Is "2-Way."
D. In the redistribution profile check that the source type is set to "ospf."
Answer: A,B

68.An engineer needs to redistribute User-ID mappings from multiple data centers.
Which data flow best describes redistribution of user mappings?
A. Domain Controller to User-ID agent
B. User-ID agent to Panorama
C. User-ID agent to firewall
D. firewall to firewall
Answer: D

69.What can be used to create dynamic address groups?

A. dynamic address
B. region objects
C. tags
D. FODN addresses
Answer: C

70.An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet
gateway and wants to be sure of the functions that are supported on the vwire interface
What are three supported functions on the VWire interface? (Choose three)
A. NAT

29 / 92
 The safer , easier way to help you pass any IT exams.

B. QoS
C. IPSec
D. OSPF
E. SSL Decryption
Answer: A,B,E
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-
interfaces
"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to
supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and
active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS
protection, packet buffer protection, tunnel content inspection, and NAT."

71.In an existing deployment, an administrator with numerous firewalls and Panorama does not see any
WildFire logs in Panorama. Each firewall has an active WildFire subscription On each firewall. WildFire
togs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is
missing?
A. Threat logs
B. Traffic togs
C. System logs
D. WildFire logs
Answer: D Answer is A
Explanation:
When an administrator has numerous firewalls and Panorama, WildFire logs need to be forwarded from
the firewalls to Panorama in order for them to be visible in Panorama. WildFire logs contain information
about malicious files that have been detected by WildFire and provide detailed information such as the
file's hash value, severity, and other attributes. This information can then be used to help identify threats
and take appropriate security measures. Proper configuration of forwarding WildFire logs is essential for
monitoring malicious activity and ensuring the security of the network.

72.An administrator wants to grant read-only access to all firewall settings, except administrator
accounts, to a new-hire colleague in the IT department.
Which dynamic role does the administrator assign to the new-hire colleague?
A. Device administrator (read-only)
B. System administrator (read-only)
C. Firewall administrator (read-only)
D. Superuser (read-only)
Answer: A

73.WildFire will submit for analysis blocked files that match which profile settings?
A. files matching Anti-Spyware signatures
B. files that are blocked by URL filtering
C. files that are blocked by a File Blocking profile

30 / 92
 The safer , easier way to help you pass any IT exams.

D. files matching Anti-Virus signatures

Answer: C

74.What is a key step in implementing WildFire best practices?

A. In a mission-critical network, increase the WildFire size limits to the maximum value.
B. Configure the firewall to retrieve content updates every minute.
C. In a security-first network, set the WildFire size limits to the minimum value.
D. Ensure that a Threat Prevention subscription is active.
Answer: D

75.While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application
column What best explains these occurrences?
A. A handshake took place, but no data packets were sent prior to the timeout.
B. A handshake took place; however, there were not enough packets to identify the application.
C. A handshake did take place, but the application could not be identified.
D. A handshake did not take place, and the application could not be identified.
Answer: C

76.A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial
configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash
drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg
txt. The firewall is currently running PAN-OS 10.0 and using a lab config.
The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted
using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping
process. The failure is caused because
A. Firewall must be in factory default state or have all private data deleted for bootstrapping
B. The hostname is a required parameter, but it is missing in init-cfg txt

31 / 92
 The safer , easier way to help you pass any IT exams.

C. The USB must be formatted using the ext3 file system, FAT32 is not supported
D. PANOS version must be 91.x at a minimum but the firewall is running 10.0.x
E. The bootstrap.xml file is a required file but it is missing
Answer: C A is correct answer
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/bootstrap-the-
firewall/bootstrap-a-firewall-using-a-usb-flash-drive.html#id8378007f-d6e5-4f2d-84a4-5d50b0b3ad7d

77.An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer
uses a forward trust certificate from the enterprise PKI that expires December 31, 2025.
The validity date on the PA-generated certificate is taken from what?
A. The trusted certificate
B. The server certificate
C. The untrusted certificate
D. The root CA
Answer: B

78.A company is deploying User-ID in their network. The firewall learn needs to have the ability to see
and choose from a list of usernames and user groups directly inside the Panorama policies when
creating new security rules
How can this be achieved?
A. By configuring Data Redistribution Client in Panorama > Data Redistribution
B. By configuring User-ID source device in Panorama > Managed Devices
C. By configuring User-ID group mapping in Panorama > User Identification
D. By configuring Master Device in Panorama > Device Groups
Answer: C
Explanation:
User-ID group mapping is a feature that allows Panorama to retrieve user and group information from
directory services such as LDAP or Active Directory1. This information can be used to enforce security
policies based on user identity and group membership.
To configure User-ID group mapping on Panorama, you need to perform the following steps1:
✑ Select Panorama > User Identification > Group Mapping Settings
✑ Click Add and enter a name for the server profile
✑ Select a Server Type (LDAP or Active Directory)
✑ Click Add and enter the server details (IP address, port number, etc.)
✑ Click OK
✑ Select Group Include List and click Add
✑ Select the groups that you want to include in the group mapping
✑ Click OK
✑ Commit your changes
By configuring User-ID group mapping on Panorama, you can see and choose from a list of usernames
and user groups directly inside the Panorama policies when creating new security rules2.

79.An administrator is attempting to create policies for deployment of a device group and template stack.

32 / 92
 The safer , easier way to help you pass any IT exams.

When creating the policies, the zone drop-down list does not include the required zone.
What can the administrator do to correct this issue?
A. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
B. Add a firewall to both the device group and the template.
C. Specify the target device as the master device in the device group.
D. Add the template as a reference template in the device group.
Answer: D
Explanation:
In order to see what is in a template, the device-group needs the template referenced. Even if you add
the firewall to both the template and device-group, the device-
group will not see what is in the template.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

80.When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are
available? (Choose three)
A. user-logon (always on)
B. pre-logon then on-demand
C. on-demand (manual user initiated connection)
D. post-logon (always on)
E. certificate-logon
Answer: A,B,C
Explanation:
The Method section of the GlobalProtect portal configuration allows you to specify how users connect to
the portal.
The options are:
✑ user-logon (always on): The agent connects to the portal as soon as the user logs in to the endpoint.
✑ pre-logon then on-demand: The agent connects to the portal before the user logs in to the endpoint
and then switches to on-demand mode after the user logs in.
✑ on-demand (manual user initiated connection): The agent connects to the portal only when the user
initiates the connection manually.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/globalprotect/configure-the-
globalprotect-portal/configure-the-agent/configure-the-app-tab.html

81.Refer to the exhibit.

33 / 92
 The safer , easier way to help you pass any IT exams.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down
Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the Zero Access.Gen threat.
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.
Answer: B

82.The same route appears in the routing table three times using three different protocols
Which mechanism determines how the firewall chooses which route to use?
A. Administrative distance
B. Round Robin load balancing
C. Order in the routing table
D. Metric
Answer: A
Explanation:
Administrative distance is the measure of trustworthiness of a routing protocol. It is used to determine
the best path when multiple routes to the same destination exist. The route with the lowest administrative
distance is chosen as the best route.
When the same route appears in the routing table three times using three different protocols, the
mechanism that determines which route the firewall chooses to use is the administrative distance. This is
explained in the Palo Alto Networks PCNSE Study Guide in Chapter 6: Routing, under the section
"Route Selection":
"Administrative distance is a value assigned to each protocol that the firewall uses to determine which

34 / 92
 The safer , easier way to help you pass any IT exams.

route to use if multiple protocols provide routes to the same destination. The route with the lowest
administrative distance is preferred."

83.An engineer is configuring SSL Inbound Inspection for public access to a company's application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed
successfully?
A. Self-signed CA and End-entity certificate
B. Root CA and Intermediate CA(s)
C. Self-signed certificate with exportable private key
D. Intermediate CA (s) and End-entity certificate
Answer: D

84.An administrator creates an application-based security policy rule and commits the change to the
firewall.
Which two methods should be used to identify the dependent applications for the respective rule?
(Choose two.)
A. Use the show predefined xpath <value> command and review the output.
B. Review the App Dependency application list from the Commit Status view.
C. Open the security policy rule and review the Depends On application list.
D. Reference another application group containing similar applications.
Answer: A,B correct answer is B, C

85.DRAG DROP
Match each GlobalProtect component to the purpose of that component

Answer:

35 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure
The GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps
The GlobalProtect app software runs on endpoints and enables access to your network resources

86.A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing
out of the internet edge firewall.
Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Answer: A

87.What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring
devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path
monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after
communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active
firewall if the firewall is operational again
Answer: C
Explanation:
HA Promotion Hold Time is the time that the passive firewall will wait before taking over as the active
firewall after communications with the HA peer have been lost 2.
References: 2: PAN-OS ® New Features Guide

88.An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been
configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display
the same MAC address being shared for some of these firewalls.

36 / 92
 The safer , easier way to help you pass any IT exams.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in
conflict?
A. Configure a floating IP between the firewall pairs.
B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the
same subnet.
C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
D. On one pair of firewalls, run the CLI command: set network interface vlan arp.
Answer: B
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCA S
change the Group IDs in the High Availability settings to be different from the other firewall pair on the
same subnet. This will prevent the MAC addresses from conflicting and allow the firewalls to properly
route traffic. You can also configure a floating IP between the firewall pairs if necessary.

89.An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?
A. Use the same Forward Trust certificate on all firewalls in the network.
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
C. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
D. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
Answer: C

90.A firewall administrator notices that many Host Sweep scan attacks are being allowed through the
firewall sourced from the outside zone.
What should the firewall administrator do to mitigate this type of attack?
A. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing
traffic from the outside zone
B. Enable packet buffer protection in the outside zone.
C. Create a Security rule to deny all ICMP traffic from the outside zone.
D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it
to the outside zone.
Answer: D

91.An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services
for a specific LDAP user group.
What needs to be configured to ensure Panorama can retrieve user and group information for use in
these rules?
A. A service route to the LDAP server
B. A Master Device
C. Authentication Portal
D. A User-ID agent on the LDAP server
Answer: A B is correct answer
Explanation:
To configure LDAP authentication on Panorama, you need to23:

37 / 92
 The safer , easier way to help you pass any IT exams.

✑ Define an LDAP server profile that specifies the connection details and credentials for accessing the
LDAP server.
✑ Define an authentication profile that references the LDAP server profile and defines how users
authenticate to Panorama (such as username format and password expiration).
✑ Define an authentication sequence (optional) that allows users to authenticate using multiple methods
(such as local database, LDAP, RADIUS, etc.).
✑ Assign the authentication profile or sequence to a Panorama administrator role or a device group role.

92.What can an engineer use with GlobalProtect to distribute user-specific client certificates to each
GlobalProtect user?
A. Certificate profile
B. SSL/TLS Service profile
C. OCSP Responder
D. SCEP
Answer: D

93.Which configuration task is best for reducing load on the management plane?
A. Disable logging on the default deny rule
B. Enable session logging at start
C. Disable pre-defined reports
D. Set the URL filtering action to send alerts
Answer: C
Explanation:
Report generation can also consume considerable resources, while some pre-defined reports may not
be useful to the organization, or they've been replaced by a custom report.
These pre-defined reports can be disabled from Device > Setup > Logging and Reporting Settings
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

94.A network engineer is troubleshooting a VPN and wants to verify whether the
decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?
A. Show vpn tunnel name | match encap
B. Show vpn flow name <tunnel name>
C. Show running tunnel flow lookup
D. Show vpn ipsec-sa tunnel <tunnel name>
Answer: B

95.You have upgraded your Panorama and Log Collectors lo 10.2 x. Before upgrading your firewalls
using Panorama, what do you need do?
A. Refresh your licenses with Palo Alto Network Support - Panorama/Licenses/Retrieve License Keys
from License Server.
B. Re-associate the firewalls in Panorama/Managed Devices/Summary.
C. Commit and Push the configurations to the firewalls.
D. Refresh the Mastor Key in Panorama/Master Key and Diagnostic

38 / 92
 The safer , easier way to help you pass any IT exams.

Answer: C

96.A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise
certificate authorities (Cas)
i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the
trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-lntermediate-CA
iv. Enterprise-Root-CA which is verified only as Trusted Root CA
An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www
example-website com The firewall does the SSL Forward Proxy decryption for the website and the
server certificate is not trusted by the firewall
The end-user's browser will show that the certificate for www.example-website.com was issued by which
of the following?
A. Enterprise-Untrusted-CA which is a self-signed CA
B. Enterprise-Trusted-CA which is a self-signed CA
C. Enterprise-lntermediate-CA which was. in turn, issued by Enterprise-Root-CA
D. Enterprise-Root-CA which is a self-signed CA
Answer: B The correct answer is A

97.An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason
for a session failover for a session that has already ended
Where would you find this in Panorama or firewall logs?
A. Traffic Logs
B. System Logs
C. Session Browser
D. You cannot find failover details on closed sessions
Answer: A
Explanation:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/configure-sd-wan/sd-wan-traffic-
distribution-profiles

98.Refer to the image.

39 / 92
 The safer , easier way to help you pass any IT exams.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the
Global template NTP servers. The administrator needs to change the IP address to a preferable server
for this template stack but cannot impact other template stacks.
How can the issue be corrected?
A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
Answer: B
Explanation:
Both templates and template stacks support variables. Variables allow you to create placeholder objects
with their value specified in the template or template stack based on your configuration needs. Create a
template or template stack variable to replace IP addresses, Group IDs, and interfaces in your
configurations. https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-
firewalls/manage-templates-and-template-stacks/override-a-template-setting.html

99.What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 1 SAs are synchronized over HA1 links.
C. Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
Answer: C

100.A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)
A. Windows User-ID agent
B. GlobalProtect
C. XMLAPI
D. External dynamic list
E. Dynamic user groups

40 / 92
 The safer , easier way to help you pass any IT exams.

Answer: A,B,C
Explanation:
User-ID is a feature that enables the firewall to identify users and groups based on their IP addresses,
usernames, or other attributes.
There are three valid methods of collecting User-ID information in a network:
✑ Windows User-ID agent: This is a software agent that runs on a Windows server
and collects user mapping information from Active Directory, Exchange servers, or other sources.
✑ GlobalProtect: This is a VPN solution that provides secure remote access for users and devices. It
also collects user mapping information from endpoints that connect to the firewall using GlobalProtect.
✑ XMLAPI: This is an application programming interface that allows third-party applications or scripts to
send user mapping information to the firewall using XML format.

101.An administrator has a PA-820 firewall with an active Threat Prevention subscription. The
administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?
A. Protection against unknown malware can be provided in near real-time
B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
C. After 24 hours WildFire signatures are included in the antivirus update
D. WildFire and Threat Prevention combine to minimize the attack surface
Answer: A
Explanation:
Adding a WildFire subscription can improve the security posture of the organization by providing
protection against unknown malware in near real-time. With a WildFire subscription, the firewall can
forward various file types for WildFire analysis, and can retrieve WildFire signatures for newly-discovered
malware as soon as they are generated by the WildFire public cloud or a private cloud appliance. This
reduces the exposure window and prevents further infection by the same malware.
References: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-
subscription

102.An administrator is required to create an application-based Security policy rule to allow Evernote.
The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
A. Add the Evernote application to the Security policy rule, then add a second Security policy rule
containing both HTTP and SSL.
B. Add the HTTP, SSL, and Evernote applications to the same Security policy
C. Add only the Evernote application to the Security policy rule.
D. Create an Application Override using TCP ports 443 and 80.
Answer: C

103.An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with
Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of
500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?

41 / 92
 The safer , easier way to help you pass any IT exams.

A. IP address 8.8.8.8 is unreachable for 1 second.

B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
C. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
D. IP address 4.2.2.2 is unreachable for 2 seconds.
Answer: C

104.An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy
between the firewall and switch.
Which statement is correct about the configuration of the interfaces assigned to an aggregate interface
group?
A. They can have a different bandwidth.
B. They can have a different interface type such as Layer 3 or Layer 2.
C. They can have a different interface type from an aggregate interface group.
D. They can have different hardware media such as the ability to mix fiber optic and copper.
Answer: C D is correct

105.A network security engineer must implement Quality of Service policies to ensure specific levels of
delivery guarantees for various applications in the environment They want to ensure that they know as
much as they can about QoS before deploying.
Which statement about the QoS feature is correct?
A. QoS is only supported on firewalls that have a single virtual system configured
B. QoS can be used in conjunction with SSL decryption
C. QoS is only supported on hardware firewalls
D. QoS can be used on firewalls with multiple virtual systems configured
Answer: D
Explanation:
The correct answer is D - QoS can be used on firewalls with multiple virtual systems configured. QoS is
a feature that enables network administrators to prioritize and manage network traffic to ensure that
critical applications receive the necessary bandwidth and quality of service. This feature can be used on
firewalls with multiple virtual systems, allowing administrators to configure policies on a per-Virtual
System basis. Additionally, QoS can be used in conjunction with SSL decryption to ensure that
applications running over SSL receive appropriate treatment.

106.A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
A. Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-
intensive decryption methods for lower-risk traffic
B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-
intensive decryption methods for tower-risk traffic
C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-
intensive
D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
Answer: C B is correct answer
Explanation:

42 / 92
 The safer , easier way to help you pass any IT exams.

According to the Palo Alto Networks documentation, “Decryption Profiles define the cipher suite settings
the firewall accepts so you can protect against vulnerable, weak protocols and algorithms. You can also
use Decryption Profiles to downgrade processor-intensive ciphers to ciphers that are less processor-
intensive.”
References:
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-
practices/data-center-decryption-profile.html

107.An engineer is tasked with configuring a Zone Protection profile on the untrust zone.
Which three settings can be configured on a Zone Protection profile? (Choose three.)
A. Ethernet SGT Protection
B. Protocol Protection
C. DoS Protection
D. Reconnaissance Protection
E. Resource Protection
Answer: B,C,D
Explanation:
B. Protocol Protection: Protocol protection is used to limit or block traffic that uses certain protocols or
application functions. For example, a Zone Protection profile can be configured to block traffic that uses
non-standard protocols, such as IP-in-IP, or to limit the number of concurrent sessions for certain
protocols, such as SIP.
C. DoS Protection: DoS protection is used to protect against various types of denial-of-service (DoS)
attacks, such as SYN floods, UDP floods, ICMP floods, and others. A Zone Protection profile can be
configured to limit the rate of traffic for certain protocols or to drop traffic that matches specific patterns,
such as malformed packets or packets with invalid headers.
D. Reconnaissance Protection: Reconnaissance protection is used to prevent attackers from gathering
information about the network, such as by using port scans or other techniques. A Zone Protection profile
can be configured to limit the rate of traffic for certain types of reconnaissance, such as port scans or OS
fingerprinting, or to drop traffic that matches specific patterns, such as packets with invalid flags or
payloads.

108.A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between
peers.
Where can the administrator find the corresponding logs after running a test command to initiate the
VPN?
A. Configuration logs
B. System logs
C. Traffic logs
D. Tunnel Inspection logs
Answer: B
Explanation:
According to the Palo Alto Networks documentation, “To view IKE and IPSec Crypto profiles in the logs,
filter the System log for eventid equal to vpn (Monitor > Logs > System).”
References: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpn/set-up-site-to-site-

43 / 92
 The safer , easier way to help you pass any IT exams.

vpn/set-up-ike-crypto-profiles.html

109.A network administrator plans a Prisma Access deployment with three service connections, each
with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and
management overhead on on-prem network devices.
What should the administrator implement?
A. target service connection for traffic steering
B. summarized BGP routes before advertising
C. hot potato routing
D. default routing
Answer: C D is correct answer

110.An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.)
A. System Logs
B. Task Manager
C. Traffic Logs
D. Configuration Logs
Answer: A,B
Explanation:
A. System Logs: The system logs contain information about various events that occur on the firewall,
including the commit process. The administrator can review the system logs to verify whether the commit
completed successfully or whether there were any errors or warnings during the commit process.
B. Task Manager: The task manager displays a list of all active tasks on the firewall, including the commit
task. The administrator can use the task manager to check the status of the commit task, including
whether it is in progress, completed successfully, or failed.

111.An engineer is bootstrapping a VM-Series Firewall Other than the 'config folder, which three
directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
A. /software
B. /opt
C. /license
D. /content
E. /plugins
Answer: A,D A,C,D is correct answer

112.A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?
A. certificate authority (CA) certificate
B. client certificate
C. machine certificate
D. server certificate
Answer: D

44 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-
ssltls-service-profile.html
A server certificate is used for the SSL/TLS Service Profile. The server certificate identifies the firewall to
clients that initiate SSL/TLS connections to it.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-
management/certificates-and-keys/server-certificates

113.Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
A. signature matching for content inspection
B. IPSec tunnel standup
C. Quality of Service
D. logging
Answer: D

114.A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.
What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?
A. Disable logging on security rules allowing DNS.
B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match
list, create a new filter with application not equal to DNS.
C. Create a security rule to deny DNS traffic with the syslog server in the destination
D. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match
list, create a new filter with application equal to DNS.
Answer: D

115.A company is using wireless controllers to authenticate users.

Which source should be used for User-ID mappings?
A. Syslog
B. XFF headers
C. server monitoring
D. client probing
Answer: A

116.How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?
A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and
reboot.
B. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
C. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and
reboot.
D. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and
reboot
Answer: C
Explanation:

45 / 92
 The safer , easier way to help you pass any IT exams.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and
reboot1. This means that the administrator can enable advanced routing features such as RIB filtering,
BFD, multicast, and redistribution profiles for each virtual router on the firewall. The firewall requires a
reboot after enabling advanced routing to apply the changes.

117.An administrator creates a custom application containing Layer 7 signatures. The latest application
and threat dynamic update is downloaded to the same firewall. The update contains an application that
matches the same traffic signatures as the custom application.
Which application will be used to identify traffic traversing the firewall?
A. Custom application
B. Unknown application
C. Incomplete application
D. Downloaded application
Answer: A

118.The manager of the network security team has asked you to help configure the company's Security
Profiles according to Palo Alto Networks best practice As part of that effort, the manager has assigned
you the Vulnerability Protection profile for the internet gateway firewall.
Which action and packet-capture setting for items of high severity and critical severity best matches Palo
Alto Networks best practice?
A. action 'reset-both' and packet capture 'extended-capture'
B. action 'default' and packet capture 'single-packet'
C. action 'reset-both' and packet capture 'single-packet'
D. action 'reset-server' and packet capture 'disable'
Answer: C
Explanation:
https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-
internet-gateway-security-policy/create-best-practice-security-profiles
"Enable extended-capture for critical, high, and medium severity events and single-packet capture for
low severity events. " https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-
help/objects/objects-security-profiles-vulnerability-protection

119.Which Panorama feature protects logs against data loss if a Panorama server fails?
A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside
the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA
Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the
Collector Group
Answer: A The correct answer is B

120.A company has configured a URL Filtering profile with override action on their firewall.
Which two profiles are needed to complete the configuration? (Choose two)

46 / 92
 The safer , easier way to help you pass any IT exams.

A. SSUTLS Service
B. HTTP Server
C. Decryption
D. Interface Management
Answer: A,D

121.With the default TCP and UDP settings on the firewall, what will be the identified application in the
following session?

A. Incomplete
B. unknown-udp
C. Insufficient-data
D. not-applicable
Answer: B D is correct

122.Which statement about High Availability timer settings is true?

A. Use the Moderate timer for typical failover timer settings.
B. Use the Critical timer for taster failover timer settings.
C. Use the Recommended timer tor faster failover timer settings.
D. Use the Aggressive timer for taster failover timer settings
Answer: C

123.A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link.
They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone
which options differentiates multiple VLAN into separate zones?
A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096 in the "Tag Allowed"
field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag
Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for
untagged traffic. Assign each interface/sub interface to a unique zone.

47 / 92
 The safer , easier way to help you pass any IT exams.

C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual
router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterfacet
A. unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for
every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface
to a unique zone.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-
interfaces/vlan-tagged-traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to
connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN
(VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple sub interfaces, add
them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN
tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags
or for VLAN tags from a specific source IP address, range, or subnet.

124.An engineer has discovered that certain real-time traffic is being treated as best effort due to it
exceeding defined bandwidth
Which QoS setting should the engineer adjust?
A. QoS profile: Egress Max
B. QoS interface: Egress Guaranteed
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max
Answer: C
Explanation:
When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-
bandwidth-management

125.During the implementation of SSL Forward Proxy decryption, an administrator imports the
company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root
and Intermediate CA certificates are also distributed to trusted devices using Group Policy and
GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA
chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust
certificates on the firewall for use with decryption?
A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Answer: B

126.An administrator has configured the Palo Alto Networks NGFW’s management interface to connect

48 / 92
 The safer , easier way to help you pass any IT exams.

to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?
A. A scheduler will need to be configured for application signatures.
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the
update servers.
C. A Threat Prevention license will need to be installed.
D. A service route will need to be configured.
Answer: A
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-
help/device/device-dynamic-updates

127.An administrator analyzes the following portion of a VPN system log and notices the following issue
"Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type
IPv4 address protocol 0 port 0."
What is the cause of the issue?
A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway
Answer: C
Explanation:
According to the Palo Alto Networks documentation, “A successful phase 2 negotiation requires not only
that the security proposals match, but also the proxy-ids on either peer, be a mirror image of each other.
So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between the Palo Alto
Network firewall and the firewalls configured for policy-based VPNs.” The log message indicates that the
local and remote IDs are identical, which means they are not mirrored.
References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

128.An enterprise information Security team has deployed policies based on AD groups to restrict user
access to critical infrastructure systems However a recent phisning campaign against the organization
has prompted Information Security to look for more controls that can secure access to critical assets For
users that need to access these systems Information Security wants to use PAN-OS multi-factor
authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA1?
A. Configure a Captive Porta1 authentication policy that uses an authentication profile that references a
RADIUS profile
B. Create an authentication profile and assign another authentication factor to be used by a Captive
Portal authentication policy
C. Configure a Captive Portal authentication policy that uses an authentication sequence
D. Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-

49 / 92
 The safer , easier way to help you pass any IT exams.

authentication

129.What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links
Answer: A
Explanation:
From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not
all IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE
phase 1 SA information is NOT synchronized between the HA firewalls."
And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security
associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always
unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCA
W&lang=en_US%E2%80%A9&refURL=https%3A%2F%2F2.zoppoz.workers.dev%3A443%2Fhttp%2Fknowledgebase.paloaltonetworks .com%2FKC
SArticleDetail

130.A company is looking to increase redundancy in their network.

Which interface type could help accomplish this?
A. Layer 2
B. Virtual wire
C. Tap
D. Aggregate ethernet
Answer: D
Explanation:
An aggregate group increases the bandwidth between peers by load balancing traffic across the
combined interfaces. It also provides redundancy https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-
networking-admin/configure-interfaces/configure-an-aggregate-interface-group#id9c0f5a8b-0aad-4be5-
821d-ef9d7c11a88d

131.A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward
Secrecy) needs to be enabled.
What action should the engineer take?
A. Add an authentication algorithm in the IPSec Crypto profile.
B. Enable PFS under the IPSec Tunnel advanced options.
C. Select the appropriate DH Group under the IPSec Crypto profile.
D. Enable PFS under the IKE gateway advanced options
Answer: D

132.A client wants to detect the use of weak and manufacturer-default passwords for loT devices.
Which option will help the customer?
A. Configure a Data Filtering profile with alert mode.

50 / 92
 The safer , easier way to help you pass any IT exams.

B. Configure an Antivirus profile with alert mode.

C. Configure a Vulnerability Protection profile with alert mode
D. Configure an Anti-Spyware profile with alert mode.
Answer: C

133.A firewall administrator is investigating high packet buffer utilization in the company firewall. After
looking at the threat logs and seeing many flood attacks coming from a single source that are dropped a
by the firewall, the administrator decides to enable packet butter protection to protect against similar
attacks.
The administrator enables packet buffer protection globally in the firewall but still sees a high packet
buffer utilization rate.
What else should the administrator do to stop packet buffers from being overflowed?
A. Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.
B. Enable packet buffer protection for the affected zones.
C. Add a Zone Protection profile to the affected zones.
D. Apply DOS profile to security rules allow traffic from outside.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-
defense/packet-buffer-protection

134.Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose
three.)
A. Video Streaming Application
B. Destination Domain
C. Client Application Process
D. Source Domain
E. URL Category
Answer: B,C,E A, B, C is correct answer
Explanation:
The GlobalProtect Gateway supports three methods for split tunneling23:
✑ Access Route — You can define a list of IP addresses or subnets that are accessible through the VPN
tunnel. All other traffic goes directly to the internet.
✑ Domain and Application — You can define a list of domains or applications that are accessible
through the VPN tunnel. All other traffic goes directly to the internet. You can also use this method to
exclude specific domains or applications from the VPN tunnel.
✑ Video Traffic — You can exclude video streaming traffic from the VPN tunnel based on predefined
categories or custom URLs. This method reduces latency and jitter for video streaming applications.

135.An administrator is configuring SSL decryption and needs 10 ensure that all certificates for both SSL
Inbound inspection and SSL Forward Proxy are installed properly on the firewall.
When certificates are being imported to the firewall for these purposes, which three certificates require a
private key? (Choose three.)
A. Forward Untrust certificate

51 / 92
 The safer , easier way to help you pass any IT exams.

B. Forward Trust certificate

C. Enterprise Root CA certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)
Answer: A,B,D A,B,D is correct answer
Explanation:
This is discussed in the Palo Alto Networks PCNSE Study Guide in Chapter 9: Decryption, under the
section "SSL Forward Proxy and Inbound Inspection Certificates":
"When importing SSL decryption certificates, you need to provide private keys for the forward trust,
forward untrust, and end-entity (leaf) certificates. You do not need to provide private keys for the root CA
and intermediate certificates."

136.An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10 2? (Choose three.)
A. PA-5000 Series
B. PA-500
C. PA-800 Series
D. PA-220
E. PA-3400 Series
Answer: C,D,E
Explanation:
According to the Palo Alto Networks Compatibility Matrix1, the three platforms that support PAN-OS 10.2
are:
✑ PA-800 Series2
✑ PA-2202
✑ PA-3400 Series2
The PA-5000 Series and PA-500 do not support PAN-OS 10.22.
To upgrade devices to PAN-OS 10.2 using Panorama, you need to determine the upgrade path3,
upgrade Panorama itself4, and then upgrade the firewalls using Panorama5.

137.PBF can address which two scenarios? (Select Two)

A. forwarding all traffic by using source port 78249 to a specific egress interface
B. providing application connectivity the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
Answer: B,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/use-case-
pbf-for-outbound-access-with-dual-isps

138.A web server is hosted in the DMZ and the server is configured to listen for incoming connections on
TCP port 443 A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from
Trust to DMZ is being decrypted with a Forward Proxy rule.

52 / 92
 The safer , easier way to help you pass any IT exams.

Which combination of service and application, and order of Security policy rules, needs to be configured
to allow cJeartext web-browsing traffic to this server on tcp/443?
A. Rule #1 application: web-browsing; service application-default; action: allow
Rule #2-application: ssl; service: application-default; action: allow
B. Rule #1: application; web-browsing; service: service-https; action: allow
Rule #2 application: ssl; service: application-default, action: allow
C. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow
D. Rule tf1 application: ssl; service: application-default; action: allow
Rule #2 application: web-browsing; service application-default; action: allow
Answer: B

139.How does Panorama prompt VMWare NSX to quarantine an infected VM?

A. Email Server Profile
B. Syslog Sewer Profile
C. SNMP Server Profile
D. HTTP Server Profile
Answer: B D is correct

140.An internal system is not functioning. The firewall administrator has determined that the incorrect
egress interface is being used. After looking at the configuration, the administrator believes that the
firewall is not using a static route.
What are two reasons why the firewall might not use a static route? (Choose two.)
A. no install on the route
B. duplicate static route
C. path monitoring on the static route
D. disabling of the static route
Answer: A,C
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-
removal-based-on-path-monitoring.html
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static-routes/configure-a-static-
route.html

141.When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn
on the feature inside which type of SD-WAN profile?
A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile
Answer: C
Explanation:
To enable forward error correction (FEC) for PAN-OS SD-WAN, you need to create an SD-WAN

53 / 92
 The safer , easier way to help you pass any IT exams.

Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile
to one or more interfaces. Then you need to create an Error Correction Profile to implement FEC or
packet duplication.
References: https://docs.paloaltonetworks.com/sd-wan/2-0/sd-wan-admin/configure-sd-wan/create-an-
error-correction-profile

142.The UDP-4501 protocol-port is used between which two GlobalProtect components?

A. GlobalProtect app and GlobalProtect gateway
B. GlobalProtect portal and GlobalProtect gateway
C. GlobalProtect app and GlobalProtect satellite
D. GlobalProtect app and GlobalProtect portal
Answer: A
Explanation:
UDP 4501 Used for IPSec tunnel connections between GlobalProtect apps and gateways.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-
number-usage/ports-used-for-globalprotect.html

143.In a Panorama template which three types of objects are configurable? (Choose three)
A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles
Answer: A,C,E
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-
firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-
a-base-configuration

144.Refer to the diagram.

Users at an internal system want to ssh to the SSH server. The server is configured to respond only to
the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be
configured on the firewall?
A)

54 / 92
 The safer , easier way to help you pass any IT exams.

B)

C)

D)

A. Option A

55 / 92
 The safer , easier way to help you pass any IT exams.

B. Option B
C. Option C
D. Option D
Answer: C

145.An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to
identify with App-ID.
Why would the application field display as incomplete?
A. The client sent a TCP segment with the PUSH flag set.
B. The TCP connection was terminated without identifying any application data.
C. There is insufficient application data after the TCP connection was established.
D. The TCP connection did not fully establish.
Answer: C D is correct answer

146.Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate
installed?
A. Cortex Data Lake
B. Panorama
C. On Palo Alto Networks Update Servers
D. M600 Log Collectors
Answer: A
Explanation:
The Device Telemetry data is stored on Cortex Data Lake3, which is a cloud-based service that collects
and stores logs from your firewalls and other sources. Cortex Data Lake also enables you to analyze and
visualize your data using various applications. To use Device Telemetry, you need to install a device
certificate on your firewall3. This certificate authenticates your firewall to Cortex Data Lake and encrypts
the data in transit.

147.An engineer is in the planning stages of deploying User-ID in a diverse directory services
environment.
Which server OS platforms can be used for server monitoring with User-ID?
A. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory
B. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange
C. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory
D. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
Answer: B C is correct
Explanation:
https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-
agent-monitor

148.The firewall identifies a popular application as an unKnown-tcp.

Which two options are available to identify the application? (Choose two.)
A. Create a custom application.
B. Submit an App-ID request to Palo Alto Networks.

56 / 92
 The safer , easier way to help you pass any IT exams.

C. Create a custom object for the application server.

D. Create a Security policy to identify the custom application.
Answer: A,B

149.An engineer needs to see how many existing SSL decryption sessions are traversing a firewall
What command should be used?
A. show dataplane pool statistics I match proxy
B. debug dataplane pool statistics I match proxy
C. debug sessions I match proxy
D. show sessions all
Answer: B

150.Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway
Answer: C
Explanation:
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new
gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an
existing one. https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5

151.An administrator is attempting to create policies tor deployment of a device group and template
stack. When creating the policies, the zone drop down list does not include the required zone.
What must the administrator do to correct this issue?
A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template
Answer: C
Explanation:
According to the Palo Alto Networks documentation, “To use a template stack for a device group, you
must add the template stack as a reference template in the device group. This enables you to use zones
and interfaces defined in the template stack when creating policies for the device group.”
References: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-
firewalls/manage-templates-and-template-stacks

152.You need to allow users to access the office-suite applications of their choice.
How should you configure the firewall to allow access to any office-suite application?
A. Create an Application Group and add Office 365, Evernote Google Docs and Libre Office
B. Create an Application Group and add business-systems to it.
C. Create an Application Filter and name it Office Programs, then filter it on the office programs
subcategory.

57 / 92
 The safer , easier way to help you pass any IT exams.

D. Create an Application Filter and name it Office Programs then filter on the business-systems category.
Answer: C
Explanation:
According to the Palo Alto Networks documentation, “Application filters enable you to create groups of
applications based on specific characteristics such as subcategory, technology, risk factor, and so on.
You can then use these groups in Security policy rules to allow or block access to the applications. For
example, you can create an application filter that includes all applications in the office-programs
subcategory and use it in a Security policy rule to allow access to any office-suite application.”
References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/manage-applications-
in-a-policy/use-application-filters-in-policy

153.What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the
GlobalProtect gateway?
A. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
B. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
C. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
Answer: A Correct B

154.Before you upgrade a Palo Alto Networks NGFW, what must you do?
A. Make sure that the PAN-OS support contract is valid for at least another year
B. Export a device state of the firewall
C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that
support the licensed subscriptions.
D. Make sure that the firewall is running a supported version of the app + threat update
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade-
checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00 "Verify the minimum content release version."
Before you upgrade, make sure the firewall is running a version of app + threat (content version) that
meets the minimum requirement of the new PAN-OS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

155.The administrator for a small company has recently enabled decryption on their Palo Alto Networks
firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust
certificate and set them as such
The admin has not yet installed the root certificate onto client systems
What effect would this have on decryption functionality?
A. Decryption will function and there will be no effect to end users
B. Decryption will not function because self-signed root certificates are not supported
C. Decryption will not function until the certificate is installed on client systems
D. Decryption will function but users will see certificate warnings for each SSL site they visit
Answer: D

58 / 92
 The safer , easier way to help you pass any IT exams.

156.Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be
taken?
A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is
properly sized to support DoS and zone protection
B. Create a zone protection profile with flood protection configured to defend an entire egress zone
against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
C. Add a WildFire subscription to activate DoS and zone protection features
D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series
systems
Answer: A
Explanation:
1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-
and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-
practices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%
20perimeter.
2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-
protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-
cps.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

157.An administrator wants to enable WildFire inline machine learning.

Which three file types does WildFire inline ML analyze? (Choose three.)
A. MS Office
B. ELF
C. APK
D. VBscripts
E. Powershell scripts
Answer: C, D, E

158.Review the screenshot of the Certificates page.

An administrator tor a small LLC has created a series of certificates as shown, to use tor a planned
Decryption roll out The administrator has also installed the sell-signed root certificate <n all client
systems When testing, they noticed that every time a user visited an SSL site they received unsecured
website warnings What is the cause of the unsecured website warnings.
A. The forward trust certificate has not been signed by the set-singed root CA certificate
B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
C. The forward untrust certificate has not been signed by the self-singed root CA certificate
D. The forward trust certificate has not been installed in client systems
Answer: C The correct answer is A

59 / 92
 The safer , easier way to help you pass any IT exams.

159.Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to
firewalls inside the DATACENTER_DG device group?
A. shared pre-rules
DATACENTER DG pre rules
rules configured locally on the firewall
shared post-rules
DATACENTER_DG post-rules
DATACENTER.DG default rules
B. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
shared post-rules
DATACENTER.DG post-rules
shared default rules
C. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
shared default rules
D. shared pre-rules
DATACENTER_DG pre-rules
rules configured locally on the firewall
DATACENTER_DG post-rules
shared post-rules
DATACENTER_DG default rules
Answer: A

160.An engineer is tasked with enabling SSL decryption across the environment.
What are three valid parameters of an SSL Decryption policy? (Choose three.)
A. URL categories
B. source users
C. source and destination IP addresses
D. App-ID
E. GlobalProtect HIP
Answer: A,B,C

161.Which CLI command is used to determine how much disk space is allocated to logs?

60 / 92
 The safer , easier way to help you pass any IT exams.

A. show logging-status
B. show system info
C. debug log-receiver show
D. show system logdfo-quota show system logdb-quota
Answer: D

162.SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website
https //www important-website com certificate End-users are receiving me "security certificate is not
trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted
and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.
The network security administrator who represents the customer requires the following two behaviors
when SSL Forward Proxy is enabled:
1 End-users must not get the warning for the https://www.very-important-website.com website.
2 End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?
A. Navigate to Device > Certificate Management > Certificates > Device Certificates import Well-Known-
lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the
configuration
B. Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems
m the user and local computer stores
C. Navigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities
import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box
and commit the configuration
D. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the
configuration
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-
management-certificates/manage-default-trusted-certificate-authorities

163.How can an administrator use the Panorama device-deployment option to update the apps and
threat version of an HA pair of managed firewalls?
A. Configure the firewall's assigned template to download the content updates.
B. Choose the download and install action for both members of the HA pair in the Schedule object.
C. Switch context to the firewalls to start the download and install process.
D. Download the apps to the primary; no further action is required.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/use-case-
configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/add-the-managed-
firewalls-and-deploy-updates

164.An organization wishes to roll out decryption but gets some resistance from engineering leadership
regarding the guest network.

61 / 92
 The safer , easier way to help you pass any IT exams.

What is a common obstacle for decrypting traffic from guest devices?

A. Guest devices may not trust the CA certificate used for the forward untrust certificate.
B. Guests may use operating systems that can't be decrypted.
C. The organization has no legal authority to decrypt their traffic.
D. Guest devices may not trust the CA certificate used for the forward trust certificate.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-
practices/plan-ssl-decryption-best-practice-deployment https://live.paloaltonetworks.com/t5/general-
topics/decrypt-guest-network-traffic/td-p/119388

165.Which statement regarding HA timer settings is true?

A. Use the Recommended profile for typical failover timer settings
B. Use the Moderate profile for typical failover timer settings
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.
Answer: A
Explanation:
The Recommended profile is the default profile that provides typical failover timer settings for most
deployments. The other profiles are designed for specific scenarios where faster or slower failover is
desired.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-
concepts/ha-timers

166.An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP
addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft
Exchange servers, which can provide logs for login events.
All six servers have IP addresses assigned from the following subnet: 192.168 28.32/27. The Microsoft
Active Directory servers reside in 192.168.28.32/28. and the Microsoft Exchange servers resideL in
192.168.28 48/28
What information does the administrator need to provide in the User Identification > Discovery section?
A. The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for
each of the six servers
B. Network 192 168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28
with server type Microsoft Exchange
C. Network 192 168 28.32/27 with server type Microsoft
D. One IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically
obtain all five of the other servers
Answer: A
Explanation:
The administrator needs to provide the IP address and corresponding server type (Microsoft Active
Directory or Microsoft Exchange) for each of the six servers in the User Identification > Discovery
section. The administrator should enter the network address of 192.168.28.32/28 and select “Microsoft
Active Directory” as the server type for the four Active Directory servers and enter the network address of

62 / 92
 The safer , easier way to help you pass any IT exams.

192.168.28.48/28 and select

“Microsoft Exchange” as the server type for the two Exchange servers. This will allow the User-ID agent
to discover and map the IP address of each server to the corresponding username.

167.What would allow a network security administrator to authenticate and identify a user with a new
BYOD-type device that is not joined to the corporate domain'?
A. a Security policy with 'known-user" selected in the Source User field
B. an Authentication policy with 'unknown' selected in the Source User field
C. a Security policy with 'unknown' selected in the Source User field
D. an Authentication policy with 'known-user' selected in the Source User field
Answer: B
Explanation:
An Authentication policy with ‘unknown’ selected in the Source User field would allow a network security
administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the
corporate domain. This policy would prompt the user to enter their credentials when they access a web-
based application or service that requires authentication. The firewall would then use User-ID to map the
user to the device and apply the appropriate security policies based on the user identity.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-an-
authentication-policy

168.An administrator wants multiple web servers In the DMZ to receive connections initiated from the
internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

63 / 92
 The safer , easier way to help you pass any IT exams.

C)

D)

A. Option
B. Option
C. Option
D. Option
Answer: B

169.Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data
Lake?
A. Legacy
B. Log Collector
C. Panorama
D. Management Only
Answer: D

170.An administrator needs to evaluate a recent policy change that was committed and pushed to a
firewall device group.
How should the administrator identify the configuration changes?
A. review the configuration logs on the Monitor tab
B. click Preview Changes under Push Scope
C. use Test Policy Match to review the policies in Panorama
D. context-switch to the affected firewall and use the configuration audit tool
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-

64 / 92
 The safer , easier way to help you pass any IT exams.

interface/panorama-commit-operations.html

171.A standalone firewall with local objects and policies needs to be migrated into Panorama.
What procedure should you use so Panorama is fully managing the firewall?
A. Use the "import Panorama configuration snapshot" operation, then perform a device-group commit
push with "include device and network templates"
B. Use the "import device configuration to Panorama" operation, then "export or push device config
bundle" to push the configuration
C. Use the "import Panorama configuration snapshot" operation, then "export or push device config
bundle" to push the configuration
D. Use the "import device configuration to Panorama" operation, then perform a device-group commit
push with "include device and network templates"
Answer: B
Explanation:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-
to-panorama-management/migrate-a-firewall-to-panorama-management.html

172.The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by
upgrading the Panorama servers, but gets an error when trying to install.
When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed
install?
A. Management only mode
B. Expired certificates
C. Outdated plugins
D. GlobalProtect agent version
Answer: A

173.An administrator needs firewall access on a trusted interface.

Which two components are required to configure certificate based, secure authentication to the web Ul?
(Choose two)
A. certificate profile
B. server certificate
C. SSH Service Profile
D. SSL/TLS Service Profile
Answer: A,D

174.An engineer is pushing configuration from Panorama lo a managed firewall.

What happens when the pushed Panorama configuration has Address Object names that duplicate the
Address Objects already configured on the firewall?
A. The firewall rejects the pushed configuration, and the commit fails.
B. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will
update the references to the objects accordingly and fully commit the pushed configuration.
C. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects
D. The firewall ignores only the pushed objects that have the same name as the locally configured

65 / 92
 The safer , easier way to help you pass any IT exams.

objects, and it will commit the rest of the pushed configuration.

Answer: A

175.DRAG DROP
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama
configuration Place the steps in order.

Answer:

Explanation:

66 / 92
 The safer , easier way to help you pass any IT exams.

Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical
support file.
Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.
Step 3. Upload or drag and drop the technical support file.
Step 4. Map the zone type and area of the architecture to each zone.
Step 5. Follow the steps to download the BPA report bundle.

176.A system administrator runs a port scan using the company tool as part of vulnerability check. The
administrator finds that the scan is identified as a threat and is dropped by the firewall. After further
investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.
What should the administrator do to allow the tool to scan through the firewall?
A. Remove the Zone Protection profile from the zone setting.
B. Add the tool IP address to the reconnaissance protection source address exclusion in the Zone
Protection profile.
C. Add the tool IP address to the reconnaissance protection source address exclusion in the DoS
Protection profile.
D. Change the TCP port scan action from Block to Alert in the Zone Protection profile.
Answer: C

177.View the screenshots.

67 / 92
 The safer , easier way to help you pass any IT exams.

A QoS profile and policy rules are configured as shown. Based on this information, which two statements
are correct? (Choose two.)
A. DNS has a higher priority and more bandwidth than SSH.
B. Google-video has a higher priority and more bandwidth than WebEx.
C. SMTP has a higher priority but lower bandwidth than Zoom.
D. Facetime has a higher priority but lower bandwidth than Zoom.
Answer: A,D

178.Which User-ID mapping method should be used in a high-security environment where all IP
address-to-user mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration
Answer: B

179.Where is information about packet buffer protection logged?

A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and
blocked IP address are in the Threat log
B. All entries are in the System log
C. Alert entries are in the System log. Entries for dropped traffic, discarded sessions and
blocked IP addresses are in the Threat log
D. All entries are in the Alarms log
Answer: D C is correct answer
Explanation:

68 / 92
 The safer , easier way to help you pass any IT exams.

Graphical user interface, text, application

Description automatically generated

180.Which statement best describes the Automated Commit Recovery feature?

A. It performs a connectivity check between the firewall and Panorama after every configuration commit
on the firewall. It reverts the configuration changes on the firewall if the check fails.
B. It restores the running configuration on a firewall and Panorama if the last configuration commit fails.
C. It performs a connectivity check between the firewall and Panorama after every configuration commit
on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.
D. It restores the running configuration on a firewall if the last configuration commit fails.
Answer: A

181.Review the images.

69 / 92
 The safer , easier way to help you pass any IT exams.

A firewall policy that permits web traffic includes the.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?
A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for
180 minutes.
B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180
minutes.
C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180
minutes.
D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180
minutes.
Answer: D C is correct answer

182.Using multiple templates in a stack to manage many firewalls provides which two advantages?
(Choose two.)
A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security polices across all stacks
Answer: B,C C & D is correct answer
Explanation:
Using multiple templates in a stack to manage many firewalls provides the advantages of defining a
common standard template configuration for firewalls and standardizing server profiles and
authentication configuration across all stacks. A template stack is a container for multiple templates that
you can assign to firewalls and firewall groups. The templates in a stack are prioritized so that the
settings in a higher-priority template override the same settings in a lower-priority template. This allows
you to create a hierarchy of templates that define common settings for all firewalls and specific settings
for different groups of firewalls.
References: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-
firewalls/manage-templates-and-template-stacks

183.What are two best practices for incorporating new and modified App-IDs? (Choose two)
A. Configure a security policy rule to allow new App-lDs that might have network-wide impact
B. Study the release notes and install new App-IDs if they are determined to have low impact
C. Perform a Best Practice Assessment to evaluate the impact or the new or modified App-IDs
D. Run the latest PAN-OS version in a supported release tree to have the best performance for the new
App-IDs
Answer: A,B

184.Which statement accurately describes service routes and virtual systems?

A. Virtual systems that do not have specific service routes configured inherit the global service and
service route settings for the firewall.
B. Virtual systems can only use one interface for all global service and service routes of the firewall.
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the
global service and service route settings for the firewall.

70 / 92
 The safer , easier way to help you pass any IT exams.

D. The interface must be used for traffic to the required external services.
Answer: A

185.A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their
DMZ to prevent the hosted service from being exploited.
Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS
encapsulation?
A. Decryption policy and a Data Filtering profile
B. a WildFire profile and a File Blocking profile
C. Vulnerability Protection profile and a Decryption policy
D. a Vulnerability Protection profile and a QoS policy
Answer: C

186.What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect
user?
A. SSL/TLS Service profile
B. Certificate profile
C. SCEP
D. OCSP Responder
Answer: C

187.A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an
external router using the BGP protocol. The peer relationship is not establishing.
What command could the engineer run to see the current state of the BGP state between the two
devices?
A. show routing protocol bgp state
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp rib-out
Answer: C
Explanation:
The show routing protocol bgp summary command displays the current state of the BGP peer
relationship between the firewall and other BGP routers. The output includes the peer IP address, AS
number, uptime, prefix count, state, and status codes.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/show-the-
routing-table-and-statistics

188.A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto
Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way that is
minimally invasive?
A. Layer 3
B. Virtual Wire
C. Tap

71 / 92
 The safer , easier way to help you pass any IT exams.

D. Layer 2
Answer: C
Explanation:
A tap interface is best suited to provide the raw data for an SLR from the network in a way that is
minimally invasive. A tap interface allows the firewall to passively monitor network traffic without affecting
the flow of traffic. The firewall can analyze the traffic and generate reports based on the application, user,
content, and threat information.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-
interfaces/configure-a-tap-interface

189.Which feature checks Panorama connectivity status after a commit?

A. Automated commit recovery
B. Scheduled config export
C. Device monitoring data under Panorama settings
D. HTTP Server profiles
Answer: A

190.A remote administrator needs firewall access on an untrusted interface.

Which two components are required on the firewall to configure certificate-based administrator
authentication to the web Ul? (Choose two)
A. client certificate
B. certificate profile
C. certificate authority (CA) certificate
D. server certificate
Answer: B,C
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-
administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-
administrator-authentication-to-the-web-interface.html

191.Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)
A. SSH key
B. User logon
C. Short message service
D. One-Time Password
E. Push
Answer: B,D,E C,D,E are correct answer
Explanation:
According to Palo Alto Networks documentation123, multi-factor
authentication (MFA) is a method of verifying a user’s identity using two or more factors, such as
something they know, something they have, or something they are.
The firewall supports MFA for administrative access, GlobalProtect VPN access, and Captive Portal
access. The firewall can integrate with external MFA providers such as RSA SecurID, Duo Security, or
Okta Verify.

72 / 92
 The safer , easier way to help you pass any IT exams.

The three firewall MFA factors that are supported by PAN-OS are:
✑ User logon: This is something the user knows, such as a username and password.
✑ One-Time Password: This is something the user has, such as a code generated by an app or sent by
email or SMS.
✑ Push: This is something the user is, such as a biometric verification or a device approval.

192.An engineer has been asked to limit which routes are shared by running two different areas within
an OSPF implementation. However, the devices share a common link for communication.
Which virtual router configuration supports running multiple instances of the OSPF protocol over a single
link?
A. ASBR
B. ECMP
C. OSPFv3
D. OSPF
Answer: C
Explanation:
Support for multiple instances per link—With OSPFv3, you can run multiple
instances of the OSPF protocol over a single link. This is accomplished by assigning an
OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets
that contain a different ID.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospf-
concepts/ospfv3

193.What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption?
(Choose two.)
A. the website matches a category that is not allowed for most users
B. the website matches a high-risk category
C. the web server requires mutual authentication
D. the website matches a sensitive category
Answer: C,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/palo-alto-
networks-predefined-decryption-exclusions.html
The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption commonly
used sites that break decryption because of technical reasons such as pinned certificates and mutual
authentication.

194.Which data flow describes redistribution of user mappings?

A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama
Answer: B
Explanation:

73 / 92
 The safer , easier way to help you pass any IT exams.

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-
redistribute-user-mapping-information https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-
id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-
timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-
181679306809

195.What type of address object would be useful for internal devices where the addressing structure
assigns meaning to certain bits in the address, as illustrated in the diagram?

A. IP Netmask
B. IP Wildcard Mask
C. IP Address
D. IP Range
Answer: B

196.What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)
A. Destination Zone
B. App-ID
C. Custom URL Category
D. User-ID
E. Source Interface
Answer: A,C,D
Explanation:
The valid qualifiers for a Decryption Policy Rule match are:
✑ Source Zone
✑ Destination Zone
✑ Source Address
✑ Destination Address
✑ Source User
✑ Destination User
✑ Source Region
✑ Destination Region
✑ Service/URL Category
✑ Custom URL Category
✑ URL Filtering Profile
Therefore, out of the options given, Destination Zone, Custom URL Category, and User-ID are valid
qualifiers.

74 / 92
 The safer , easier way to help you pass any IT exams.

References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-
decryption-policies.html

197.After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed
commit with the following details.

What are two explanations for this type of issue? (Choose two)
A. The peer IP is not included in the permit list on Management Interface Settings
B. The Backup Peer HA1 IP Address was not configured when the commit was issued
C. Either management or a data-plane interface is used as HA1-backup
D. One of the firewalls has gone into the suspended state
Answer: B,C
Explanation:
Cause The issue is seen when the HA1-backup is configured with either management (MGT) or an in-
band interface. The "Backup Peer HA1 IP Address" is not configured:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU&lang=en_U
S%E2%80%A9

198.A network security engineer configured IP multicast in the virtual router to support a new application.
Users in different network segments are reporting that they are unable to access the application.
What must be enabled to allow an interface to forward multicast traffic?
A. IGMP
B. PIM
C. BFD
D. SSM
Answer: B
Explanation:
A protocol that enables routers to forward multicast traffic efficiently based on
the source and destination addresses. PIM can operate in two modes: sparse mode (PIM-SM) or dense
mode (PIM-DM). PIM-SM uses a rendezvous point (RP) as a central point for distributing multicast traffic,
while PIM-DM uses flooding and pruning techniques2.
to enable PIM on the interface which allows routers to forward multicast traffic using either sparse mode
or dense mode depending on your network topology and requirements.

199.Refer to the exhibit.

75 / 92
 The safer , easier way to help you pass any IT exams.

Review the screenshots and consider the following information:

• FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
• There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
A. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.
B. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.
Answer: C

200.Which source is the most reliable for collecting User-ID user mapping?
A. GlobalProtect
B. Microsoft Active Directory
C. Microsoft Exchange
D. Syslog Listener
Answer: A

76 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
User-ID is a feature that enables you to identify and control users on your network based on their
usernames instead of their IP addresses1. User mapping is the process of mapping IP addresses to
usernames using various sources of information1. The most reliable source for collecting User-ID user
mapping is GlobalProtect2.
GlobalProtect is a solution that provides secure access to your network and resources from anywhere.
GlobalProtect agents on endpoints send user mapping information directly to the firewall or Panorama,
which eliminates the need for probing other sources2. GlobalProtect also supports dynamic IP address
changes and roaming users2.

201.An administrator is receiving complaints about application performance degradation. After checking
the ACC. the administrator observes that there Is an excessive amount of SSL traffic
Which three elements should the administrator configure to address this issue? (Choose
three.)
A. QoS on the ingress Interface for the traffic flows
B. An Application Override policy for the SSL traffic
C. A QoS policy for each application ID
D. A QoS profile defining traffic classes
E. QoS on the egress interface for the traffic flows
Answer: B,C,D

202.Where can an administrator see both the management-plane and data-plane CPU utilization in the
WebUI?
A. System Resources widget
B. System Logs widget
C. Session Browser
D. General Information widget
Answer: A
Explanation:
The System Resources widget of the Exadata WebUI, displays a real-time overview of the various
resources like CPU, Memory, and I/O usage across the entire Exadata Database Machine. It shows the
usage of both management-plane and data-plane CPU utilization.
System Resources Widget Displays the Management CPU usage, Data Plane usage, and the Session
Count (the number of sessions established through the firewall or Panorama).
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/dashboard/dashboard-
widgets.html

203.What is the best definition of the Heartbeat Interval?

A. The interval in milliseconds between hello packets
B. The frequency at which the HA peers check link or path availability
C. The frequency at which the HA peers exchange ping
D. The interval during which the firewall will remain active following a link monitor failure
Answer: A C is correct answer
Explanation:

77 / 92
 The safer , easier way to help you pass any IT exams.

According to the Palo Alto Networks Knowledge Base12, the best definition of the Heartbeat Interval is A.
The interval in milliseconds between hello packets.
The Heartbeat Interval is a CLI command that configures how often an HA peer sends an ICMP ping to
its partner through the HA control link. The ping verifies network connectivity and ensures that the peer
kernel is responsive. The default value is 1000ms for all Palo Alto Networks platforms.

204.Your company occupies one floor in a single building. You have two Active Directory domain
controllers on a single network. The firewall's management-plane resources are lightly utilized.
Given the size of this environment, which User-ID collection method is sufficient?
A. Citrix terminal server agent deployed on the network
B. Windows-based agent deployed on each domain controller
C. PAN-OS integrated agent deployed on the firewall
D. a syslog listener
Answer: C

205.An engineer is creating a template and wants to use variables to standardize the configuration
across a large number of devices
Which Mo variable types can be defined? (Choose two.)
A. Path group
B. Zone
C. IP netmask
D. FQDN
Answer: C,D

206.An engineer has been given approval to upgrade their environment 10 PAN-OS 10 2
The environment consists of both physical and virtual firewalls a virtual Panorama HA pair, and virtual log
collectors
What is the recommended order when upgrading to PAN-OS 10.2?
A. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls
B. Upgrade the firewalls upgrade log collectors, upgrade Panorama
C. Upgrade the firewalls upgrade Panorama, upgrade the log collectors
D. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
Answer: B

207.A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny."
Which action will this configuration cause on the matched traffic?
A. The Profile Settings section will be grayed out when the Action is set to "Deny"
B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit
C. The configuration will allow the matched session unless a vulnerability signature is detected.
D. The "Deny" action will supersede the per-severity defined actions defined in the associated
Vulnerability Protection Profile It will cause the firewall to deny the matched sessions.
Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny"
Answer: D
Explanation:

78 / 92
 The safer , easier way to help you pass any IT exams.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html
First note in above link states:
"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan
traffic after the application or category is allowed by the security policy."
The first thing the firewall checks per it's flow is the security policy match and action. The Security Profile
never gets checked if a match happens on a policy set to deny that match.

208.SAML SLO is supported for which two firewall features? (Choose two.)
A. GlobalProtect Portal
B. CaptivePortal
C. WebUI
D. CLI
Answer: A,B A and C is correct
Explanation:
SSO is available to administrators who access the web interface and to end users who access
applications through GlobalProtect or Captive Portal. SLO is available to administrators and
GlobalProtect end users, but not to Captive Portal end users.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-server-profiles-
saml-identity-provider

209.An administrator has configured a pair of firewalls using high availability in Active/Passive mode.
Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group
configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set
to "all."
Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?
A. Non-functional
B. Passive
C. Active-Secondary
D. Active
Answer: D

210.A customer is replacing their legacy remote access VPN solution The current solution is in place to
secure only internet egress for the connected clients Prisma Access has been selected to replace the
current remote access VPN solution During onboarding the following options and licenses were selected
and enabled
- Prisma Access for Remote Networks 300Mbps
- Prisma Access for Mobile Users 1500 Users
- Cortex Data Lake 2TB
- Trusted Zones trust
- Untrusted Zones untrust
- Parent Device Group shared
How can you configure Prisma Access to provide the same level of access as the current VPN solution?
A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound

79 / 92
 The safer , easier way to help you pass any IT exams.

to the internet
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the
desired traffic outbound to the internet
C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow
the desired traffic outbound to the internet
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound
to the internet
Answer: D A is correct answer

211.An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.
Which of the following statements is consistent with SSL decryption best practices?
A. The forward trust certificate should not be stored on an HSM.
B. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.
C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL
decryption
D. The forward untrust certificate should not be signed by a Trusted Root CA
Answer: B
Explanation:
According to the PCNSE Study Guide1, SSL forward proxy is a feature that allows the firewall to decrypt
and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the
server, generating a certificate on the fly for each site.
The best practices for configuring SSL forward proxy are23:
✑ Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients.
This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The
clients will not see any certificate errors if they trust the forward trust certificate.
✑ Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign
certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they
do not trust the forward untrust certificate.
This helps alert users of potential risks and prevent man-in-the-middle attacks.
✑ Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM
does not support on-the-fly signing of certificates, which is required for SSL forward proxy.

212.An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?
A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all
its vsys in a single device group.
B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall,
which must have all its vsys in a single device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each
vsys in a different device group.
D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have
each vsys in a different device group.
Answer: A C is correct

80 / 92
 The safer , easier way to help you pass any IT exams.

213.A company has configured GlobalProtect to allow their users to work from home. A decrease in
performance for remote workers has been reported during peak-use hours.
Which two steps are likely to mitigate the issue? (Choose TWO)
A. Exclude video traffic
B. Enable decryption
C. Block traffic that is not work-related
D. Create a Tunnel Inspection policy
Answer: A,C
Explanation:
This is because excluding video traffic from being sent over the VPN will reduce the amount of
bandwidth being used during peak hours, allowing more bandwidth to be available for other types of
traffic. Blocking non-work related traffic will also reduce the amount of bandwidth being used, further
freeing up bandwidth for work-related traffic. Enabling decryption and creating a Tunnel Inspection policy
are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not
directly address the issue of limited bandwidth availability during these times.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

214.A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports >
New Application to monitor new applications on the network and better assess any Security policy
updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
A. It matches to the New App-IDs downloaded in the last 30 days.
B. It matches to the New App-IDs downloaded in the last 90 days
C. It matches to the New App-IDs installed since the last time the firewall was rebooted
D. It matches to the New App-IDs in the most recently installed content releases.
Answer: D
Explanation:
When creating a new App-ID report under Monitor > Reports > Application Reports > New Application,
the firewall identifies new applications based on the New App-IDs in the most recently installed content
releases. The New App-IDs are the application signatures that have been added in the latest content
release, which can be found under Objects > Security Profiles > Application. This allows the engineer to
monitor any new applications that have been added to the firewall's database and evaluate whether to
allow or block them with a Security policy update.

215.A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime
stats within the GUI. Where can they find this information?
A. Routes listed in the routing table with flags Oi
B. Routes listed in the routing table with flags A?B
C. Under the BGP Summary tab
D. Routes listed in the forwarding table with BGP in the Protocol column
Answer: B
Explanation:
Flags
A B—Active and learned via BGP

81 / 92
 The safer , easier way to help you pass any IT exams.

A C—Active and a result of an internal interface (connected) - Destination = network

A H—Active and a result of an internal interface (connected) - Destination = Host only
A R—Active and learned via RIP
A S—Active and static
S—Inactive (because this route has a higher metric) and static
O1—OSPF external type-1
O2—OSPF external type-2
Oi—OSPF intra-area
Oo—OSPF inter-area

216.When using certificate authentication for firewall administration, which method is used for
authorization?
A. Radius
B. LDAP
C. Kerberos
D. Local
Answer: D
Explanation:
Authentication: Certificates Authorization: Local The administrative accounts are local to the firewall, but
authentication to the web interface is based on client certificates. You use the firewall to manage role
assignments but access domains are not supported.

217.An administrator device-group commit push is tailing due to a new URL category
How should the administrator correct this issue?
A. verify that the URL seed Tile has been downloaded and activated on the firewall
B. change the new category action to alert" and push the configuration again
C. update the Firewall Apps and Threat version to match the version of Panorama
D. ensure that the firewall can communicate with the URL cloud
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqw

218.A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel.
The administrator determines that the lifetime needs to be changed to match the peer.
Where should this change be made?
A. IKE Gateway profile
B. IPSec Crypto profile
C. IPSec Tunnel settings
D. IKE Crypto profile
Answer: C B is correct answer

219.DRAG DROP
Place the steps in the WildFire process workflow in their correct order.

82 / 92
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:

83 / 92
 The safer , easier way to help you pass any IT exams.

Timeline
Description automatically generated
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html

220.What are two valid deployment options for Decryption Broker? (Choose two)
A. Transparent Bridge Security Chain
B. Layer 3 Security Chain
C. Layer 2 Security Chain
D. Transparent Mirror Security Chain
Answer: A,B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-broker/decryption-
broker-concepts

221.Which statement is correct given the following message from the PanGPA log on the GlobalProtect
app?
Failed to connect to server at port:47 67
A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
Answer: D C is correct answer

84 / 92
 The safer , easier way to help you pass any IT exams.

222.Which three multi-factor authentication methods can be used to authenticate access to the firewall?
(Choose three.)
A. One-time password
B. User certificate
C. Voice
D. SMS
E. Fingerprint
Answer: A,B,E A, C and D are correct answer
Explanation:
The three multi-factor authentication methods that can be used to authenticate access to the firewall are
One-time Password (OTP), User Certificate, and Fingerprint.
One-time Password (OTP) is a form of two-factor authentication in which a token or code is generated
and sent to the user over a secure connection. The user then enters the code to authenticate their
access.
User Certificate is a form of two-factor authentication in which the user is required to present a valid
certificate in order to access the system. The certificate is usually stored on a physical device, such as a
USB drive, and is usually issued by the authentication service provider.
Fingerprint is a form of two-factor authentication in which the user is required to present a valid
fingerprint in order to access the system. The fingerprint is usually stored on a physical device, such as a
fingerprint reader, and is usually issued by the authentication service provider.

223.An engineer must configure the Decryption Broker feature. To which router must the engineer assign
the decryption forwarding interfaces that are used in Decryption Broker security chain?
A. A virtual router that has no additional interfaces for passing data-type traffic and no other configured
routes than those used for the security chain.
B. The default virtual router. If there is no default virtual router, the engineer must create one during
setup.
C. A virtual router that is configured with at least one dynamic routing protocol and has at least one entry
in the RIB
D. The virtual router that routes the traffic that the Decryption Broker security chain inspects.
Answer: D
Explanation:
Decryption Broker is a feature that allows you to use a Palo Alto Networks firewall as a decryption broker
for other security devices in your network1. It works by decrypting traffic on one interface and forwarding
it to another interface where it can be inspected by other devices before being re-encrypted and sent to
its destination2. The firewall acts as a transparent bridge between the two interfaces and does not
change the source or destination IP addresses of the traffic2.
To configure Decryption Broker, you need to assign decryption forwarding interfaces (DFIs) to the virtual
router that routes the traffic that you want to inspect. The DFIs are used to forward decrypted traffic from
one interface to another in a security chain3. A security chain is a set of devices that perform different
security functions on the same traffic flow3. You can have multiple security chains for different types of
traffic or different segments of your network3.
The reason why you need to assign DFIs to the virtual router that routes the traffic is because Decryption
Broker uses routing tables to determine which DFI belongs to which security chain and how to forward

85 / 92
 The safer , easier way to help you pass any IT exams.

traffic between them2. If you assign DFIs to a different virtual router than the one that routes the traffic,
Decryption Broker will not be able to find them or forward traffic correctly2.

224.Which statement is true regarding a Best Practice Assessment?

A. It shows how your current configuration compares to Palo Alto Networks recommendations
B. It runs only on firewalls
C. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you
should focus prevention activities.
D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of
network and security architecture
Answer: A

225.Which CLI command displays the physical media that are connected to ethernet1/8?
A. > show system state filter-pretty sys.si.p8.stats
B. > show system state filter-pretty sys.sl.p8.phy
C. > show interface ethernet1/8
D. > show system state filter-pretty sys.sl.p8.med
Answer: B
Explanation:
Example output:
> show system state filter-pretty sys.s1.p1.phy
sys.s1.p1.phy: {
link-partner: { },
media: CAT5,
type: Ethernet,
}
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC

226.Which steps should an engineer take to forward system logs to email?

A. Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding
profile > set log type to system and the add email profile.
B. Enable log forwarding under the email profile in the Objects tab.
C. Create a new email profile under Device > server profiles: then navigate to Device > Log Settings >
System and add the email profile under email.
D. Enable log forwarding under the email profile in the Device tab.
Answer: C

227.An engineer must configure the Decryption Broker feature

Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Answer: B

86 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only
interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security
chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional)
determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which
interface receives the traffic back from the security chain after it has undergone additional enforcement.

228.A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the
virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had
the following directories: /config, /license and /software
Why did the bootstrap process fail for the VM-Series firewall in Azure?
A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The /content folder is missing from the bootstrap package
C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from
successfully completing
D. The /config or /software folders were missing mandatory files to successfully bootstrap
Answer: B
Explanation:
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-
firewall/bootstrap-the-vm-series-firewall-in-azure
The bootstrap process failed for the VM-Series firewall in Azure because the /content folder is missing
from the bootstrap package 1.
References: 1: Bootstrap the VM-Series Firewall on Azure - Palo Alto Networks

229.An organization is interested in migrating from their existing web proxy architecture to the Web
Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address
of the web server and the client browser is redirected to the proxy
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
A. DNS proxy
B. Explicit proxy
C. SSL forward proxy
D. Transparent proxy
Answer: D
Explanation:
A transparent proxy is a type of web proxy that intercepts and redirects HTTP and HTTPS requests
without requiring any configuration on the client browser1. The firewall acts as a gateway between the
client and the web server, and performs security checks on the traffic.
A transparent proxy can be configured on PAN-OS 11.0 firewalls by performing the following steps1:
✑ Enable Web Proxy under Device > Setup > Services
✑ Select Transparent Proxy as the Proxy Type
✑ Configure a Service Route for Web Proxy
✑ Configure SSL/TLS Service Profile for Web Proxy
✑ Configure Security Policy Rules for Web Proxy Traffic
By configuring a transparent proxy on PAN-OS 11.0 firewalls, an organization can migrate from their

87 / 92
 The safer , easier way to help you pass any IT exams.

existing web proxy architecture without changing their network topology or client settings2. The firewall
will maintain the same type of traffic flow as before, where HTTP and HTTPS requests contain the IP
address of the web server and the client browser is redirected to the proxy1.
Answer A is not correct because DNS proxy is a type of web proxy that intercepts DNS queries from
clients and resolves them using an external DNS server3. This type of proxy does not redirect HTTP or
HTTPS requests to the firewall.

230.How would an administrator monitor/capture traffic on the management interface of the Palo Alto
Networks NGFW?
A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.
Answer: D
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-
p/62390
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-
packet-capture-on-the-management-interface.html

231.A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall
to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
A. Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric
Path" to Bypass
B. > set session tcp-reject-non-syn no
C. Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set
"Asymmetric Path" to Global
D. # set deviceconfig setting session tcp-reject-non-syn no
Answer: C,D A & D is correct answer

232.A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4. 2.2.2 for
the IP address of the web server, www,xyz.com. The DNS server returns an address of 172.16.15.1
In order to reach Ire web server, which Security rule and NAT rule must be configured on the firewall?

A)

88 / 92
 The safer , easier way to help you pass any IT exams.

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: C

233.Which three items are import considerations during SD-WAN configuration planning? (Choose
three.)
A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations
Answer: A,C,D
Explanation:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-
configuration

234.You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log
Collectors to 10.2, you must do what?
A. Upgrade the Log Collectors one at a time.
B. Add Panorama Administrators to each Managed Collector.
C. Add a Global Authentication Profile to each Managed Collector.
D. Upgrade all the Log Collectors at the same time.
Answer: D

235.An administrator needs to optimize traffic to prefer business-critical applications over non-critical
applications QoS natively integrates with which feature to provide service quality?
A. certificate revocation
B. Content-ID

89 / 92
 The safer , easier way to help you pass any IT exams.

C. App-ID
D. port inspection
Answer: C

236.An administrator is seeing one of the firewalls in a HA active/passive pair moved to 'suspended"
state due to Non-functional loop.
Which three actions will help the administrator troubleshool this issue? (Choose three.)
A. Use the CLI command show high-availability flap-statistics
B. Check the HA Link Monitoring interface cables.
C. Check the High Availability > Link and Path Monitoring settings.
D. Check High Availability > Active/Passive Settings > Passive Link State
E. Check the High Availability > HA Communications > Packet Forwarding settings.
Answer: A,B,C B,C, D is correct answer

237.What is the function of a service route?

A. The service route is the method required to use the firewall's management plane to provide services
to applications
B. The service packets enter the firewall on the port assigned from the external service. The server
sends its response to the configured destination interface and destination IP address
C. The service packets exit the firewall on the port assigned for the external service. The server sends its
response to the configured source interface and source IP address
D. Service routes provide access to external services such as DNS servers external authentication
servers or Palo Alto Networks services like the Customer Support Portal
Answer: C

238.A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business
application uptime requirements.
What is the correct setting?
A. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "user-defined" and manually set the timers.
D. Change the HA timer profile to "quick" and customize in advanced profile.
Answer: C A is correct
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activepassive-
ha/configure-activepassive-ha
In an A/P HA pair, HA (High Availability) timers are used to determine how quickly the firewall should fail
over in case of a failure. Typically, the firewall administrator can choose between several predefined
timer profiles such as "normal", "aggressive", and "fast". Changing the HA timer profile to "user-defined"
and manually setting the timers would allow the administrator to fine-tune the failover timing and make
sure it meets the uptime requirements for the critical business applications. This approach allows the
administrator to set the timers to the lowest possible value without compromising the stability and
security of the firewall.

90 / 92
 The safer , easier way to help you pass any IT exams.

239.What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. the maximum interval between hello packets that are sent to verify that the HA functionality on the
other firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-
primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that
the cluster member is functional.
D. The timeframe that the local firewall wait before going to Active state when another cluster member is
preventing the cluster from fully synchronizing.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/configure-ha-clustering

240.An administrator needs to build Security rules in a Device Group that allow traffic to specific users
and groups defined in Active Directory
What must be configured in order to select users and groups for those rules from Panorama?
A. The Security rules must be targeted to a firewall in the device group and have Group Mapping
configured
B. A master device with Group Mapping configured must be set in the device group where the Security
rules are configured
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same
mappings
D. A User-ID Certificate profile must be configured on Panorama
Answer: B

241.A firewall administrator has been tasked with ensuring that all Panorama configuration is committed
and pushed to the devices at the end of the day at a certain time.
How can they achieve this?
A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push lo Devices and separately schedule an API call to
commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to
commit all Panorama changes.
D. Use the Scheduled Config Push taschedule Commit to Panorama and also Push to Devices.
Answer: D

242.When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can
be implemented using phased approach in alignment with Palo Alto Networks best practices
What should you recommend?
A. Enable SSL decryption for known malicious source IP addresses
B. Enable SSL decryption for source users and known malicious URL categories
C. Enable SSL decryption for malicious source users
D. Enable SSL decryption for known malicious destination IP addresses
Answer: B

91 / 92
 The safer , easier way to help you pass any IT exams.

Explanation:
According to the Palo Alto Networks best practices, one of the ways to implement SSL decryption using
a phased approach is to enable SSL decryption for source users and known malicious URL categories.
This will allow you to block or alert on traffic that is likely to be malicious or risky, while minimizing the
impact on legitimate traffic and user privacy.
References: https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-
best-practices/deploy-ssl-decryption-using-a-phased-approach

243.Given the following snippet of a WildFire submission log. did the end-user get access to the
requested information and why or why not?

A. Yes. because the action is set to "allow ''

B. No because WildFire categorized a file with the verdict "malicious"
C. Yes because the action is set to "alert"
D. No because WildFire classified the seventy as "high."
Answer: A
Explanation:
Threats that have the ability to become critical but have mitigating factors; for example, they may be
difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire
Submissions log entries with a malicious verdict and an action set to allow are logged as High.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-
types-and-severity-levels/threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae

92 / 92