Palo Alto Networks NGFW-Engineer Next-Generation Firewall Engineer Exam Dumps and Practice Test Questions Set5 Q81-100


Question 81: 

An administrator is configuring a Panorama-managed VM-Series firewall in a public cloud environment. This firewall must share a common base network configuration (interfaces, zones, virtual router) with 50 other VM-Series firewalls in the same cloud region, but it requires a unique IP address for its external-facing interface. What is the most efficient and scalable Panorama feature designed to accommodate this requirement?

A) Configure 50 different Templates, one for each firewall, and manually enter the unique IP address in each.
B) Use a single Template Stack containing one Template, and use a Template Variable to represent the unique interface IP address.
C) Use a single Template Stack and connect to each firewall individually via the CLI to override the IP address.
D) Configure the base network settings in a Device Group and use an Address Object with the type “IP Wildcard Mask” for the unique IP.

Correct Answer: B

Explanation:

The correct answer is B. This solution leverages Template Variables, which is the specific Panorama feature designed for this exact use case: managing common configurations that have small, per-device unique values.

Why B (Use a single Template Stack containing one Template, and use a Template Variable to represent the unique interface IP address.) is Correct: Panorama separates device/network configuration (Templates) from policy/object configuration (Device Groups). The requirement here is for network configuration. A Template holds the configuration for settings under the ‘Network’ and ‘Device’ tabs. A Template Stack is a collection of Templates that are “stacked” together and applied to a firewall, allowing for layered and reusable configurations. The most critical feature in this scenario is the Template Variable. An administrator can define a common configuration in a Template, but instead of “hard-coding” a value like an IP address, they can insert a variable (e.g., $external_ip). This Template is then added to a Template Stack. When this Template Stack is assigned to the 50 firewalls, Panorama (or the administrator) can provide a unique value for the $external_ip variable for each individual firewall. This achieves the “golden” configuration (the common settings) while allowing for per-device customization (the unique IP). This is the epitome of scalable and efficient management. The 50 firewalls share the identical base configuration, but their individual variable overrides allow them to have unique identities on the network.

Why A (Configure 50 different Templates, one for each firewall, and manually enter the unique IP address in each.) is Incorrect: This option is functionally possible but operationally disastrous and directly contradicts the goal of efficient and scalable management. If the administrator needed to make a single change to the common configuration (e.g., add a new zone), they would have to repeat that change 50 times, once in each Template. This creates an enormous amount of administrative overhead and a high probability of human error, leading to configuration drift and security inconsistencies. The entire purpose of Panorama is to avoid this exact “configuration-by-copy-and-paste” method.

Why C (Use a single Template Stack and connect to each firewall individually via the CLI to override the IP address.) is Incorrect: This defeats the purpose of centralized management. A value pushed from a Template can be overridden locally on the firewall, but every such override is an exception: Panorama flags it, it is invisible to anyone working only in the Panorama GUI, and a later push with “Force Template Values” wipes it out. The administrator would be logging into 50 devices by hand and creating configuration drift that Panorama is designed to prevent. Panorama’s configuration is meant to be authoritative. The supported way to give each device its own value is the variable system (Option B), which is defined, tracked, and pushed from Panorama itself.

Why D (Configure the base network settings in a Device Group and use an Address Object with the type “IP Wildcard Mask” for the unique IP.) is Incorrect: This option is fundamentally incorrect due to the confusion between Panorama’s core components. Device Groups are used to manage Policies (like Security and NAT) and Objects (like Address and Service objects). Device Groups cannot be used to configure base network settings like interfaces, zones, or virtual routers. Those settings are exclusively managed by Templates. Therefore, the premise of configuring network settings in a Device Group is flawed. Furthermore, an “IP Wildcard Mask” is an object type used in policies to match a range of addresses; it has no function in assigning a specific IP address to an interface.

Question 82: 

A network engineer is configuring an Active/Active HA cluster and is concerned about asymmetric routing. The environment has a complex OSPF and BGP routing design, making it highly probable that a session’s return packet will arrive at the peer firewall. Which HA feature combination is specifically designed to handle this asymmetric flow and prevent the return packet from being dropped?

A) HA1 Heartbeat Polling and HA2 Session Synchronization
B) Path Monitoring and Link Monitoring
C) Session Synchronization (over HA2) and Packet Forwarding (over HA3)
D) HA1 Heartbeat Backup and LACP/LLDP

Correct Answer: C

Explanation:

The correct answer is C. This combination is the explicit solution for asymmetric packet flows in an Active/Active HA cluster. Session Synchronization provides the necessary state, and Packet Forwarding provides the forwarding mechanism to the session owner.

Why C (Session Synchronization (over HA2) and Packet Forwarding (over HA3)) is Correct: This scenario describes the classic challenge of Active/Active deployments. Here is the breakdown of the problem and the solution:

The Problem: A client sends a SYN packet to a server. It ingresses Firewall-A. Firewall-A becomes the “session owner,” creates a session table entry, and forwards the packet. Due to asymmetric routing, the server’s SYN-ACK reply ingresses Firewall-B. Firewall-B, being a stateful device, drops the packet because it has no corresponding session in its table.

The Solution (Part 1): Session Synchronization (over HA2). The Active/Active firewalls constantly synchronize their session tables over the HA2 link. When Firewall-A creates the session, it replicates it to Firewall-B. Now, when the SYN-ACK arrives at Firewall-B, it does find a matching session.

The Solution (Part 2): Packet Forwarding (over HA3). Even though Firewall-B knows about the session, it is not the “session owner.” All advanced processing (App-ID, Content-ID, decryption) must happen on the session owner (Firewall-A) to maintain integrity. Instead of processing the packet, Firewall-B forwards the packet over the dedicated HA3 link to Firewall-A. Firewall-A (the session owner) receives the packet on its HA3 interface, processes it through its Content-ID engine, and then forwards it out the correct data interface to the client. This ensures stateful inspection is maintained even when the return path is asymmetric.

Why A (HA1 Heartbeat Polling and HA2 Session Synchronization) is Incorrect: This is partially correct but incomplete. Session Synchronization (HA2) is needed, but HA1 Heartbeat Polling is not the solution to the asymmetry problem. The HA1 link is the control plane link, used for exchanging hellos (heartbeats), synchronizing configuration, and managing failover. It does not participate in forwarding data plane packets from asymmetric flows. Without the HA3 link (Option C), the session would still fail because Firewall-B would not know how to get the packet to Firewall-A for processing.

Why B (Path Monitoring and Link Monitoring) is Incorrect: These are failover triggers. Link Monitoring watches the physical state (up/down) of an interface. Path Monitoring sends pings to remote IPs to test the entire logical path. These features are used to detect a failure and trigger a failover (e.g., Active-to-Passive). They have no role in handling active session traffic in a normally functioning Active/Active cluster that is experiencing asymmetry.

Why D (HA1 Heartbeat Backup and LACP/LLDP) is Incorrect: This option lists unrelated redundancy features. HA1 Heartbeat Backup allows the HA1 control link to failover to another link (like the MGT port) to prevent a split-brain scenario. LACP (Link Aggregation) is a Layer 2 feature to bundle physical interfaces for bandwidth and link redundancy. LLDP is a discovery protocol. None of these components are involved in solving the Layer 3 data plane problem of asymmetric routing.

Question 83: 

An organization has a new IPv6-only client subnet (2001:db8:1::/64) that must access a critical legacy application hosted on an IPv4-only server (192.0.2.10). An engineer has configured a NAT64 policy. However, the clients are still unable to connect. The engineer verifies the clients are using a standards-compliant DNS resolver. Which additional component is essential for this translation to function?

A) A DNS64 server to synthesize AAAA records from A records.
B) A Security policy rule allowing the ‘ipv6’ application.
C) A “no-decrypt” Decryption policy for the IPv6 subnet.
D) A Virtual Router static route pointing the IPv6 prefix to a “discard” next-hop.

Correct Answer: A

Explanation:

The correct answer is A. NAT64 only translates the packets; DNS64 is the required “translator” for the discovery process, allowing an IPv6-only client to discover the “address” of an IPv4-only server.

Why A (A DNS64 server to synthesize AAAA records from A records.) is Correct: This scenario highlights the symbiotic relationship between NAT64 and DNS64.

The Client’s Problem: An IPv6-only client (in 2001:db8:1::/64) has no IPv4 stack. It cannot understand, route to, or even look up an IPv4 address (like 192.0.2.10).

The Client’s Action: The client will send a DNS query for app.legacy.com, asking only for a AAAA record (the record type for IPv6 addresses).

The IPv4 Server’s DNS: The authoritative DNS server for app.legacy.com only has an A record (e.g., 192.0.2.10). It has no AAAA record.

The Solution: A DNS64 server sits between the client and the authoritative DNS server. The client sends its AAAA query to the DNS64 server. The DNS64 server performs the query and sees that only an A record (192.0.2.10) exists. The DNS64 server then synthesizes a fake AAAA record. It does this by taking a special IPv6 prefix (e.g., the well-known NAT64 prefix 64:ff9b::/96) and embedding the 32-bit IPv4 address in the low-order bits, producing 64:ff9b::192.0.2.10, which in canonical hexadecimal notation is 64:ff9b::c000:20a (192.0.2.10 is 0xc000020a).

Putting it Together: The client receives this fake AAAA record. The client, not knowing any better, sends its IPv6 packet to the destination 64:ff9b::c000:20a. This packet routes to the Palo Alto Networks firewall. The firewall’s NAT64 policy sees the special prefix, strips it off, translates the packet to IPv4, and forwards it to the real destination, 192.0.2.10. Without DNS64, the client would never get an address to send a packet to in the first place, and the NAT64 policy would never be used.
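To make the address arithmetic concrete, here is an added worked example (not part of the original question set and not firewall code) that performs both halves of the process with Python’s standard ipaddress module: the DNS64 synthesis of an AAAA record from an A record, and the NAT64 recovery of the IPv4 destination from the synthesized address. The prefix and addresses are the ones used in the question; the dns64_answer helper is a simplified model of the resolver’s decision and is an assumption for illustration.

```python
"""RFC 6052 address synthesis: what DNS64 does on the way in and what NAT64
does on the way out. Added example, not part of the original page; uses only
the standard library. Prefix and addresses are the ones from the question."""
import ipaddress
from typing import List, Optional

# Well-known NAT64 prefix (RFC 6052); a site may use its own /96 instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str,
                    prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """DNS64 step: embed the IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6: str,
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """NAT64 step: if the destination carries the prefix, recover the IPv4 host.
    Returns None for an ordinary IPv6 destination (the NAT64 rule would not match)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records: List[str], aaaa_records: List[str]) -> List[str]:
    """Simplified resolver decision (RFC 6147): synthesize only when the name
    has no real AAAA record. Assumption for illustration, not a full DNS64."""
    if aaaa_records:
        return aaaa_records            # dual-stack target: no synthesis needed
    return [str(synthesize_aaaa(a)) for a in a_records]


if __name__ == "__main__":
    synthesized = synthesize_aaaa("192.0.2.10")
    print("DNS64 returns:", synthesized)                  # 64:ff9b::c000:20a
    print("NAT64 recovers:", extract_ipv4(str(synthesized)))  # 192.0.2.10
    print("non-NAT64 destination:", extract_ipv4("2001:db8::1"))  # None
```

The two functions are inverses only within the /96 prefix; that is why the firewall’s NAT64 rule matches on the prefix first and why the client subnet needs a route for 64:ff9b::/96 that leads to the firewall.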

Why B (A Security policy rule allowing the ‘ipv6’ application.) is Incorrect: There is no application called ‘ipv6’. ‘ipv6’ is a protocol. A Security policy rule would need to be created from the IPv6-zone to the IPv4-zone, allowing the actual application (e.g., ssl or web-browsing). While such a rule is necessary, it is not the essential component missing for the initial name resolution to work. The problem described (clients “unable to connect”) starts with the failure to resolve the hostname.

Why C (A “no-decrypt” Decryption policy for the IPv6 subnet.) is Incorrect: Decryption policy is completely unrelated to the basic L3/L4 connectivity and L7 discovery (DNS) problem. Whether the traffic is decrypted or not has no bearing on the client’s ability to get an IP address for the server. This would only be a factor after connectivity is established.

Why D (A Virtual Router static route pointing the IPv6 prefix to a “discard” next-hop.) is Incorrect: This would actively break the connection. A “discard” next-hop is a null route, which causes the firewall to silently drop any packet matching that route. Null routes are used to black-hole unwanted prefixes or prevent routing loops, which is the opposite of what is needed here. What the design actually needs is for the clients’ packets addressed to the NAT64 prefix (64:ff9b::/96) to be routed to the firewall, and for the firewall to have an IPv4 route to the real server (192.0.2.10) so the translated packet can be forwarded; nothing about that involves discarding the IPv6 prefix.

Question 84: 

An organization wants to provide remote access to a specific internal web-based application (portal.internal.corp) for external contractors. These contractors use unmanaged, personal devices (BYOD). The security team has two main requirements: 1) The contractors must not be given full VPN access to the corporate network. 2) The contractors must not be required to install the GlobalProtect client. Which GlobalProtect feature should be configured to meet these specific requirements?

A) GlobalProtect Portal with “Connect Before Logon”
B) GlobalProtect Gateway with a “Split-Tunnel” configuration
C) GlobalProtect Portal with “Clientless VPN”
D) GlobalProtect Gateway with HIP (Host Information Profile) checks

Correct Answer: C

Explanation:

The correct answer is C. Clientless VPN is the specific GlobalProtect feature designed to provide browser-based, reverse-proxy access to web applications without requiring the full VPN client or granting network-level access.

Why C (GlobalProtect Portal with “Clientless VPN”) is Correct: This feature perfectly matches all requirements.

No Full VPN Access: Clientless VPN operates as a reverse proxy. The contractor authenticates to the GlobalProtect Portal’s web page. After authentication, the Portal presents them with a list of published applications (e.g., portal.internal.corp). When the user clicks this link, the firewall (acting as the Portal) fetches the web page content from the internal server on the user’s behalf, rewrites all the URLs in the HTML to point back to the Portal, and then sends the modified page to the user’s browser. The user’s device never makes a direct IP connection to the internal network. It only communicates with the public-facing Portal.

No Client Installation: The entire session occurs within the user’s standard web browser. There is no software to install, which is ideal for unmanaged BYOD devices. This solution provides granular, application-level access to specific web apps without the overhead or risk of a full-tunnel VPN, directly addressing the scenario. Two caveats a practitioner should plan for: Clientless VPN requires a GlobalProtect subscription on the portal firewall, and because the portal rewrites the application’s HTML and JavaScript, it only works cleanly for web applications the rewriter can handle, so portal.internal.corp should be tested through the portal before it is published to contractors.

Why A (GlobalProtect Portal with “Connect Before Logon”) is Incorrect: “Connect Before Logon” (CBL) is a feature of the full GlobalProtect client (agent). It is used on managed corporate devices to establish the VPN tunnel before the user logs into Windows. This allows the device to, for example, run login scripts or receive group policy updates from a domain controller. It is the exact opposite of the “no client” requirement.

Why B (GlobalProtect Gateway with a “Split-Tunnel” configuration) is Incorrect: This solution still requires the full GlobalProtect client (agent) to be installed. A “Split-Tunnel” configuration on the Gateway simply defines which traffic goes through the VPN tunnel (e.g., only traffic to internal subnets) and which traffic goes directly to the internet (e.g., web browsing). While this limits the traffic in the tunnel, it still grants the user’s device full IP-level network access to the tunneled subnets and, more importantly, it requires the client to be installed.

Why D (GlobalProtect Gateway with HIP (Host Information Profile) checks) is Incorrect: HIP checks are a feature used by the full GlobalProtect client (agent) to collect posture information from the endpoint (e.g., “Is antivirus running?”). The Gateway then uses this information to make policy decisions. This feature requires the full client and is typically used to enforce security on managed devices or quarantine unmanaged ones. It does not provide the “clientless” access the scenario demands.

Question 85: 

A security administrator has configured a redistribution profile within a virtual router to share BGP-learned routes into an OSPF domain. The BGP routes for the prefix 10.100.0.0/16 are being learned successfully, but they are not appearing in the OSPF routing table on the adjacent router. The administrator has already verified OSPF adjacencies are ‘Full’ and the BGP RIB contains the route. Which of the following is a common reason for this specific failure?

A) The BGP routes are not being installed in the global “FIB” (Forwarding Information Base) because the next-hop is unreachable.
B) The Redistribution Profile is missing a ‘metric’ value, which is mandatory for OSPF redistribution.
C) The OSPF ‘Area’ configuration is “Stub,” which blocks redistributed external routes by default.
D) The ‘rdp’ application is not allowed in the Security policy, which blocks BGP and OSPF protocol traffic.

Correct Answer: B

Explanation:

The correct answer is B. When redistributing routes into OSPF, OSPF requires a “seed metric” and a “metric-type” to be defined for the external routes. If these are not specified in the redistribution profile, OSPF will not accept or advertise the routes.

Why B (The Redistribution Profile is missing a ‘metric’ value, which is mandatory for OSPF redistribution.) is Correct: Protocols like OSPF are metric-based. When a route is brought in “from the outside” (redistributed from another protocol like BGP or Static), OSPF has no way of knowing what “cost” to assign to it. The redistribution profile must define this starting “seed metric” (a cost value) and a “metric-type” (Type-1 or Type-2, which defines how the cost is calculated as it propagates through the OSPF domain). If the administrator’s redistribution profile on the Palo Alto Networks firewall only matches the BGP routes but fails to specify a metric, OSPF will not inject those routes into its Link-State Database (LSDB). The firewall will not advertise them, and the adjacent router will never receive them. This is a very common oversight in multi-protocol routing configurations.

Why A (The BGP routes are not being installed in the global “FIB” (Forwarding Information Base) because the next-hop is unreachable.) is Incorrect: This is a plausible-sounding but secondary check. The prompt states the administrator “verified the BGP RIB contains the route.” If the route were being rejected because its next-hop was unreachable (a classic iBGP problem), the quickest confirmation is to look for it in the firewall’s own routing table with ‘show routing route’; but even a route that is installed there is not advertised into OSPF until the redistribution profile and OSPF export rule supply the OSPF parameters. The missing metric (Option B) is the direct configuration error on the firewall, and it would keep the route out of OSPF whether or not the next-hop is reachable.

Why C (The OSPF ‘Area’ configuration is “Stub,” which blocks redistributed external routes by default.) is Incorrect: This is a valid OSPF concept, but the configuration would be on the adjacent router, not necessarily the Palo Alto Networks firewall itself (which is acting as the ASBR – Autonomous System Boundary Router). A “Stub Area” or “Totally Stubby Area” does block external routes (Type 5 LSAs). However, the first place to check is the redistribution configuration on the firewall that is doing the redistribution. The missing metric (Option B) is a direct configuration error on the ASBR firewall, making it a more immediate and likely cause of the failure than the area type of the neighbor.

Why D (The ‘rdp’ application is not allowed in the Security policy, which blocks BGP and OSPF protocol traffic.) is Incorrect: This is a complete misapplication of concepts. First, BGP (TCP 179) and OSPF (IP protocol 89) have nothing to do with the ‘rdp’ (TCP 3389) application. Second, the OSPF and BGP sessions in this scenario terminate on the firewall’s own virtual router: the peer talks to the firewall’s interface, so the traffic is seen as intrazone (same zone on both sides) and is permitted by the intrazone-default rule unless that default has been changed to deny. Only routing-protocol traffic that transits the firewall between two other routers would need an explicit rule allowing the ‘ospf’ or ‘bgp’ App-IDs, and that is not what is happening here. A missing ‘rdp’ rule cannot explain a redistribution failure.

Question 86: 

A firewall is configured with an Anti-Spyware profile that has a “sinkhole” action for all ‘malware’ domain categories. A user’s workstation attempts a DNS query for a known malware C2 domain, ‘badsite.example.com’. The firewall’s DNS Security feature identifies this query as malicious. What is the precise sequence of events that will occur?

A) The firewall drops the DNS query, and the user’s workstation receives a ‘request-timed-out’ error.
B) The firewall forwards the original DNS query to the real DNS server, but blocks the malicious IP in the response.
C) The firewall discards the original query and sends a “forged” DNS response to the client, pointing the client to the ‘sinkhole’ IP address.
D) The firewall sends a TCP-RST packet to both the client and the DNS server to terminate the session.

Correct Answer: C

Explanation:

The correct answer is C. The “sinkhole” action is a specific, active redirection technique. The firewall intercepts the malicious DNS query and lies to the client, redirecting it to a controlled “black hole” address for investigation.

Why C (The firewall discards the original query and sends a “forged” DNS response to the client, pointing the client to the ‘sinkhole’ IP address.) is Correct: This is the exact definition of DNS sinkholing.

Intercept: The firewall inspects the user’s outbound DNS query (UDP/53).

Detect: The query for ‘badsite.example.com’ is matched against the DNS Security (or Anti-Spyware) profile’s list of malicious domains. The action is “sinkhole”.

Forge: The firewall does not forward the query. It immediately discards the user’s original packet.

Respond: The firewall generates a new, forged DNS response. This response looks like it came from the real DNS server. In this response, the ‘Answer’ (the A record) for ‘badsite.example.com’ is not the real, malicious IP. Instead, it is the IP address that the administrator configured as the “sinkhole” (e.g., an internal, non-routable IP, or the Palo Alto Networks-provided sinkhole address).

Investigate: The client, unaware of the deception, receives this forged response. If the malware on the client machine then tries to connect (e.g., via HTTP) to ‘badsite.example.com’, it will actually send its packets to the sinkhole IP. This traffic will then hit the firewall, allowing the administrator to see it in the logs (often as a “sinkhole” event), thereby positively identifying the infected machine without it ever contacting the real C2 server.
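The following added example (constructed for this explanation, not Palo Alto Networks code) models the sinkhole decision on the wire: it parses a DNS A query, checks the QNAME against a constructed malicious-domain set that stands in for the DNS Security verdict, and returns a forged response that reuses the client’s transaction ID and carries the sinkhole address instead of the real one. The sinkhole IP and the domain list are assumptions; an AAAA query would receive the IPv6 sinkhole address on a real firewall, which this example simply forwards.

```python
"""Simulated DNS sinkhole: parse a DNS A query, match the QNAME against a
malicious-domain set, and instead of forwarding answer with a forged A record
pointing at the sinkhole address. Added example, not the firewall's code;
the domain list and sinkhole IP are constructed for the demo."""
import socket
import struct
from typing import Optional, Tuple

SINKHOLE_IP = "10.255.255.254"               # assumed internal sinkhole address
MALICIOUS_DOMAINS = {"badsite.example.com"}  # constructed stand-in for DNS Security verdicts


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """A client's query: header with RD set and one question, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> Tuple[int, str, int, bytes]:
    """Return (txid, qname, qtype, raw question section) for a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode())
        pos += ln
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def sinkhole_response(pkt: bytes, sinkhole_ip: str = SINKHOLE_IP) -> Tuple[str, Optional[bytes]]:
    """Decide what happens to a query: ('forward', None) means relay it unchanged;
    ('sinkhole', response) means the original is discarded and the forgery is sent."""
    txid, qname, qtype, question = parse_query(pkt)
    if qtype != 1 or qname.lower() not in MALICIOUS_DOMAINS:
        return "forward", None
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0: indistinguishable from a real answer
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12, type A, class IN,
    # short TTL so the forged mapping does not linger, 4-byte RDATA = sinkhole IP.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return "sinkhole", header + question + answer


def answered_ip(response: bytes) -> str:
    """What the client ends up connecting to: the A record at the end of the response."""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    action, resp = sinkhole_response(build_query("badsite.example.com"))
    print(action, answered_ip(resp))                 # sinkhole 10.255.255.254
    print(sinkhole_response(build_query("example.org")))  # ('forward', None)
```

The forged packet has to copy the transaction ID and question section exactly, otherwise the client’s resolver discards it; the short TTL is what lets the administrator lift the sinkhole quickly once the host is cleaned.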

Why A (The firewall drops the DNS query, and the user’s workstation receives a ‘request-timed-out’ error.) is Incorrect: This describes the “drop” or “block” action. While this does prevent the client from resolving the domain, it provides less investigative value. The malware might be programmed to simply try another domain. The “sinkhole” action (Option C) is superior because it tricks the malware into revealing itself, providing a high-confidence “infected” log event (the subsequent connection attempt) instead of just a “blocked DNS query” log.

Why B (The firewall forwards the original DNS query to the real DNS server, but blocks the malicious IP in the response.) is Incorrect: This is a different, less common method. The standard sinkhole action (Option C) blocks the query before it ever leaves the network. This is more efficient and prevents the external DNS server (or any upstream listeners) from even knowing the client tried to resolve the domain. Intercepting and modifying the response is a different inspection method.

Why D (The firewall sends a TCP-RST packet to both the client and the DNS server to terminate the session.) is Incorrect: This is the “reset-both” action. This action is invalid for this scenario because DNS queries are typically stateless UDP packets, not TCP sessions. There is no “session” to reset. This action is used for blocking TCP-based applications (like HTTP or SSL).

Question 87: 

An administrator is configuring a GlobalProtect Gateway to enforce endpoint security. The policy must ensure that only corporate-issued laptops, which are all members of the corporate ‘Domain Computers’ Active Directory group, are allowed to connect. The administrator has already configured a HIP (Host Information Profile) to check for this. Which HIP Profile configuration would most accurately and securely enforce this requirement?

A) Category: OS, Criteria: “Contains ‘Windows 10 Enterprise'”
B) Category: Host Name, Criteria: “Contains ‘CORP-LTP'”
C) Category: Domain, Criteria: “Is ‘corp.local'”
D) Category: Management, Criteria: “Is-Installed ‘Yes’ ‘Jamf Pro'”

Correct Answer: C

Explanation:

The correct answer is C. Checking the “Domain” category is the most direct and reliable HIP check to verify that a device is a member of the corporate Active Directory domain.

Why C (Category: Domain, Criteria: “Is ‘corp.local'”) is Correct: The GlobalProtect client, when collecting HIP (Host Information Profile) data, queries the host operating system for a multitude of configuration details. One of these details is the “Domain” to which the machine is joined. This is a fundamental, high-confidence attribute of a corporate-managed Windows or macOS device. The requirement is to allow only corporate-issued laptops, which are defined as members of the ‘Domain Computers’ AD group. By setting the HIP Profile to check Category: Domain and Criteria: “Is ‘corp.local'” (or whatever the corporate domain name is), the firewall will only allow connections from devices that report being joined to this specific domain. A personal, unmanaged BYOD device will fail this check because it will either be in a ‘WORKGROUP’ or joined to a different domain. This is the most accurate and secure option presented. One caveat a practitioner should keep in mind: HIP data is collected and reported by the client running on the endpoint, so it establishes posture rather than identity. For corporate-only access, pair the Domain match with something the device cannot self-declare, such as a machine certificate issued by the corporate PKI and validated by the gateway’s certificate profile.

Why A (Category: OS, Criteria: “Contains ‘Windows 10 Enterprise'”) is Incorrect: This is a weak and easily-spoofed check. While corporate laptops might all run Windows 10 Enterprise, a contractor or a determined attacker could also be using a device with this OS. This check does not prove ownership or management status. It only proves the OS version. The requirement is to verify the device is corporate-issued, and the ‘Domain’ check (Option C) is a much stronger validation of this.

Why B (Category: Host Name, Criteria: “Contains ‘CORP-LTP'”) is Incorrect: This is also a weak check. It relies on a host naming convention. A user on a personal device could simply rename their computer to ‘CORP-LTP-123’ to bypass this check. The hostname is a user-configurable string and is not a secure attribute for authentication or authorization. The domain-join status (Option C) is a cryptographic, managed relationship and is far more secure.

Why D (Category: Management, Criteria: “Is-Installed ‘Yes’ ‘Jamf Pro'”) is Incorrect: This option is illogical for two reasons. First, Jamf Pro is a management tool for Apple macOS devices, not typically for Windows devices that would be members of an Active Directory ‘Domain Computers’ group (though co-management is possible, it’s not the primary tool). Second, this is an example of checking for a specific management application. While checking for the presence of a management agent (like SCCM, CrowdStrike, etc.) is a valid HIP check, the ‘Domain’ check (Option C) is more fundamental and directly matches the stated requirement (“members of the corporate ‘Domain Computers’ Active Directory group”).

Question 88: 

A security engineer needs to write a single Security policy rule to allow employees to access ‘office-365’ and ‘g-suite’, but only if they are using the primary, non-deprecated versions of those applications. The engineer wants to ensure that legacy or risky sub-applications (like ‘office-365-legacy-auth’) are not allowed. Which component should the engineer use in the Security policy rule to achieve this?

A) An Application Filter set to Category ‘business-systems’ and Subcategory ‘collaboration’.
B) An Application Group containing the individual applications ‘office-365-base’ and ‘google-base’.
C) A Security policy rule with ‘office-365’ and ‘g-suite’ in the Application field, and a URL Filtering profile attached.
D) A Custom Application Signature created to match only the headers of the main applications.

Correct Answer: B

Explanation:

The correct answer is B. Palo Alto Networks provides “base” App-IDs (‘office-365-base’, ‘google-base’) that are “container” applications. These containers only include the modern, sanctioned, and supported sub-applications, and explicitly exclude legacy, risky, or deprecated ones.

Why B (An Application Group containing the individual applications ‘office-365-base’ and ‘google-base’.) is Correct: This is the explicit, best-practice solution from Palo Alto Networks for this exact scenario.

The Problem: SaaS suites like Office 365 and G-Suite are not single applications. They are collections of hundreds of micro-services and sub-applications (e.g., sharepoint-online, outlook-web-access, google-drive, google-sheets). Some of these are modern and secure, while others (like office-365-legacy-auth) use deprecated protocols that are a security risk.

The Solution: Instead of forcing administrators to manually pick and choose all 200+ “good” applications, Palo Alto Networks provides container App-IDs. office-365-base and google-base are two such App-IDs. When you use office-365-base in a rule, you are implicitly allowing only the set of sub-applications that Palo Alto Networks has vetted as “core” and “modern.” This container explicitly excludes things like legacy authentication. By creating an Application Group (a static container of App-IDs) and adding ‘office-365-base’ and ‘google-base’ to it, the engineer can use this single Application Group in their Security rule to safely and efficiently allow the “good” parts of these SaaS suites. Before building the group, confirm the exact App-ID names and the container’s current members in Objects > Applications (or Applipedia); base and container App-ID names are vendor-maintained and can change between content releases.

Why A (An Application Filter set to Category ‘business-systems’ and Subcategory ‘collaboration’.) is Incorrect: An Application Filter is a dynamic object that “matches” all applications that meet certain criteria (e.g., Category, Risk, etc.). Using this filter would be too broad. It would match all applications in the ‘collaboration’ subcategory (e.g., Slack, Zoom, Box, etc.), not just O365 and G-Suite. Furthermore, it would include both the ‘office-365-base’ and the risky ‘office-365-legacy-auth’ applications, as they are both in the same category. This fails to meet the “do not allow legacy” requirement.

Why C (A Security policy rule with ‘office-365’ and ‘g-suite’ in the Application field, and a URL Filtering profile attached.) is Incorrect: This is incorrect because ‘office-365’ and ‘g-suite’ are not App-IDs. They are application categories. If you were to type ‘office-365’ in the application field, it would show you a list of all related App-IDs (office-365-base, office-365-legacy-auth, sharepoint-online, etc.). The administrator would have to select them manually. If they selected all of them, they would be allowing the risky apps. A URL Filtering profile controls access to websites, it does not control which sub-applications are allowed.

Why D (A Custom Application Signature created to match only the headers of the main applications.) is Incorrect: This is an unnecessarily complex, brittle, and unmaintainable solution. The administrator would be taking on the burden of “reverse-engineering” the O365 and G-Suite protocols, a task that is already professionally done by the Palo Alto Networks App-ID team. This custom signature would break with every weekly update from Microsoft or Google. The ‘base’ App-IDs (Option B) are the purpose-built, supported solution.

Question 89: 

A SOAR (Security Orchestration, Automation, and Response) platform needs to programmatically query a Palo Alto Networks firewall to get the current threat verdict (e.g., ‘malware’, ‘benign’) for a file hash. The firewall is not managed by Panorama, and the SOAR platform is in a different network segment. Which firewall component must be configured to allow this external system to make this API request?

A) An ‘API-Key’ generated on the firewall and a Log Forwarding Profile.
B) A WildFire API key configured under the ‘Device’ tab and an ‘auth-key’ in the SOAR platform.
C) A ‘Service Route’ to force API traffic over the MGT interface and an ‘Administrator’ account with an API key.
D) An ‘Interface Management’ profile on the data plane interface, a ‘Service’ object for the API, and an ‘Administrator’ account with an API key.

Correct Answer: D

Explanation:

The correct answer is D. To access the firewall’s API on a data plane (non-MGT) interface, you must explicitly enable “HTTP(S)” in an Interface Management profile, apply it to the interface, and use an API key from a configured administrator.

Why D (An ‘Interface Management’ profile on the data plane interface, a ‘Service’ object for the API, and an ‘Administrator’ account with an API key.) is Correct: This answer correctly identifies the three essential components for this scenario:

Accessing the API: By default, the firewall’s management plane (which hosts the API) is only accessible via the dedicated MGT interface. The prompt states the SOAR platform is in a different network segment, implying it will access the firewall via a data plane (e.g., ‘Trust’ or ‘DMZ’) interface. To allow this, the administrator must create an Interface Management Profile, enable the ‘HTTPS’ (or ‘HTTP’) service, and attach this profile to the data plane interface that the SOAR platform will be connecting to.

The Administrator/Key: The SOAR platform cannot just ‘anonymously’ access the API. It must authenticate. This is done by creating an Administrator account (e.g., ‘soar_user’) on the firewall with a role that permits API access. The administrator then generates an API key for this account. The SOAR platform will include this key in its API calls.

The ‘Service’ object: This part is slightly misleading, as a “Service” object isn’t strictly required for the API itself, but a Security policy rule is. A rule must be created from the SOAR-zone to the Firewall-zone (local) to allow the ‘https’ traffic, which would use a service object for ‘service-https’. However, the core of the answer (Interface Management Profile and API Key) is the critical, specific configuration needed to enable this non-standard access. This combination allows an external, non-management entity to securely access the API on a data plane interface.

Why A (An ‘API-Key’ generated on the firewall and a Log Forwarding Profile.) is Incorrect: A Log Forwarding Profile is used to send logs out from the firewall to an external system (like a SIEM). It has no role in receiving incoming API requests from an external system. This confuses the push (logging) mechanism with the pull (API) mechanism.

Why B (A WildFire API key configured under the ‘Device’ tab and an ‘auth-key’ in the SOAR platform.) is Incorrect: This is a common point of confusion. The “WildFire API key” (under Device > Setup > WildFire) is used by the firewall to submit samples to the public WildFire cloud. It is not used by external systems to query the firewall’s own API. The firewall’s management API is a separate system authenticated by the administrator’s API key (Option D).

Why C (A ‘Service Route’ to force API traffic over the MGT interface and an ‘Administrator’ account with an API key.) is Incorrect: A Service Route is used to change the source interface the firewall uses for its own, outbound-initiated traffic (e.g., DNS, NTP, WildFire submissions). It has no effect on inbound traffic, such as an API request from the SOAR platform to the firewall. The Interface Management Profile (Option D) is the correct feature for controlling inbound management access.

Question 90: 

A network administrator is troubleshooting an OSPF issue where a Palo Alto Networks firewall is not forming a “Full” adjacency with a new Cisco router. Both devices are on the same subnet (10.1.1.0/30) and can ping each other’s interface IP. The administrator sees the neighbor stuck in the ‘INIT’ state in show routing protocol ospf neighbor. What is the most common configuration mismatch that would cause this specific ‘INIT’ state?

A) The OSPF ‘Area ID’ is different on the two devices.
B) The ‘Hello’ and ‘Dead’ timers do not match.
C) The firewall’s Security policy is blocking the ‘ospf’ application.
D) The firewall is receiving OSPF ‘Hello’ packets from the router, but the router is not receiving the firewall’s ‘Hellos’.

Correct Answer: D

Explanation:

The correct answer is D. The OSPF ‘INIT’ state specifically means “I have received a Hello packet from you, but your Hello packet does not include my own Router ID, meaning you have not heard me yet.” This is the classic symptom of one-way communication.

Why D (The firewall is receiving OSPF ‘Hello’ packets from the router, but the router is not receiving the firewall’s ‘Hellos’.) is Correct: Let’s break down the OSPF states:

DOWN: No Hellos received.

INIT: The firewall (Firewall-A) has received a Hello packet from the router (Router-B). This Hello packet lists Router-B’s Router ID. Firewall-A now knows Router-B exists. However, when Firewall-A looks inside Router-B’s Hello packet, it does not see its own Router ID (Firewall-A) in the “Active Neighbors” list. This tells Firewall-A that “Router-B has not heard my Hellos yet.” This is the definition of the INIT state.

2-WAY: The firewall (Firewall-A) has received a Hello from Router-B, and inside that Hello, it does see its own Router ID. This means bidirectional communication is established. The problem described (stuck in ‘INIT’) is a textbook case of one-way communication. The firewall hears the router, but the router does not hear the firewall. This could be caused by an intermediate “dumb” switch blocking multicast, an access-list on the Cisco router’s inbound interface, or a misconfigured Security policy on the firewall (though Option C is a less likely explanation).

Why A (The OSPF ‘Area ID’ is different on the two devices.) is Incorrect: A mismatched Area ID would not allow the neighbor to get stuck in ‘INIT’. The Area ID is checked inside the Hello packet. If the Area IDs do not match, the firewall (or router) would reject the Hello packet entirely and the neighbor would not even be listed. It would remain in the ‘DOWN’ state.

Why B (The ‘Hello’ and ‘Dead’ timers do not match.) is Incorrect: This is a very common OSPF problem, but it causes the neighbor state to flap, or get stuck in ‘EXSTART’ or ‘DOWN’. It does not cause the neighbor to get stuck in ‘INIT’. The timers are also checked inside the Hello packet, and a mismatch would cause the Hello to be rejected, preventing the ‘INIT’ state from being established in the first place.

Why C (The firewall’s Security policy is blocking the ‘ospf’ application.) is Incorrect: This is a plausible but less precise answer than D. The firewall’s virtual router (VR) logic is generally “trusted” and its OSPF packets are not (by default) subject to Security policy. A Security policy would be needed if the OSPF-speaking interfaces were in different zones, which is a very unusual design. Even if a policy was blocking the ‘ospf’ application, it would likely be blocking it inbound or outbound, leading to the one-way communication described in D. Therefore, D is the more specific and accurate description of the symptom, while this option is a possible cause of that symptom. Given the ‘INIT’ state’s specific meaning, D is the better-defined answer.
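The Hello-processing logic behind the OSPF states above, as a constructed Python model added here for illustration (not code from the page or from PAN-OS); the Router IDs, Area IDs and timers are made up, and the model collapses a timer mismatch to DOWN rather than reproducing real flapping.

```python
from dataclasses import dataclass, field

DOWN, INIT, TWO_WAY = "DOWN", "INIT", "2-WAY"


@dataclass(frozen=True)
class Hello:
    """The fields of an OSPF Hello that matter for neighbor formation."""
    router_id: str
    area_id: str
    hello_interval: int
    dead_interval: int
    # Router IDs the sender has already heard from ("Active Neighbors").
    neighbors: frozenset = field(default_factory=frozenset)


@dataclass
class OspfInterface:
    router_id: str
    area_id: str
    hello_interval: int = 10
    dead_interval: int = 40
    heard: set = field(default_factory=set)     # peers whose Hellos we received
    state: dict = field(default_factory=dict)   # peer Router ID -> state

    def receive(self, hello: Hello) -> str:
        # Area ID and timers are checked first. On a mismatch the Hello is
        # rejected outright, so the peer never gets past DOWN (Options A and B).
        if (hello.area_id != self.area_id
                or hello.hello_interval != self.hello_interval
                or hello.dead_interval != self.dead_interval):
            self.state[hello.router_id] = DOWN
            return DOWN
        self.heard.add(hello.router_id)
        # INIT: we hear the peer, but its Hello does not list our Router ID.
        # 2-WAY: the peer's Hello lists us, so communication is bidirectional.
        new_state = TWO_WAY if self.router_id in hello.neighbors else INIT
        self.state[hello.router_id] = new_state
        return new_state

    def send(self) -> Hello:
        return Hello(self.router_id, self.area_id, self.hello_interval,
                     self.dead_interval, frozenset(self.heard))

    def neighbor_state(self, peer_id: str) -> str:
        return self.state.get(peer_id, DOWN)


def run_hellos(fw: OspfInterface, rtr: OspfInterface, rounds: int = 2,
               fw_to_rtr: bool = True, rtr_to_fw: bool = True):
    """Exchange Hellos for a few rounds. Setting one direction to False models
    a path that drops one side's Hellos (an inbound ACL, a switch filtering
    multicast). Returns (state the firewall shows, state the router shows)."""
    for _ in range(rounds):
        if fw_to_rtr:
            rtr.receive(fw.send())
        if rtr_to_fw:
            fw.receive(rtr.send())
    return fw.neighbor_state(rtr.router_id), rtr.neighbor_state(fw.router_id)


def healthy():
    return run_hellos(OspfInterface("10.1.1.1", "0.0.0.0"),
                      OspfInterface("10.1.1.2", "0.0.0.0"))


def one_way():
    # The router never receives the firewall's Hellos: the firewall is stuck
    # in INIT while the router still shows nothing (DOWN). This is Option D.
    return run_hellos(OspfInterface("10.1.1.1", "0.0.0.0"),
                      OspfInterface("10.1.1.2", "0.0.0.0"), fw_to_rtr=False)


def area_mismatch():
    return run_hellos(OspfInterface("10.1.1.1", "0.0.0.0"),
                      OspfInterface("10.1.1.2", "0.0.0.1"))


def timer_mismatch():
    return run_hellos(OspfInterface("10.1.1.1", "0.0.0.0", hello_interval=10),
                      OspfInterface("10.1.1.2", "0.0.0.0", hello_interval=30))
```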

Question 91: 

An administrator wants to ensure that all traffic initiated from the ‘Trust’ zone and destined for the ‘Untrust’ zone has a Security profile (Antivirus, Anti-Spyware, Vulnerability) applied. However, they want to create an exception for traffic from the ‘Finance’ user group, whose traffic should be allowed without any threat inspection due to a legacy application’s sensitivity. What is the most secure and efficient way to configure this?

A) Create a single Security rule: Trust to Untrust, User: any, Application: any, Action: Allow, and attach all Security profiles.
B) Create two rules: * Rule 1 (Top): Trust to Untrust, User: Finance, Action: Allow, no profiles. * Rule 2 (Bottom): Trust to Untrust, User: any, Action: Allow, attach all Security profiles.
C) Create two rules: * Rule 1 (Top): Trust to Untrust, User: any, Action: Allow, attach all Security profiles. * Rule 2 (Bottom): Trust to Untrust, User: Finance, Action: Allow, no profiles.
D) Create a single rule: Trust to Untrust, User: any, Action: Allow. Then, create a “Threat Override” policy for the ‘Finance’ user group.

Correct Answer: B

Explanation:

The correct answer is B. This solution correctly uses the top-down, first-match logic of the Security policy to create a specific exception (Rule 1) before applying the general, more restrictive rule (Rule 2).

Why B (Create two rules: Rule 1 (Top): Trust to Untrust, User: Finance, Action: Allow, no profiles. Rule 2 (Bottom): Trust to Untrust, User: any, Action: Allow, attach all Security profiles.) is Correct: The Palo Alto Networks firewall evaluates Security policies from top to bottom. The first rule that a packet’s session matches is the only rule that is applied.

Rule 1 (The Exception): This rule is placed at the top. It is highly specific: it only matches traffic from the ‘Finance’ user group. For this traffic, the Action is ‘Allow’, and no Security profiles are attached. When a ‘Finance’ user initiates a session, it matches this first rule, and the session is allowed without inspection. The firewall stops processing any further rules for this session.

Rule 2 (The General Rule): This rule is placed below the exception. It is a “catch-all” for all other users (User: any). When any non-Finance user initiates a session, their traffic will not match Rule 1 (because the user is not ‘Finance’). The firewall will proceed to Rule 2. This rule will match. The Action is ‘Allow’, but this rule does have the Antivirus, Anti-Spyware, and Vulnerability profiles attached. This traffic will be allowed and inspected. This “exception-first, general-last” model is the fundamental, best-practice way to build a Security policy.

Why A (Create a single Security rule: Trust to Untrust, User: any, Application: any, Action: Allow, and attach all Security profiles.) is Incorrect: This configuration would apply threat inspection to all users, including the ‘Finance’ group. It fails to create the required exception.

Why C (Create two rules: Rule 1 (Top): Trust to Untrust, User: any, Action: Allow, attach all Security profiles. Rule 2 (Bottom): Trust to Untrust, User: Finance, Action: Allow, no profiles.) is Incorrect: This is the most common configuration error. Because of the top-down, first-match logic, all traffic (from ‘Finance’ and all other users) would match Rule 1 first. Rule 1 would apply threat inspection to everyone. The more specific ‘Finance’ rule (Rule 2) would be “shadowed” and would never be hit. The order of the rules is critical.

Why D (Create a single rule… Then, create a “Threat Override” policy…) is Incorrect: “Threat Override” is not a standard feature name for this purpose. While there are mechanisms like “Application Override” (to change App-ID) and “Decryption Policy” (to bypass decryption), there is no high-level “Threat Override” policy that selectively disables Security profiles based on user. The correct and simplest way to “override” the threat policy is by creating a separate, preceding Security policy rule, as described in Option B.

Question 92: 

An administrator is configuring a new Palo Alto Networks firewall and wants to implement BGP. The firewall’s BGP configuration includes a ‘Redistribution Profile’ to advertise its static routes to its BGP peers. The static routes are correctly installed in the firewall’s RIB. However, the BGP peers are not receiving these routes. The administrator has already verified BGP peering is ‘Established’. Which of the following is the most likely cause for this failure?

A) The ‘Install Route’ checkbox is not enabled in the BGP General settings.
B) The ‘Redistribution Profile’ is not attached to the BGP ‘Export’ rule.
C) A “Filter” must be applied to the ‘Redistribution Profile’ to select the static routes.
D) The ‘Graceful Restart’ capability is not enabled on the BGP peers.

Correct Answer: B

Explanation:

The correct answer is B. In the PAN-OS BGP configuration, creating a ‘Redistribution Profile’ only defines what to redistribute. The administrator must then create an ‘Export’ rule to define when and to whom to apply that profile.

Why B (The ‘Redistribution Profile’ is not attached to the BGP ‘Export’ rule.) is Correct: The BGP configuration in PAN-OS is a multi-step process that offers granular control.

Redistribution Profile: The administrator first creates a ‘Redistribution Profile’ (e.g., static-to-bgp). Inside this profile, they select “static” as the source type and can add filters (like route-maps) to select which static routes to redistribute. This profile is just a “definition” or a “template” of routes.

BGP Peer Group: The administrator configures the BGP peers, typically within a Peer Group.

Export Rule (The Missing Step): By default, BGP only advertises routes it learned from other BGP peers. It does not automatically advertise redistributed routes. To do this, the administrator must go to the Peer Group > Export tab and create an ‘Export Rule’. This rule (which is like a route-map) tells the firewall: “For this Peer Group, use the ‘Redistribution Profile’ named static-to-bgp to export routes.” Without this final step of “activating” the profile with an Export rule, the firewall will successfully learn the static routes but will never advertise them to its peers. This is the most common reason for redistribution failure when BGP peering itself is already established.

Why A (The ‘Install Route’ checkbox is not enabled in the BGP General settings.) is Incorrect: The ‘Install Route’ checkbox serves the opposite function. It controls whether BGP-learned routes are “installed” into the firewall’s main routing table (the FIB). This setting affects inbound route processing. The problem described is with outbound route advertisement (exporting), which is not affected by this checkbox.

Why C (A “Filter” must be applied to the ‘Redistribution Profile’ to select the static routes.) is Incorrect: This is not strictly true. While applying a filter (like an IP prefix list) is a best practice to control which static routes are redistributed, it is not mandatory. If no filter is applied, the profile will default to “redistribute all static routes.” If the goal is to redistribute all static routes, no filter is needed. The lack of a filter would not cause no routes to be advertised; it would cause all of them to be. The root cause is that the profile itself is not being used (Option B).

Why D (The ‘Graceful Restart’ capability is not enabled on the BGP peers.) is Incorrect: ‘Graceful Restart’ is an advanced BGP feature that allows a router to restart its BGP process without causing its peers to drop their routes (preventing a “route flap”). This is a high-availability feature. It has absolutely no bearing on the initial redistribution of routes. BGP works perfectly fine, and redistribution will occur, regardless of whether Graceful Restart is enabled or not.

Question 93: 

An administrator is deploying a large-scale GlobalProtect environment. They need to ensure that when a remote user authenticates, the user’s endpoint receives a unique, static IP address from a specific IP pool every single time they connect. This is required for an old legacy application that uses an IP-based allow list. Which GlobalProtect Gateway IP pool allocation method should be used?

A) Round-Robin
B) Reserved
C) First-Available
D) User-Static

Correct Answer: B

Explanation:

The correct answer is B. While the options are slightly simplified, the ‘Reserved’ concept is the core mechanism used in GlobalProtect IP pool configuration to assign a static, persistent IP address to a specific username.

Why B (Reserved) is Correct: When configuring an IP Pool for a GlobalProtect Gateway (Network > GlobalProtect > Gateways > [gateway] > Agent > Client Settings > [config] > IP Pools), the administrator defines a pool of addresses. To meet the “static IP per user” requirement, the administrator does not use a dynamic allocation method. Instead, they would use the ‘Reserved’ functionality within the IP Pool. This allows the administrator to create a static mapping list. This list is a table where you add an entry for ‘Username’ (e.g., ‘legacy_user’) and map it to a specific ‘IP Address’ (e.g., ‘192.168.100.50’). When ‘legacy_user’ successfully authenticates to the gateway, the gateway will always assign them ‘192.168.100.50’. This IP is reserved for them and will not be given to any other user. This is the correct method to support IP-based allow lists for legacy applications.

Why A (Round-Robin) is Incorrect: ‘Round-Robin’ is a dynamic allocation method. It distributes IP addresses sequentially from the pool to connecting users to ensure an even load. The IP a user gets today will almost certainly be different from the one they get tomorrow. This is the opposite of the “static” requirement.

Why C (First-Available) is Incorrect: ‘First-Available’ (or sequential) is another dynamic allocation method. It scans the IP pool from the beginning and assigns the first IP address it finds that is not currently in use. This might result in a user getting the same IP if they are the only user, but in a large environment, the IP will be different almost every time. This is not a “static” or “persistent” assignment.

Why D (User-Static) is Incorrect: ‘User-Static’ is not a valid IP pool allocation method name within the PAN-OS configuration. It describes the goal (a static IP per user), but it is not the name of the feature or setting. The ‘Reserved’ list (Option B) is the feature used to achieve this goal.

Question 94: 

An administrator is configuring a ‘File Blocking’ profile to prevent users from downloading executable files, but they must allow executable files to be downloaded only from the trusted corporate ‘updates.corp.com’ server. The File Blocking profile is set to ‘block’ the ‘exe’ file type. What is the most effective way to create this exception?

A) Create a separate Security rule above the main rule, with ‘updates.corp.com’ in the ‘Destination’ field, and no File Blocking profile attached.
B) Create a Custom URL Category for ‘updates.corp.com’ and set its action to ‘allow’ inside the File Blocking profile.
C) Create a Decryption profile with a ‘no-decrypt’ action for ‘updates.corp.com’.
D) Create an Application Override policy for ‘updates.corp.com’ to change the application to ‘corporate-updates’.

Correct Answer: B

Explanation:

The correct answer is B. This is a common “what is the exception” question. The File Blocking profile itself has a built-in “exception” list where you can add URL Categories and set a different action (like ‘allow’) for them, which overrides the general ‘block’ action for that file type.

Why B (Create a Custom URL Category for ‘updates.corp.com’ and set its action to ‘allow’ inside the File Blocking profile.) is Correct: This is the most precise and secure method. The File Blocking profile (Objects > Security Profiles > File Blocking) allows you to define actions (e.g., ‘block’, ‘alert’) for various file types. A little-known but powerful feature of this profile is the “File Type Exceptions” (or similar) section at the bottom. This section allows you to add a list of Custom URL Categories. The administrator would:

Create a Custom URL Category (e.g., ‘Trusted-Update-Sites’) and add updates.corp.com to it.

In the File Blocking profile, add this ‘Trusted-Update-Sites’ category to the exception list.

Set the action for ‘exe’ files for this category to ‘allow’ (or ‘alert’). This means the same Security rule and same File Blocking profile are used. When a user goes to google.com and tries to download an ‘exe’, the file type is ‘exe’ and the URL category is not ‘Trusted-Update-Sites’, so the ‘block’ action is applied. When a user goes to updates.corp.com and downloads an ‘exe’, the file type is ‘exe’ and the URL category is ‘Trusted-Update-Sites’, so the ‘allow’ exception is applied.

Why A (Create a separate Security rule above the main rule, with ‘updates.corp.com’ in the ‘Destination’ field, and no File Blocking profile attached.) is Incorrect: This is a very common wrong way to do this. While it will work and will allow the executables, it is a significant security risk. By creating a separate rule with no File Blocking profile, you are also bypassing all other Security profiles for that traffic (e.g., Antivirus, Anti-Spyware, Vulnerability Protection). This “punches a hole” in the security policy. The requirement is to only bypass the ‘exe’ block, not to bypass all threat inspection for that site. Option B keeps the traffic inside the main, secure rule.

Why C (Create a Decryption profile with a ‘no-decrypt’ action for ‘updates.corp.com’.) is Incorrect: If the site is HTTPS, this would cause the File Blocking to be bypassed, as the firewall cannot see the file if it is not decrypted. However, this is a “side-effect,” not the correct way to configure the exception. It assumes the site is HTTPS. If the site is HTTP, this will do nothing. Furthermore, this is a poor security practice, as you are now “flying blind” and cannot perform any threat inspection (AV, AS) on the downloaded files, which is a risk even from a “trusted” server.

Why D (Create an Application Override policy…) is Incorrect: An Application Override is used to force the firewall to identify traffic as a different application. This is used when App-ID is failing (e.g., identifying a custom app as ‘unknown-tcp’). This has absolutely nothing to do with file types inside an allowed application (like ‘web-browsing’ or ‘ssl’). This feature solves a different problem.

Question 95: 

A firewall is configured with two zones: ‘Trust’ and ‘DMZ’. A web server in the ‘DMZ’ (10.1.1.10) needs to initiate connections to a database server in the ‘Trust’ zone (10.2.2.20) on port 1433. The administrator has configured the following Security policy rule:

Rule Name: Allow-SQL

Source Zone: DMZ

Destination Zone: Trust

Application: ms-sql-db

Service: application-default

Action: Allow

However, the connection is failing. The traffic logs show the packets are being denied by the ‘intrazone-default’ rule. What is the most logical explanation for this?

A) The web server (10.1.1.10) and database (10.2.2.20) are in the same zone.
B) The ‘intrazone-default’ rule’s action is ‘deny’.
C) The web server is initiating the connection on a non-standard port, and App-ID identifies it as ‘unknown-tcp’.
D) The ‘ms-sql-db’ application is dependent on the ‘ssl’ application, which is not in the rule.

Correct Answer: B

Explanation:

The correct answer is A. The log message is the key piece of evidence. The log states the traffic was denied by the ‘intrazone-default’ rule. This proves that the firewall determined the packet’s source zone and destination zone were the same. The administrator’s ‘Allow-SQL’ rule, which was for ‘DMZ’ to ‘Trust’ (an interzone rule), was never evaluated because the traffic was not interzone.

Why A (The web server (10.1.1.10) and database (10.2.2.20) are in the same zone.) is Correct: This is the root cause of the entire problem. The administrator’s assumption (that the database is in the ‘Trust’ zone) is incorrect, according to the firewall’s routing and zone lookup. Here is the flow of logic:

Packet from 10.1.1.10 arrives on the ‘DMZ’ interface (ingress zone = DMZ).

Firewall does a route lookup for the destination 10.2.2.20.

The route lookup determines that 10.2.2.20 is also reachable via an interface in the ‘DMZ’ zone (e.g., the same interface).

Therefore, the firewall classifies the session as intrazone (DMZ-to-DMZ).

The firewall evaluates the policy rules. It skips the ‘Allow-SQL’ rule because that rule is for Source Zone: DMZ, Destination Zone: Trust, and this packet is Source Zone: DMZ, Destination Zone: DMZ.

The packet falls through all ‘DMZ-to-DMZ’ rules and hits the final rule, intrazone-default.

The ‘intrazone-default’ rule’s action is ‘deny’ (as described in Option B), so the packet is dropped and logged. The administrator’s rule is failing because their zones are wrong. The database server is in the ‘DMZ’ with the web server, not in ‘Trust’.

Why B (The ‘intrazone-default’ rule’s action is ‘deny’.) is Incorrect: This statement is true. The action is ‘deny’. However, this is the action of the rule, not the explanation for the failure. It does not explain why the ‘Allow-SQL’ rule was skipped. The reason the ‘Allow-SQL’ rule was skipped is that the traffic was ‘intrazone’, as explained in Option A. Option A is the root cause, while Option B is just a factual statement about the default configuration.

Why C (The web server is initiating the connection on a non-standard port, and App-ID identifies it as ‘unknown-tcp’.) is Incorrect: This would be a different log message. If this were the case, the traffic would match the ‘Allow-SQL’ rule (assuming the Service was ‘any’ or the non-standard port was included). But since the application is ‘unknown-tcp’, it would not match the ‘ms-sql-db’ application. The traffic would then fall to the next rule, which would likely be the ‘interzone-default’ (deny). The log message would be ‘interzone-default’ deny, not ‘intrazone-default’.

Why D (The ‘ms-sql-db’ application is dependent on the ‘ssl’ application, which is not in the rule.) is Incorrect: This is a common App-ID issue, but it would manifest differently. The ms-sql-db traffic would be allowed, but then a new session for ‘ssl’ would be seen, and that session would be blocked. The log would show the ‘ssl’ application being denied. The log would not show ‘intrazone-default’ denying the initial connection.
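The policy evaluation that Question 91 (exception-first ordering and shadowing) and Question 95 (zone lookup deciding intrazone versus interzone) both rely on, as a constructed Python model added here for illustration; it is not code from the page or from PAN-OS, and the zones, routes, users, addresses and rule names are assumed values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                # "allow" or "deny"
    user: str = "any"
    application: str = "any"
    profiles: tuple = ()       # Security profiles attached; () means none


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    user: str = "unknown"
    application: str = "any"


@dataclass
class Firewall:
    routes: dict               # prefix -> zone of the egress interface
    rules: list = field(default_factory=list)
    intrazone_default: str = "allow"   # PAN-OS ships intrazone-default allow
    interzone_default: str = "deny"    # and interzone-default deny

    def zone_for(self, ip: str) -> str:
        """Zone of the egress interface from a longest-prefix route lookup."""
        addr = ip_address(ip)
        candidates = [ip_network(p) for p in self.routes if addr in ip_network(p)]
        if not candidates:
            raise LookupError(f"no route for {ip}")
        best = max(candidates, key=lambda n: n.prefixlen)
        return self.routes[str(best)]

    def evaluate(self, s: Session):
        """Top-down, first-match evaluation ending in the implicit defaults."""
        src_zone, dst_zone = self.zone_for(s.src_ip), self.zone_for(s.dst_ip)
        for r in self.rules:
            if (r.src_zone in ("any", src_zone)
                    and r.dst_zone in ("any", dst_zone)
                    and r.user in ("any", s.user)
                    and r.application in ("any", s.application)):
                return r.name, r.action, r.profiles
        if src_zone == dst_zone:
            return "intrazone-default", self.intrazone_default, ()
        return "interzone-default", self.interzone_default, ()


def shadowed_rules(fw: Firewall) -> list:
    """Names of rules that an earlier, at-least-as-broad rule prevents from
    ever matching (a coarse superset check, enough for the Q91 ordering error)."""
    def covers(a: Rule, b: Rule) -> bool:
        pairs = [(a.src_zone, b.src_zone), (a.dst_zone, b.dst_zone),
                 (a.user, b.user), (a.application, b.application)]
        return all(x in ("any", y) for x, y in pairs)
    return [b.name for i, b in enumerate(fw.rules)
            if any(covers(a, b) for a in fw.rules[:i])]


THREAT_PROFILES = ("antivirus", "anti-spyware", "vulnerability")

# Q91: exception-first ordering (Option B) versus the shadowed ordering (C).
FINANCE_EXEMPT = Rule("Finance-Exempt", "Trust", "Untrust", "allow", user="Finance")
INSPECT_ALL = Rule("Inspect-All", "Trust", "Untrust", "allow", profiles=THREAT_PROFILES)
EDGE_ROUTES = {"10.0.0.0/8": "Trust", "0.0.0.0/0": "Untrust"}


def q91_firewall(exception_first: bool = True) -> Firewall:
    order = [FINANCE_EXEMPT, INSPECT_ALL] if exception_first else [INSPECT_ALL, FINANCE_EXEMPT]
    return Firewall(EDGE_ROUTES, list(order))


# Q95: the database subnet is reached through a DMZ-zone interface, so the
# DMZ-to-Trust rule is never a candidate and intrazone-default (set to deny) hits.
DC_ROUTES = {"10.1.1.0/24": "DMZ", "10.2.2.0/24": "DMZ", "10.3.0.0/16": "Trust"}


def q95_firewall() -> Firewall:
    rule = Rule("Allow-SQL", "DMZ", "Trust", "allow", application="ms-sql-db")
    return Firewall(DC_ROUTES, [rule], intrazone_default="deny")
```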

Question 96: 

A network administrator needs to create a Security policy rule that dynamically allows access to newly-created, well-known SaaS applications in the ‘Collaboration’ category, without having to manually update the rule every time a new application is released. However, the rule must not include ‘high-risk’ or ‘evasive’ applications. Which object should be used in the ‘Application’ field of the Security rule?

A) An Application Group containing all known collaboration apps.
B) A Custom Application Signature matching ‘collaboration’.
C) An Application Filter with Category: collaboration, Risk: low, Risk: medium.
D) A Security policy rule with ‘collaboration-base’ in the application field.

Correct Answer: C

Explanation:

The correct answer is C. An Application Filter is the only object that is dynamic. It is not a static list of applications, but a “saved query” that is re-evaluated by the firewall every time new App-ID content updates are downloaded.

Why C (An Application Filter with Category: collaboration, Risk: low, Risk: medium.) is Correct: This is the precise use case for an Application Filter.

Dynamic: The administrator creates an Application Filter object (Objects > Application Filters). Inside this filter, they define the properties of the applications they want to allow. They do not select applications by name.

The Query: The filter would be Category = ‘collaboration’ AND Subcategory = ‘collaboration’ AND Risk IN (‘low’, ‘medium’); several values selected for one attribute are OR’ed together, while different attributes are AND’ed. This filter excludes Risk: ‘high’ (and ‘critical’).

The Rule: The administrator then uses this filter object (e.g., ‘low-risk-collaboration’) in the ‘Application’ field of the Security rule.

The Update: Next week, Palo Alto Networks releases a content update with a new App-ID for ‘new-collab-app’, which it categorizes as ‘collaboration’ and ‘Risk: medium’. The firewall downloads this update, re-evaluates the ‘low-risk-collaboration’ filter, and automatically adds ‘new-collab-app’ to the list of applications allowed by that rule, with no manual intervention required. This meets the “dynamically allows” requirement.

Why A (An Application Group containing all known collaboration apps.) is Incorrect: An Application Group is a static object. The administrator would have to manually create a list of all current collaboration apps. When ‘new-collab-app’ is released next week, the administrator would have to manually edit this Application Group and add the new app. This fails the “without having to manually update” requirement.

Why B (A Custom Application Signature matching ‘collaboration’.) is Incorrect: A Custom Application is used to create an App-ID for an application that Palo Alto Networks does not know about (e.g., an in-house app). It cannot be used to “match” a category like ‘collaboration’. This is the wrong tool for the job.

Why D (A Security policy rule with ‘collaboration-base’ in the application field.) is Incorrect: ‘collaboration-base’ is not a real, standard App-ID provided by Palo Alto Networks. There are “base” App-IDs for specific suites (like office-365-base or google-base), but not for an entire category. This object does not exist.
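The static-versus-dynamic distinction above, as a constructed Python model added here for illustration (not code from the page or from PAN-OS); the App-ID names, categories, risk labels and the ‘evasive’ flag are a made-up sample of what a content update carries.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppId:
    """Constructed subset of App-ID metadata (real values come from content)."""
    name: str
    category: str
    subcategory: str
    risk: str                  # "low", "medium", "high" or "critical"
    evasive: bool = False      # the 'evasive' characteristic


# Constructed App-ID database as of today's content version.
APPDB_TODAY = {a.name: a for a in [
    AppId("slack-base", "collaboration", "instant-messaging", "low"),
    AppId("zoom-base", "collaboration", "internet-conferencing", "medium"),
    AppId("bittorrent", "general-internet", "file-sharing", "critical", evasive=True),
    AppId("tunnel-chat", "collaboration", "instant-messaging", "medium", evasive=True),
]}


class ApplicationGroup:
    """Static: a hand-maintained list of App-ID names (Option A)."""
    def __init__(self, members):
        self.members = list(members)

    def resolve(self, appdb):
        return sorted(n for n in self.members if n in appdb)


class ApplicationFilter:
    """Dynamic: a saved query (Option C). Several values of one attribute are
    OR'ed (risk low OR medium); different attributes are AND'ed together."""
    def __init__(self, category=None, subcategory=None, risks=None,
                 exclude_evasive=False):
        self.category = category
        self.subcategory = subcategory
        self.risks = set(risks) if risks else None
        self.exclude_evasive = exclude_evasive

    def matches(self, app: AppId) -> bool:
        if self.category and app.category != self.category:
            return False
        if self.subcategory and app.subcategory != self.subcategory:
            return False
        if self.risks and app.risk not in self.risks:
            return False
        if self.exclude_evasive and app.evasive:
            return False
        return True

    def resolve(self, appdb):
        """Re-evaluated against whatever App-ID database is current."""
        return sorted(a.name for a in appdb.values() if self.matches(a))


def content_update(appdb, *new_apps):
    """Return the App-ID database after a content update adds new App-IDs."""
    updated = dict(appdb)
    updated.update({a.name: a for a in new_apps})
    return updated


LOW_RISK_COLLAB = ApplicationFilter(category="collaboration",
                                    risks={"low", "medium"}, exclude_evasive=True)
COLLAB_GROUP = ApplicationGroup(["slack-base", "zoom-base"])

# Next week's content update ships a new collaboration App-ID; the filter
# picks it up on re-evaluation, the group still lists only what was typed in.
APPDB_NEXT_WEEK = content_update(
    APPDB_TODAY, AppId("new-collab-app", "collaboration", "instant-messaging", "medium"))
```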

Question 97: 

An organization has a “golden” Panorama Template Stack used for all branch firewalls. This Template Stack contains a Template named “Global-Settings” which defines the corporate DNS and NTP servers. A new branch office in a different country needs to use all the “Global-Settings” except for the DNS servers; it must use a local, country-specific DNS server. What is the correct “override” procedure?

A) The administrator must ‘clone’ the “Global-Settings” Template, modify the DNS server, and create a new Template Stack for this branch.
B) The administrator can select the Template Stack on the branch firewall and, on the firewall’s local CLI, enter set deviceconfig system dns-setting <ip>.
C) The administrator can select the branch firewall object in Panorama, go to the ‘Template’ tab, select the “Global-Settings” Template, and ‘Override’ the DNS server value.
D) The administrator can use a Template Variable for the DNS server in the “Global-Settings” Template.

Correct Answer: D

Explanation:

The correct answer is D. This is the most scalable way to handle per-device exceptions to a global template, and it only works well if the administrator designs the template for this flexibility from the start.

Why D (The administrator can use a Template Variable for the DNS server in the “Global-Settings” Template.) is Correct: This is the current best-practice method and it keeps every exception visible in Panorama.

Design for Flexibility: When creating the “Global-Settings” Template, the administrator should not hard-code the DNS server IP (e.g., ‘10.0.0.53’). Instead, they insert a Template Variable (e.g., $dns_server_primary) in the Device > Setup > Services DNS field.

Set the Default: The variable is given a default value (e.g., ‘10.0.0.53’) when it is defined in the Template; the value can also be overridden at the Template Stack level. For the overwhelming majority of firewalls, this default is inherited and used.

The Exception: For the new branch firewall, the administrator opens the device in Panorama (Panorama > Managed Devices > Summary, then the Variables link for that firewall) and supplies a device-specific value for $dns_server_primary (e.g., ‘192.0.2.53’, the local resolver) that applies only to this firewall.

The Result: All firewalls share one “Global-Settings” Template. Every firewall but one uses the default value; the branch firewall uses its own overridden value. The exception is stored in Panorama, is visible in the variable list, and survives every subsequent push. The configuration remains clean, scalable, and easy to audit.

Why A (The administrator must ‘clone’ the “Global-Settings” Template, modify the DNS server, and create a new Template Stack for this branch.) is Incorrect: This is the “old” way of doing things and leads to template sprawl. The administrator now has two templates to maintain. A change to the NTP server (which is common to both) must be made in two places (“Global-Settings” and “Global-Settings-New-Branch”), doubling the work and increasing the chance that the copies drift apart. Option D (Variables) avoids this completely.

Why B (The administrator can select the Template Stack on the branch firewall and, on the firewall’s local CLI, enter set deviceconfig system dns-setting <ip>. ) is Incorrect: A Panorama-managed firewall does allow a local override of a template-pushed value, but this is the wrong tool here. The change lives only on that one firewall, is not visible in Panorama’s template, and is discarded the next time an administrator pushes with “Force Template Values” selected. Panorama should remain the single source of truth; an undocumented local override is exactly the kind of per-device drift that a centrally managed fleet is meant to eliminate.

Why C (The administrator can select the branch firewall object in Panorama, go to the ‘Template’ tab, select the “Global-Settings” Template, and ‘Override’ the DNS server value.) is Incorrect: This option describes a workflow that does not exist. The managed-device object in Panorama has no ‘Template’ tab from which individual template settings can be overridden per device. Overrides of template values are performed either locally on the firewall (with the drawbacks described under B) or at the Template Stack level, which would apply to every firewall using that stack, not just the branch. The mechanism designed for a per-device exception inside a shared template is the Template Variable, so D is the correct answer.

Question 98: 

A security administrator is reviewing traffic logs and finds an entry for application: unknown-udp. The traffic is on destination port 500. The administrator knows this is legitimate traffic from a custom, in-house application that uses this port. The administrator wants to correctly identify this traffic as ‘Internal-App’ and apply a specific Security profile to it without affecting any other ‘unknown’ traffic. What is the correct sequence of actions?

A) Create a Custom Application with a signature. Create a Security rule for ‘Internal-App’ with the Security profile.
B) Create an Application Override policy: Source/Dest/Port: 500, Application: Internal-App. Create a Security rule: Application: Internal-App, Action: Allow, and attach the Security profile.
C) Create a Security rule: Application: unknown-udp, Service: 500, Action: Allow, and attach the Security profile.
D) Create a custom ‘unknown-udp’ service object for port 500 and use it in a Security rule with Application: any.

Correct Answer: B

Explanation:

The correct answer is B. This is the exact use case for Application Override: re-classifying known, trusted traffic that App-ID cannot identify, so that it can then be handled by a proper App-ID-based Security rule.

Why B (Create an Application Override policy… Create a Security rule…) is Correct: This is the precise, two-step solution.

Step 1: Application Override Policy: The administrator first creates a custom application object named ‘Internal-App’ (Objects > Applications > Add). No signature is needed; the object only needs its category, risk, and ideally udp/500 as its default port. The administrator then creates an Application Override policy (Policies > Application Override) that says: “For traffic that matches Source Zone, Destination Zone, Source/Destination addresses, Protocol UDP, and Destination Port 500, stop App-ID processing and identify this traffic as ‘Internal-App’.”

Step 2: Security Policy: Because the firewall now identifies this traffic as ‘Internal-App’, the administrator creates a normal App-ID-based Security rule: Source Zone: X, Destination Zone: Y, Application: Internal-App, Service: application-default (or udp/500), Action: Allow, with the desired Security Profile attached. Only traffic that matches the override rule is relabelled; everything else on port 500 still classifies as ‘unknown-udp’ and falls through to the rest of the rulebase, so no hole is opened for all unknown traffic. Two caveats a practitioner should keep in mind: scope the override by zone and address, not just by port, because an override that matches port 500 alone would also relabel an attacker’s UDP/500 traffic as ‘Internal-App’; and Application Override bypasses App-ID and Content-ID for the overridden traffic, so signature-based threat inspection does not occur on it even with a profile attached. That trade-off is acceptable only for traffic you already trust, which is the scenario described.

Why A (Create a Custom Application with a signature.) is Incorrect: This is overkill and often not possible. A custom signature (Objects > Applications, with a signature defined) requires the administrator to know a reliable, repeating pattern in the application’s payload. For a simple in-house UDP application there may be no such pattern. An Application Override (Option B) is a signature-less re-classification and is simpler and more reliable for trusted internal traffic.

Why C (Create a Security rule: Application: unknown-udp, Service: 500, Action: Allow, and attach the Security profile.) is Incorrect: This is a bad security practice. The rule would allow any traffic on UDP/500 that App-ID cannot identify. An attacker could tunnel a C2 channel over UDP/500, App-ID would classify it as ‘unknown-udp’, and this rule would allow it. The goal is to re-classify the known-good traffic, not to allow all unknown traffic on that port.

Why D (Create a custom ‘unknown-udp’ service object… and use it in a Security rule with Application: any.) is Incorrect: This is even worse than Option C. It creates a purely port-based rule: “allow any application at all as long as it is on UDP port 500.” This is a legacy stateful-firewall rule that completely bypasses the App-ID engine and would allow ‘bittorrent’, ‘ssh’, or anything else tunnelled over that port.
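The evaluation order that makes Option B safe and Option C dangerous can be shown with a small model. The following is an added example written for this page, not PAN-OS code; it models only the matching fields relevant here (zones, addresses, protocol/port, the App-ID result) and assumes first-match rule processing with an implicit interzone deny, as on the firewall. The zone names, addresses and rule names are made-up sample values. The same trusted flow and an attacker’s flow on UDP/500 are run through the scoped override plus App-ID rule (Option B) and through the port-based ‘unknown-udp’ rule (Option C).

```python
"""Toy model: Application Override runs before the Security rulebase."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int
    appid_result: str  # what App-ID alone reports; "unknown-udp" when nothing matches


@dataclass(frozen=True)
class OverrideRule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str
    src: str        # CIDR or "any"
    dst: str
    proto: str
    port: int
    app: str        # custom application assigned to matching traffic


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset
    service: str            # "application-default", "any" or "<proto>/<port>"
    action: str
    profile: Optional[str] = None


# Default port of the custom application (resolves service=application-default).
APP_DEFAULT_PORTS = {"Internal-App": ("udp", 500)}


def _zone_ok(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == "any" or rule_zone == flow_zone


def _addr_ok(rule_addr: str, ip: str) -> bool:
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def classify(flow: Flow, overrides: list) -> str:
    """First matching override wins and replaces the App-ID result."""
    for r in overrides:
        if (_zone_ok(r.src_zone, flow.src_zone) and _zone_ok(r.dst_zone, flow.dst_zone)
                and _addr_ok(r.src, flow.src) and _addr_ok(r.dst, flow.dst)
                and r.proto == flow.proto and r.port == flow.dport):
            return r.app
    return flow.appid_result


def _service_ok(rule: SecurityRule, app: str, flow: Flow) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return APP_DEFAULT_PORTS.get(app) == (flow.proto, flow.dport)
    proto, port = rule.service.split("/")
    return proto == flow.proto and int(port) == flow.dport


def evaluate(flow: Flow, overrides: list, rules: list) -> tuple:
    """Return (application, action, profile); no match means the interzone default deny."""
    app = classify(flow, overrides)
    for r in rules:
        if (_zone_ok(r.src_zone, flow.src_zone) and _zone_ok(r.dst_zone, flow.dst_zone)
                and ("any" in r.apps or app in r.apps) and _service_ok(r, app, flow)):
            return app, r.action, r.profile
    return app, "deny", None


# Constructed sample policy and flows (hypothetical zones and addresses).
OVERRIDES = [OverrideRule("Internal-App-Override", "trust", "dmz",
                          "10.10.0.0/16", "10.20.5.10/32", "udp", 500, "Internal-App")]
APPID_RULES = [SecurityRule("Allow-Internal-App", "trust", "dmz", frozenset({"Internal-App"}),
                            "application-default", "allow", "internal-app-profiles")]   # Option B
PORT_RULES = [SecurityRule("Allow-unknown-udp-500", "any", "any", frozenset({"unknown-udp"}),
                           "udp/500", "allow")]                                         # Option C
INTERNAL = Flow("trust", "dmz", "10.10.4.7", "10.20.5.10", "udp", 500, "unknown-udp")
OUTSIDER = Flow("untrust", "dmz", "198.51.100.9", "10.20.5.10", "udp", 500, "unknown-udp")

if __name__ == "__main__":
    for label, flow in (("internal host", INTERNAL), ("outside host", OUTSIDER)):
        print(label, "with override + App-ID rule:", evaluate(flow, OVERRIDES, APPID_RULES))
        print(label, "with port-based unknown-udp rule:", evaluate(flow, [], PORT_RULES))
```

With the scoped override, the trusted flow is relabelled ‘Internal-App’ and allowed with its profile, while the outside host’s UDP/500 traffic stays ‘unknown-udp’ and hits the interzone deny; the port-based rule allows the outside host as well.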

Question 99: 

An administrator needs to deploy a VM-Series firewall in a public cloud. The deployment must be “zero-touch,” meaning the firewall, upon its first-ever boot, must automatically pull a specific PAN-OS software version, retrieve its license, and connect to its designated Panorama instance without any manual administrator login. Which VM-Series feature is required to achieve this?

A) GlobalProtect Clientless VPN
B) Bootstrapping
C) API Polling
D) High Availability (HA) Clustering

Correct Answer: B

Explanation:

The correct answer is B. “Bootstrapping” is the formal name for the “zero-touch-provisioning” (ZTP) process for VM-Series firewalls, allowing them to self-configure on initial boot.

Why B (Bootstrapping) is Correct: Bootstrapping is the process designed for this exact “day-zero” automation.

The Package: The administrator prepares a bootstrap package, a fixed folder structure with four directories: config, content, license, and software. The config folder contains, at a minimum, an init-cfg.txt file of key=value pairs (not CLI commands) such as type (dhcp-client or static), ip-address, netmask, default-gateway, hostname, dns-primary, and, most importantly, panorama-server, vm-auth-key, tplname, and dgname. The license folder holds an authcodes file with the license auth code, the software folder can hold the PAN-OS image the firewall should upgrade to, and the content folder can hold application and threat content updates. An optional bootstrap.xml in config supplies a full configuration for firewalls that will not be Panorama-managed.

The Storage: This package is placed in a cloud storage location (an AWS S3 bucket, Azure file share, or GCP bucket) that the new VM instance is permitted to read. Because init-cfg.txt carries the VM auth key and the authcodes file carries licensing entitlement, the location must be readable only by the instance’s identity (for example an IAM role attached to the instance), never public.

The “User Data”: When the VM-Series instance is launched, the administrator supplies user data (a feature of all major cloud platforms). For AWS this is a single line such as vmseries-bootstrap-aws-s3bucket=<bucket-name>; this tells PAN-OS where to find the bootstrap package.

The Boot: The VM-Series boots for the first time, reads the user data, contacts the storage location, downloads the package, and applies init-cfg.txt. This gives it a management network configuration, installs the license, upgrades to the staged software and content, and points it to Panorama.

The Hand-off: The firewall, now on the network and licensed, connects to Panorama and presents its VM auth key. Panorama accepts it as a managed device, places it in the Template Stack and Device Group named in init-cfg.txt, and pushes the full configuration (network settings, policies, objects). The entire process is automated and requires no manual login, achieving the “zero-touch” requirement.
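The package layout and init-cfg.txt format above are simple enough that a small generator is the natural way to stamp out one package per instance. The following is an added example, not Palo Alto Networks code; it assumes the documented folder layout (config, content, license, software), the init-cfg.txt keys named above, and the AWS user-data key vmseries-bootstrap-aws-s3bucket. The hostname, Panorama address, auth key, template stack, device group and bucket name are made-up sample values. The validation rejects the two mistakes most often seen in practice: a static management address without its netmask and gateway, and a Panorama server without the auth key the firewall needs to register.

```python
"""Generate VM-Series bootstrap packages (init-cfg.txt plus folder layout)."""
from __future__ import annotations

from pathlib import Path
from typing import Dict, Optional

# Keys documented for init-cfg.txt; anything else is rejected to catch typos.
KNOWN_KEYS = {
    "type", "ip-address", "netmask", "default-gateway", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "plugin-op-commands",
}
STATIC_REQUIRED = ("ip-address", "netmask", "default-gateway")
PACKAGE_DIRS = ("config", "content", "license", "software")


def build_init_cfg(params: Dict[str, str]) -> str:
    """Render init-cfg.txt as key=value lines after validating the combination."""
    unknown = sorted(set(params) - KNOWN_KEYS)
    if unknown:
        raise ValueError(f"unknown init-cfg keys: {unknown}")
    net_type = params.get("type", "dhcp-client")
    if net_type not in ("dhcp-client", "static"):
        raise ValueError("type must be dhcp-client or static")
    if net_type == "static":
        missing = [k for k in STATIC_REQUIRED if not params.get(k)]
        if missing:
            raise ValueError(f"static management address needs {missing}")
    if params.get("panorama-server") and not params.get("vm-auth-key"):
        raise ValueError("panorama-server given without vm-auth-key")
    ordered = {"type": net_type}
    ordered.update((k, v) for k, v in params.items() if k != "type")
    for k, v in ordered.items():
        if "\n" in str(v):
            raise ValueError(f"value for {k} must be a single line")
    return "".join(f"{k}={v}\n" for k, v in ordered.items())


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Read key=value lines back (blank lines ignored), for round-trip checks."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def package_files(init_cfg: str, authcode: Optional[str] = None) -> Dict[str, str]:
    """Map of relative path -> content for the package; empty dirs carry a marker."""
    files = {"config/init-cfg.txt": init_cfg}
    if authcode:
        files["license/authcodes"] = authcode + "\n"
    for d in PACKAGE_DIRS:
        if not any(p.startswith(d + "/") for p in files):
            files[d + "/"] = ""      # directory must exist even when empty
    return files


def write_package(root: Path, files: Dict[str, str]) -> None:
    """Materialise the package on disk; copy software/content images in separately."""
    for rel, content in files.items():
        target = root / rel
        if rel.endswith("/"):
            target.mkdir(parents=True, exist_ok=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)


def aws_user_data(bucket: str) -> str:
    """User-data line that points a VM-Series at its S3 bootstrap bucket."""
    return f"vmseries-bootstrap-aws-s3bucket={bucket}"


# Constructed sample values (hypothetical hostname, Panorama, stack, group, key).
SAMPLE = {
    "type": "dhcp-client",
    "hostname": "vmfw-branch-01",
    "panorama-server": "203.0.113.10",
    "vm-auth-key": "0123456789abcdef0123456789abcdef",
    "tplname": "Branch-Stack",
    "dgname": "Branch-DG",
    "dns-primary": "10.0.0.53",
}

if __name__ == "__main__":
    cfg = build_init_cfg(SAMPLE)
    write_package(Path("bootstrap-vmfw-branch-01"), package_files(cfg, authcode="I0000000"))
    print(cfg)
    print(aws_user_data("fw-bootstrap-eu-west-1"))
```

Run it once per instance with a different hostname (and, where needed, a different auth key or device group) and upload each resulting directory to a bucket that only that instance’s role can read; the printed user-data line is what goes into the launch template.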

Why A (GlobalProtect Clientless VPN) is Incorrect: GlobalProtect is a remote-access VPN solution for end-users. It has absolutely no role in the initial provisioning of the firewall itself.

Why C (API Polling) is Incorrect: “API Polling” is not a VM-Series provisioning feature, and the idea is backward. Any API-driven configuration (from Ansible, Terraform, or a script) requires the firewall to already have a management IP address, an administrative account, and the XML API reachable. None of that exists on the first boot. Bootstrapping (Option B) is the “pull” mechanism the firewall uses to obtain that initial state, after which API-based tools can take over for day-one and day-two changes.

Why D (High Availability (HA) Clustering) is Incorrect: HA is a “day-one” or “day-two” feature for device redundancy. You can only configure HA after two firewalls are already booted, licensed, and have basic network configuration. It is not a “day-zero” provisioning method.

Question 100: 

An administrator is configuring a ‘Vulnerability Protection’ profile with the default settings. A user’s traffic matches a signature with Severity: ‘critical’ and the Action: ‘default’. What specific action will the firewall take on this traffic, and why?

A) The traffic will be ‘allowed’ and an ‘alert’ will be generated, because ‘default’ means ‘alert’.
B) The traffic will be ‘dropped’, because the ‘default’ action for ‘critical’ severity is ‘reset-server’.
C) The traffic will be ‘dropped’, because the ‘default’ action for ‘critical’ severity is ‘drop’.
D) The traffic will be ‘blocked’ and the user will be presented with a block page, as ‘critical’ threats are always blocked.

Correct Answer: C

Explanation:

The correct answer is C. In a Vulnerability Protection profile, ‘default’ is not a single, static action. It tells the firewall to apply the default action that Palo Alto Networks assigned to the matched signature in the content release. For critical severity signatures that default is a blocking action, most commonly ‘drop’, so the traffic is dropped.

Why C (The traffic will be ‘dropped’, because the ‘default’ action for ‘critical’ severity is ‘drop’.) is Correct: This is an important detail of how Security Profiles work. A Vulnerability Protection profile is built from rules that select signatures by severity:

Critical

High

Medium

Low

Informational

For each rule you can set an action (‘alert’, ‘drop’, ‘reset-client’, ‘reset-server’, ‘reset-both’, ‘block-ip’) or leave it at ‘default’. ‘default’ is not a fixed action: it resolves, per signature, to the action Palo Alto Networks assigned to that signature. Blocking defaults (drop or a reset) are the norm for critical and high severity signatures, while many low and informational signatures default to ‘alert’. The per-signature default is visible in the Default Action column under Objects > Security Profiles > Vulnerability Protection > Exceptions, and in the Threat Vault, which is where a practitioner should check before relying on it for a specific threat ID. Therefore, when a ‘critical’ severity signature is matched with the action left at ‘default’, the firewall resolves ‘default’ to that signature’s blocking action, in this question ‘drop’: the offending packet is silently discarded and the session is ended.

Why A (The traffic will be ‘allowed’ and an ‘alert’ will be generated, because ‘default’ means ‘alert’.) is Incorrect: This is the most common wrong assumption. ‘default’ is not a synonym for ‘alert’. Many low and informational signatures do default to ‘alert’, but critical severity signatures default to a blocking action, so the traffic is not allowed through.

Why B (The traffic will be ‘dropped’, because the ‘default’ action for ‘critical’ severity is ‘reset-server’.) is Incorrect: The default action for the signature in this question is ‘drop’, not ‘reset-server’. ‘drop’ is a silent discard. ‘reset-server’, ‘reset-client’ and ‘reset-both’ are active rejections in which the firewall sends a TCP RST to the server, the client, or both (for UDP, where no RST exists, the packet is simply dropped). ‘drop’ gives the attacker no feedback and is the more common default; a reset is a valid configurable choice, but it is not what ‘default’ resolves to here.

Why D (The traffic will be ‘blocked’ and the user will be presented with a block page…) is Incorrect: A block page is a feature of URL Filtering or File Blocking, where the firewall can respond to a user-initiated web request. Vulnerability Protection is an inline exploit-prevention engine that inspects the data stream as it passes and, on a match (e.g., a buffer overflow attempt), drops or resets the session. There is no page to present; the connection simply fails.
