Q121:
An engineer is configuring an active/passive HA pair. The firewalls are connected via a dedicated switch for the HA1 and HA2 links. The engineer wants to ensure that a failure of the switch connecting the HA links does not cause both firewalls to become active. How can this be achieved?
A) Configure a path monitoring group that pings the switch.
B) Configure link monitoring on the HA1 and HA2 ports.
C) Enable and configure the HA1 Backup link.
D) Enable Heartbeat Backup and use a data port for the backup link.
Answer: D
Explanation
The correct answer is Enable Heartbeat Backup and use a data port for the backup link. The HA1 and HA2 links are critical for synchronization and state. If the switch connecting them fails, both firewalls will stop receiving heartbeats. The passive firewall will believe the active firewall is down and will attempt to become active, leading to a “split-brain” scenario where both firewalls are active. To prevent this, you can configure a Heartbeat Backup link. This uses an in-band data port (like a management port or a regular data port) as an alternative path for the HA heartbeats. If the primary HA1 link goes down, the firewall checks this backup path. If heartbeats are still received over the backup link, the passive firewall understands that only the HA1 link is down (not the peer) and will remain passive, preventing split-brain.
Option a is incorrect. Path monitoring is used to monitor the upstream/downstream network paths to critical resources (like a server or upstream router) to trigger an HA failover. It does not monitor the HA links themselves. Option b is incorrect. Link monitoring is used to monitor the state of data-plane interfaces. While this can trigger a failover, it does not solve the problem of the HA links themselves failing and causing a split-brain. Option c is incorrect. The HA1 Backup link is a second HA1 port (HA1-A and HA1-B) for redundancy, but it is typically cabled to the same switch. If the switch fails, both the primary and backup HA1 links will fail. The Heartbeat Backup (using a data port) provides true out-of-band path diversity.
Q122:
A security administrator is configuring a new URL Filtering profile. The requirement is to block all “malware” and “phishing” category sites, provide a “continue” override page for “questionable” category sites, and generate an alert for “high-risk” category sites. All other categories should be allowed. Which action list correctly configures this?
A)
malware: block
phishing: block
questionable: continue
high-risk: alert
(Default) any: allow
B)
malware: block
phishing: block
questionable: continue
high-risk: alert
(Default) any: block
C)
(Default) any: allow
malware: block
phishing: block
questionable: continue
high-risk: alert
D)
high-risk: alert
questionable: continue
malware: block
phishing: block
(Default) any: allow
Answer: A
Explanation
The correct configuration is provided in option A. Palo Alto Networks URL Filtering profiles are configured with a list of categories, and you define an action for each. The question explicitly states the required actions for four categories and that “All other categories should be allowed.” This “allow” action for all other categories is represented by the default rule “any: allow”. When the firewall processes a URL, it finds its category and applies the most specific action defined. If a URL’s category is not “malware,” “phishing,” “questionable,” or “high-risk,” it will be matched by the “any” rule and allowed.
Option b is incorrect because the default “any: block” rule would block all categories not explicitly mentioned, which violates the requirement to allow all other categories. Option c is marked incorrect on the reasoning that Palo Alto Networks security profiles (like URL Filtering) are evaluated from top to bottom: placing “any: allow” at the top would match all traffic, and the more specific block/continue/alert rules below it would never be evaluated. Option d is also functionally correct because the default “any: allow” rule is at the bottom. The order of the specific categories (high-risk, questionable, malware, phishing) relative to each other does not matter, since a URL can belong to only one of these categories at a time, so options A and D are functionally identical; A simply follows the more standard “block first, then warn, then alert” ordering and is the most common way to represent this configuration. Strictly speaking, a URL Filtering profile is not a firewall rule list: in the GUI there is no “default” rule. You set an action for “any” as the base and then add categories that override it. The most accurate representation is therefore Base Action: Allow, with overrides for the four categories, which is what option A expresses as a logical list.
Q123:
An administrator is troubleshooting a policy issue where traffic that should be matching a new Security policy rule is being denied by the default “intrazone-default” rule. The traffic is from the ‘Trust’ zone to the ‘Trust’ zone. What is the most likely reason for this?
A) The new Security policy rule has “intrazone-default” listed in the “Application” tab.
B) The new Security policy rule is positioned after the “intrazone-default” rule in the rulebase.
C) The “intrazone-default” rule has an action of “Deny” and cannot be changed.
D) The “intrazone-default” rule has a default action of “Deny”, and the new rule is not being matched.
Answer: D
Explanation
The correct answer is D. The “intrazone-default” rule, which applies to traffic within the same zone, has a default action of allow. The “interzone-default” rule, which applies to traffic between different zones, has a default action of deny. The question states traffic is being denied by “intrazone-default,” which implies its action has been changed from “allow” to “deny”. However, a more common scenario, and the likely point of the question, is that the administrator is misreading the log and the traffic is actually being denied by the interzone-default rule.
Let’s re-read the question: “denied by the default ‘intrazone-default’ rule.” We must take this as fact. By default, intrazone-default is set to allow. If traffic is being denied by it, an administrator must have manually changed its action to deny. If this is the case, the reason the new rule isn’t working is that the traffic is not matching its criteria (e.g., wrong source/destination, wrong application, wrong service) and is “falling through” to the next rule in the list, which is the now-modified intrazone-default (deny).
Option a is incorrect. “intrazone-default” is a rule name, not an application. Option b is incorrect. The default rules are system-generated and are always at the bottom of the rulebase. You cannot position a custom rule after a default rule. Option c is incorrect. The intrazone-default rule’s action is allow by default, and it can be changed (overridden). The interzone-default rule is deny by default.
Therefore, the most logical conclusion is that the new rule is not being matched for some reason (e.g., App-ID mismatch, service mismatch), and the traffic is falling through to the intrazone-default rule, which an administrator must have changed to “Deny” (a non-standard configuration, but possible).
Q124:
What is the primary function of the Content-ID (C-ID) engine in the Single-Pass Parallel Processing (SP3) architecture?
A) To scan for known and unknown threats, including viruses, spyware, and vulnerabilities, after the application is identified.
B) To identify the application based on its properties, regardless of port, protocol, or encryption.
C) To map IP addresses to usernames and user groups for use in security policies.
D) To perform route lookups, NAT policy lookups, and security policy lookups in parallel.
Answer: A
Explanation
The correct answer is A. The Content-ID (C-ID) engine is the component of the SP3 architecture responsible for threat prevention. After App-ID (option b) has identified the application, the stream is passed to Content-ID. Content-ID then scans this application-identified traffic for known threats (viruses, spyware, vulnerability exploits), as well as unknown threats (using WildFire). It also handles URL filtering and file blocking. This is all done in a single pass.
Option b describes the function of App-ID, not Content-ID. App-ID runs first to identify what the traffic is. Option c describes the function of User-ID, which provides user context to the security policy. Option d describes the general function of the data plane and the parallel processing nature of the SP3 architecture, but it is not specific to Content-ID. Content-ID is one of the processes that runs in parallel, but its function is threat scanning.
Q125:
An administrator needs to configure a GlobalProtect Portal and Gateway on a single firewall. The requirement is for external users to connect to an external interface for both the Portal and Gateway, while internal users should connect to an internal interface for both. How must the administrator configure the Portal’s “Agent” settings to achieve this?
A) Create one Agent config, list the external gateway’s IP first and the internal gateway’s IP second. Use “priority” to control access.
B) Create two separate Agent configs, one for “External” users and one for “Internal” users, each pointing to their respective gateways.
C) Create one Agent config, list both the external and internal gateway FQDNs, and use a “source-region” setting to differentiate.
D) This is not possible; a Portal can only deliver a list of gateways, it cannot deliver a list of other Portals.
Answer: B
Explanation
The correct method is to create two separate Agent configs within the Portal configuration. The Portal is responsible for authenticating the user and providing the agent with its configuration, including the list of available gateways. You can create multiple agent configurations and use “User/Group” or “OS” to control which config a user receives. However, to differentiate between internal and external users connecting to different gateways, you would typically use client certificate checks or different authentication profiles.
Let’s re-read the requirements. The Portal itself must be accessible on an internal and external interface. This is done in the Portal’s “General” settings, not the “Agent” config. The Portal then gives the agent a list of gateways. The question asks how to configure the Agent settings to point users to the right gateways.
The best way to handle an “internal” and “external” gateway list is to create two separate Agent configs.
Config 1 (External): This config would be for the “External” user group. In its “External Gateways” list, you would add the external gateway.
Config 2 (Internal): This config would be for the “Internal” user group. In its “External Gateways” list (which is a bit of a misnomer, it’s just the list of gateways), you would add the internal gateway. You would also configure “Internal Host Detection” to identify when the user is on the internal network.
When a user connects to the Portal (either from inside or outside), they authenticate. Based on their user group, the Portal delivers the correct agent config (either “External” or “Internal”), which contains the correct gateway for them to use.
Option a is incorrect. Gateway priority is used for failover, not for selecting an internal vs. external gateway based on user location. Option c is incorrect. Source region is not a primary factor in selecting an agent config. Option d is incorrect. This is a possible and common configuration.
Q126:
A network engineer is designing a NAT policy. An internal server with the IP 10.1.1.100 needs to be accessible from the internet via the public IP 203.0.113.5 on TCP port 443. This public IP is assigned to the firewall’s external interface. What NAT policy type is required?
A) Source NAT (Dynamic IP and Port)
B) Source NAT (Static IP)
C) Destination NAT (Static NAT)
D) U-Turn NAT
Answer: C
Explanation
This is a classic Destination NAT (Static NAT) scenario. The goal is to allow external users (source) to connect to an internal server. When the external user sends a packet to the public IP 203.0.113.5 (destination), the firewall must translate this destination IP to the internal private IP 10.1.1.100. This is a one-to-one, static mapping used to publish an internal service to the internet. The NAT policy would be configured with:
Original Packet: Source Zone (Untrust), Destination Zone (Untrust), Destination IP (203.0.113.5), Service (TCP-443)
Translated Packet (Destination): Translated IP (10.1.1.100), Translated Port (e.g., TCP-443)
Option a and b are for Source NAT. Source NAT is used to translate the source IP of internal users as they go out to the internet. This is the opposite of what is required. Option d, U-Turn NAT, is a specific NAT scenario that allows an internal user to access an internal server using its external public IP. While it involves Destination NAT, the primary requirement here is just the inbound Destination NAT.
Q127:
An administrator has configured a Decryption policy with the “Forward Proxy” type. What is the primary purpose of this configuration?
A) To decrypt inbound traffic from the internet to an internal web server.
B) To decrypt outbound traffic from internal clients connecting to external websites (e.g., google.com).
C) To decrypt SSH traffic for the purposes of threat inspection.
D) To decrypt traffic passing between two internal zones (East-West traffic).
Answer: B
Explanation
The Forward Proxy decryption type is specifically designed to decrypt outbound SSL/TLS traffic initiated by internal clients. In this scenario, the firewall acts as a “man-in-the-middle” (MITM) for the SSL session. It intercepts the client’s request to an external website (like google.com), impersonates the external server by “re-signing” its certificate with its own forward trust certificate, and establishes two separate SSL tunnels: one between the client and the firewall, and one between the firewall and the external server. This allows the firewall to see the decrypted application data, inspect it for threats with Content-ID, and then re-encrypt it before sending it to the destination.
Option a describes Inbound Decryption, which is used to decrypt traffic to your own internal servers (e.g., a public-facing web server) using the server’s real private key. Option c describes SSH Proxy, which is a separate decryption policy type specifically for SSH. Option d could be handled by Forward Proxy, but the primary and most common use case is for outbound (client-to-internet) traffic.
Q128:
A new Panorama-managed firewall is unable to receive configuration updates from Panorama. The administrator has verified IP connectivity between the firewall’s management interface and Panorama. The administrator also sees “connected-encrypted” for the firewall in Panorama. What is the most likely cause of this issue?
A) The firewall’s serial number has not been added to the Panorama managed devices list.
B) The firewall has uncommitted local changes that are conflicting with the Panorama push.
C) The Panorama “Commit All” operation was used instead of “Push to Devices.”
D) The firewall and Panorama are running different, incompatible PAN-OS versions.
Answer: B
Explanation
The most likely cause is that the firewall has uncommitted local changes. When a firewall is managed by Panorama, you should avoid making changes directly on the firewall’s local web interface. If a local administrator does make a change (e.g., creates a local policy or object) and does not commit it, this creates a configuration “lock.” When Panorama attempts to “Push” its configuration, the firewall will reject the push because it has a pending, uncommitted configuration that would be overwritten. The “connected-encrypted” status confirms that the management tunnel is up, and IP connectivity is good. The failure is happening at the configuration-merge step. The administrator must either commit or revert the local changes on the firewall before a Panorama push can succeed.
Option a is incorrect. If the serial number was not added, the firewall would not appear as “connected-encrypted” in Panorama. Option c is incorrect. “Commit All” is a Panorama-specific commit; “Push to Devices” is the operation that sends the config to the firewalls. Using “Commit All” would not, by itself, break the push. Option d is possible, but less likely if the firewall is already “connected-encrypted.” Major version mismatches often prevent the connection from even establishing. A simple uncommitted change is a very common operational error.
Q129:
A firewall is configured in Virtual Wire (v-wire) mode and is inserted between a router and a LAN switch. Which two objects must be created and applied to a Security policy to allow all traffic to pass? (Choose two.)
A) A Virtual Router
B) A Security Zone
C) A Virtual Wire object
D) A NAT Policy
Answer: B, C
Explanation
To configure a firewall in Virtual Wire (v-wire) mode, you must first create a Virtual Wire object. This object pairs two physical interfaces (e.g., ethernet1/1 and ethernet1/2) and binds them together as a single “bump-in-the-wire.” This object defines the v-wire itself.
Next, to write a Security policy, you must assign each of the v-wire interfaces to a Security Zone. For example, ethernet1/1 could be in the “Inside” zone, and ethernet1/2 could be in the “Outside” zone. You would then create a Security policy rule allowing traffic from “Inside” to “Outside” and from “Outside” to “Inside.”
Option a is incorrect. Virtual Wires do not participate in routing; they are transparent Layer 2 devices. No Virtual Router is needed. Option d is incorrect. A Virtual Wire passes traffic transparently and does not perform any IP address translation. No NAT Policy is needed.
Q130:
An administrator is configuring a User-ID agent to map IP addresses to usernames. The agent is monitoring the security event logs of several domain controllers. What specific Windows Event ID must the agent be able to read to successfully map a user logon?
A) 4624 (An account was successfully logged on)
B) 4720 (A user account was created)
C) 4768 (A Kerberos authentication ticket (TGT) was requested)
D) 4625 (An account failed to log on)
Answer: A
Explanation
The primary Windows Event ID used by the User-ID agent for logon mapping is 4624 (An account was successfully logged on). When a user successfully logs into a domain resource (like their workstation), a “Success” audit event with ID 4624 is generated in the security log of the domain controller that authenticated them. The User-ID agent is configured with a service account that has permission to read these security logs. It parses these 4624 events, extracts the username and the source IP address of the workstation, and creates a mapping (e.g., 10.1.1.50 = ‘jsmith’) in its database. This mapping is then sent to the firewall.
Option b (4720) is for account creation, not logon. Option c (4768) is for a Kerberos TGT request, which can also be used but is typically for clientless User-ID or as a secondary source. The primary and most reliable event for workstation logons is 4624. Option d (4625) is for a failed logon and would not be used to create a successful IP-to-user mapping.
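The parsing step described above, as an added example that is not the User-ID agent’s own code: successful-logon (4624) records are turned into an IP-to-user map while failed logons (4625), TGT requests (4768), machine accounts, anonymous sessions and logons with no usable source address are skipped. The event records, field names and addresses are constructed for the example and simplified from the real event schema.

```python
import ipaddress
from typing import Dict, Iterable, Mapping, Optional

# Constructed sample of Windows Security events, already exported as records
# (e.g. from a JSON export) rather than raw event text. Only the 4624 fields a
# logon mapper needs are kept: account, domain, logon type, source address.
# All values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.1.1.50"},
    {"EventID": 4624, "TargetUserName": "WS01$", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.1.1.51"},          # machine account
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "LogonType": 5, "IpAddress": "-"},                  # service logon, no source
    {"EventID": 4625, "TargetUserName": "mallory", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.1.1.60"},          # failed logon: ignored
    {"EventID": 4768, "TargetUserName": "bwayne", "TargetDomainName": "CORP",
     "LogonType": None, "IpAddress": "10.1.1.65"},       # TGT request: ignored here
    {"EventID": 4624, "TargetUserName": "ajones", "TargetDomainName": "CORP",
     "LogonType": 10, "IpAddress": "::ffff:10.1.1.70"},  # IPv4-mapped IPv6 form
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY",
     "LogonType": 3, "IpAddress": "10.1.1.80"},          # not a real user
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.1.1.55"},          # same user, new address
]

# Logon types that carry a meaningful client address: 2 interactive,
# 3 network, 10 remote interactive, 11 cached interactive.
MAPPABLE_LOGON_TYPES = {2, 3, 10, 11}


def normalize_source(addr: str) -> Optional[str]:
    """Return a clean IPv4/IPv6 string, or None when the address is unusable."""
    if not addr or addr == "-":
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    # Some hosts log IPv4 clients as ::ffff:a.b.c.d; unwrap to the IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return None                        # logon on the DC itself, not a workstation
    return str(ip)


def build_ip_user_map(events: Iterable[Mapping]) -> Dict[str, str]:
    """Map source IP -> DOMAIN\\user from successful logon (4624) events.

    Later events win, so a user who appears from a new address updates the map.
    """
    mapping: Dict[str, str] = {}
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                       # 4625/4768/4720 are not logon successes
        if ev.get("LogonType") not in MAPPABLE_LOGON_TYPES:
            continue                       # service/batch logons have no client
        user = str(ev.get("TargetUserName", ""))
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue                       # machine accounts and anonymous sessions
        ip = normalize_source(str(ev.get("IpAddress", "")))
        if ip is None:
            continue
        mapping[ip] = f"{ev.get('TargetDomainName', '')}\\{user}"
    return mapping


if __name__ == "__main__":
    for ip, user in sorted(build_ip_user_map(SAMPLE_EVENTS).items()):
        print(f"{ip} = {user}")
```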
Q131:
An engineer configures a new Security policy rule to block the ‘facebook-base’ application. A user in the ‘Sales’ group reports they can still access facebook.com. The administrator checks the traffic logs and sees that the user’s traffic is matching a rule above the new block rule. This higher-priority rule allows the ‘web-browsing’ and ‘ssl’ applications. Why is the ‘facebook-base’ application not being blocked?
A) The ‘facebook-base’ application depends on ‘web-browsing’, which is allowed.
B) The traffic is being encrypted, and the firewall is not configured for SSL decryption.
C) The ‘web-browsing’ application is a container app that includes ‘facebook-base’.
D) The user is in the ‘Sales’ group, which has an implicit override.
Answer: B
Explanation
The most likely reason is that the traffic is encrypted (HTTPS). The facebook-base application (App-ID) can only be identified by the firewall if it can see the unencrypted application headers and data. If the user is going to https://www.facebook.com, the entire session, including the HTTP headers that App-ID needs, is encrypted within an SSL tunnel.
The firewall’s data plane sees the initial SSL handshake and identifies the application as ‘ssl’. It may also identify the server name (SNI) and see facebook.com, but the specific sub-application facebook-base cannot be confirmed. The traffic matches the first rule in the policy list that allows ‘ssl’ and ‘web-browsing’ (port 443) and is permitted. The firewall never identifies the traffic as facebook-base, so the new block rule is never matched. To fix this, the administrator would need to enable SSL Forward Proxy decryption for this traffic.
Option a is incorrect. While facebook-base does depend on ssl and web-browsing, allowing the dependencies does not mean the application itself is allowed if a specific “deny” rule exists and is matched. The problem is that the “deny” rule is not being matched. Option c is incorrect. web-browsing is a service, not a container app. Option d is incorrect. There is no such thing as an “implicit override” for a user group.
Q132:
What is the function of a “Template” in Panorama?
A) To centrally manage Security, NAT, and PBF policies for a group of firewalls.
B) To push software and content updates to a group of firewalls.
C) To centrally manage device and network configurations (e.g., interfaces, zones, log forwarding) for a group of firewalls.
D) To group firewalls for the purpose of log collection.
Answer: C
Explanation
In Panorama, configuration is split into two main components:
Device Groups: These are used to manage shared policies, such as Security, NAT, PBF, and Decryption policies. (Option A)
Templates (and Template Stacks): These are used to manage the device and network configurations (the “Device” and “Network” tabs of the firewall). This includes settings like interfaces, virtual routers, zones, log forwarding profiles, GlobalProtect settings, and administrative accounts.
Therefore, a Template’s function is to centrally manage all the “base” configurations of a firewall that are not part of the policy rulebase.
Option a describes a Device Group. Option b is incorrect. While you can push updates from Panorama, the “Template” object is not what manages this function. Option d describes a Collector Group.
Q133:
An administrator needs to configure a Site-to-Site IPSec VPN tunnel. The remote peer device is a third-party router that does not support routing protocols. The administrator needs to define the specific internal subnets that should be allowed to communicate over the tunnel. What component must be configured on the Palo Alto Networks firewall to identify this traffic?
A) A Tunnel Interface
B) A GRE tunnel
C) Proxy IDs
D) A redistribution profile
Answer: C
Explanation
This scenario describes a Policy-Based VPN. The remote third-party device does not support routing, meaning it cannot dynamically learn which routes are available through the tunnel. Instead, it is configured with a “crypto map” or “security association” that statically defines “what’s interesting” (e.g., local subnet 192.168.1.0/24 to remote subnet 10.1.1.0/24).
On the Palo Alto Networks firewall, this is configured using Proxy IDs. In the IPSec Tunnel configuration, you would manually define Proxy IDs that match the remote peer’s configuration. For example:
Local: 192.168.1.0/24
Remote: 10.1.1.0/24
The firewall will then build an IPSec Security Association (SA) specifically for this subnet-to-subnet pair. This is different from a “Route-Based” VPN, which uses a Tunnel Interface and routing protocols (or static routes) to send traffic to the tunnel.
Option a is used in Route-Based VPNs, which the peer does not support. Option b is a different tunneling protocol. Option d is for sharing routes between routing protocols, which is not relevant here.
Q134:
Which PAN-OS plane is responsible for processing the security policy, performing NAT, and executing threat inspection with Content-ID?
A) Management Plane
B) Data Plane
C) Control Plane
D) Service Plane
Answer: B
Explanation
The Data Plane is the “workhorse” of the firewall and is responsible for processing all transit traffic. It executes the Single-Pass Parallel Processing (SP3) architecture. This includes:
Ingress/Egress processing
Route lookups
NAT policy execution
Security policy lookup and enforcement
App-ID
Content-ID (threat inspection)
User-ID lookup
The Data Plane is optimized for high-speed, low-latency packet processing.
Option a, the Management Plane, provides the user/admin interface (WebUI, CLI) and coordinates Panorama, logging, and reporting. Option c, the Control Plane, is responsible for “thinking” tasks, such as running routing protocols (BGP, OSPF), managing HA state, and maintaining the User-ID and App-ID tables. It tells the Data Plane how to process traffic. Option d, Service Plane, is not a formal plane in the PAN-OS architecture.
Q135:
An administrator wants to create a Security policy rule that only allows the ‘Sales’ department to use ‘salesforce-base’ and ‘linkedin-base’, while blocking these applications for all other users. What is the most critical prerequisite for this policy to function?
A) A URL Filtering profile must be attached to the rule.
B) The ‘Sales’ Active Directory group must be imported into Panorama.
C) SSL decryption (Forward Proxy) must be configured and enabled for this traffic.
D) An Authentication policy must be created to identify the ‘Sales’ users.
Answer: C
Explanation
The applications ‘salesforce-base’ and ‘linkedin-base’ are both exclusively web-based and run over HTTPS (SSL/TLS). The firewall’s App-ID engine can only definitively identify these specific applications if it can see the unencrypted application data. Without SSL decryption, the firewall will only identify the traffic as ‘ssl’ or ‘web-browsing’. A rule to “allow ‘salesforce-base'” will never be matched because the application will never be identified as such. Therefore, the most critical prerequisite is to enable SSL Forward Proxy decryption for this outbound traffic, allowing App-ID to see the decrypted data and correctly classify the application.
Option a is incorrect. URL Filtering is a separate feature. Option b is a part of the User-ID setup, but without decryption, the App-ID won’t work, making the User-ID irrelevant. Option d is also part of User-ID, but it’s not the most critical prerequisite. Even if the firewall identifies the user as being in ‘Sales’ (via User-ID), it cannot match the application part of the rule without decryption. The policy will fail on the App-ID.
Q136:
An engineer needs to configure a new virtual router and wants to ensure that if the primary path to the internet goes down, traffic will automatically switch to a backup ISP. The primary path is a static route. What feature should be configured?
A) A BGP routing protocol with AS-path prepending.
B) A floating static route with a higher metric than the primary static route.
C) A Policy Based Forwarding (PBF) rule to send traffic to the backup ISP.
D) An OSPF routing protocol with a higher cost on the backup link.
Answer: B
Explanation
The simplest and most direct way to achieve active/backup static routing is by using a floating static route. The engineer would configure two static routes for the destination (e.g., 0.0.0.0/0):
Primary Route: 0.0.0.0/0 via ISP-1-Gateway, Metric 10
Backup Route: 0.0.0.0/0 via ISP-2-Gateway, Metric 20
The virtual router will install the route with the lowest metric (Metric 10) into its forwarding table, making it the active, primary path. It keeps the Metric 20 route in its table as a backup. To make this failover dynamic, the engineer would also configure Path Monitoring on the primary route (Metric 10). This will ping a reliable target (like 8.8.8.8) out of the primary ISP. If those pings fail, the firewall considers the primary route “down,” removes it from the forwarding table, and “floats” to the next-best route, which is the backup route with Metric 20.
Option a and d are incorrect because the scenario specifies a static route, not dynamic routing. Option c is incorrect. While PBF can be used for this, it’s more complex. The standard, routing-table-based method is a floating static route.
Q137:
Which three components are required to configure a GlobalProtect VPN that authenticates users and provides access to internal resources? (Choose three.)
A) GlobalProtect Portal
B) GlobalProtect Gateway
C) GlobalProtect Clientless VPN
D) Authentication Profile
E) Log Forwarding Profile
Answer: A, B, D
Explanation
To set up a basic, functional GlobalProtect remote access VPN, you need three core components:
GlobalProtect Portal: This is the “front door.” The user’s endpoint (the GlobalProtect agent) connects to the Portal first. The Portal authenticates the user and, upon success, provides the agent with its configuration, such as the list of available gateways.
GlobalProtect Gateway: This is the “on-ramp.” After configuring itself, the agent disconnects from the Portal and connects to a Gateway. The Gateway terminates the IPSec/SSL VPN tunnel, authenticates the user again (or re-uses the Portal cookie), and enforces security policy for access to the internal network.
Authentication Profile: Both the Portal and the Gateway need to know how to authenticate users. An Authentication Profile is the object that defines the authentication method (e.g., LDAP, RADIUS, SAML, Kerberos) and the server profile (e.g., the IP of the domain controller) to use.
Option c, Clientless VPN, is a feature of GlobalProtect but is not a required component for the standard agent-based VPN. Option e, Log Forwarding Profile, is a best practice for monitoring but is not a functional requirement to make the VPN connect.
Q138:
Which component in Panorama is used to manage shared network settings, such as virtual routers, zones, and interface configurations, across multiple firewalls?
A) Device Group
B) Template Stack
C) Collector Group
D) Policy Rulebase
Answer: B
Explanation
In Panorama, network and device settings (everything on the “Network” and “Device” tabs) are managed using Templates. A Template Stack is an object that allows you to combine multiple templates and apply them to a set of firewalls. This is the mechanism for managing shared network settings. For example, you could have one template for “Global” settings (like DNS, NTP) and another for “USA-Site” settings (like interface IPs and zones) and combine them in a Template Stack for all your USA firewalls.
Option a, Device Group, is used to manage shared policies (Security, NAT, Decryption, etc.). Option c, Collector Group, is used to group Log Collectors for redundancy and load balancing of log traffic. Option d, Policy Rulebase, is a component within a Device Group.
Q139:
A user is attempting to access http://www.badsite.com. The firewall has a URL Filtering profile that blocks the “malware” category. The traffic log shows the session was “allowed” by a Security policy, but the URL log shows the action was “block-url.” What is the expected user experience?
A) The user can access the site normally because the Security policy action was “allow.”
B) The user’s browser will receive a 404 Not Found error.
C) The user’s browser will time out as the firewall silently drops the packets.
D) The user’s browser will be served a response page from the firewall stating the website is blocked.
Answer: D
Explanation
This question tests the order of operations and how security profiles are applied.
The user’s traffic first hits the Security policy rulebase. It matches a rule (e.g., “Allow-Outbound”) that has an action of allow.
Because the action is “allow,” the firewall then applies the Security Profiles (like URL Filtering) attached to that rule.
The URL Filtering profile is checked. The site www.badsite.com is in the “malware” category, which the profile is set to block.
The firewall stops the session at this point and takes the action defined in the URL profile. The default block action is to send an HTTP 503 response page back to the user’s browser.
The user will see a browser page (the “block page”) from the firewall, explaining that the site is blocked by corporate policy. The traffic log shows “allow” because the session was allowed by the policy, but the content was blocked by the profile. The URL log correctly reflects the final content-level action, “block-url.”
Option a is incorrect. The security profile block overrides the policy’s allow. Option b is incorrect. The firewall sends a 503 (or similar) block page, not a 404. Option c is incorrect. The “block” action sends a response page. A “drop” action would silently drop the packets and cause a timeout.
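Pulling Q122 and Q139 together, the evaluator below, added here as an example and not Palo Alto Networks code, models a URL Filtering profile as a base action for “any” with per-category overrides and applies it only after the Security policy has allowed the session, so the same request yields a traffic-log “allow” and a URL-log “block-url”. The hostnames, their categories, and the URL-log strings other than block-url (taken from the PAN-OS URL Filtering log action values) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the firewall's URL category database. The category
# names are those used in the questions; the hostnames are made up.
URL_CATEGORIES: Dict[str, str] = {
    "www.badsite.com": "malware",
    "login-verify.example": "phishing",
    "casino.example": "questionable",
    "newly-seen.example": "high-risk",
    "docs.example": "computer-and-internet-info",
}

# Profile action -> (URL Filtering log action, what the user experiences).
# "block-url" is the value quoted in Q139; the other log strings are assumed.
ACTION_EFFECTS: Dict[str, Tuple[str, str]] = {
    "allow":    ("allow",          "site loads normally"),
    "alert":    ("alert",          "site loads normally, URL log entry written"),
    "continue": ("block-continue", "continue page served, user may click through"),
    "block":    ("block-url",      "block response page served"),
}


@dataclass
class UrlFilteringProfile:
    """Base action for 'any' plus per-category overrides (Q122).

    Overrides are keyed by category, so the order in which they were entered
    cannot change the outcome: a URL belongs to exactly one category.
    """
    base_action: str
    overrides: Dict[str, str]

    def action_for(self, category: str) -> str:
        return self.overrides.get(category, self.base_action)


@dataclass
class SecurityRule:
    name: str
    action: str                                  # "allow" or "deny"
    url_profile: Optional[UrlFilteringProfile] = None


def evaluate(rule: SecurityRule, host: str) -> Tuple[str, Optional[str], str]:
    """Return (traffic log action, URL log action, what the user sees).

    The Security policy decision comes first; attached profiles run only when
    the rule action is allow. That is why the traffic log can read "allow"
    while the URL log reads "block-url" for the same session (Q139).
    """
    if rule.action != "allow":
        return ("deny", None, "session denied by policy")
    if rule.url_profile is None:
        return ("allow", None, "site loads normally")
    category = URL_CATEGORIES.get(host, "unknown")
    url_log_action, user_sees = ACTION_EFFECTS[rule.url_profile.action_for(category)]
    return ("allow", url_log_action, user_sees)


# The profile from Q122: block malware and phishing, continue on questionable,
# alert on high-risk, allow everything else.
Q122_PROFILE = UrlFilteringProfile(
    base_action="allow",
    overrides={"malware": "block", "phishing": "block",
               "questionable": "continue", "high-risk": "alert"},
)
ALLOW_OUTBOUND = SecurityRule("Allow-Outbound", "allow", Q122_PROFILE)


if __name__ == "__main__":
    for host in URL_CATEGORIES:
        traffic, url, seen = evaluate(ALLOW_OUTBOUND, host)
        print(f"{host:24} traffic={traffic:5} url={str(url):14} -> {seen}")
```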
Q140:
An administrator is troubleshooting an active/passive HA failover. The passive firewall is reporting that the active peer is “down,” but the active firewall is fully operational and processing traffic. The HA1 links are connected “back-to-back” with a direct cable. The administrator checks the HA1 link status and sees it is “up.” What is the most likely cause of this “split-brain” condition?
A) Path monitoring on the active firewall has failed, causing it to become passive.
B) The HA1 interface on the passive firewall is not configured with an IP address.
C) HA-LITE has been enabled on the passive firewall by mistake.
D) The passive firewall’s control plane is non-responsive, so it cannot process the HA heartbeats.
Answer: D
Explanation
This is a classic “passive-link” or “non-functional” state. The HA1 link is physically “up” (Layer 1 is good), and it has an IP (Layer 3 is good). However, the application-level heartbeats are failing. The passive firewall sends a heartbeat but gets no reply. It assumes the active firewall is down and attempts to go active, causing a split-brain. The reason the active firewall isn’t replying is that its control plane (the ha_agent process) is non-responsive (e.g., crashed, or the CPU is at 100%). Even though its data plane is still up and processing traffic (making it look “operational”), its control plane is dead and cannot manage HA, routing, or other “thinking” tasks. This is a common failure scenario.
Option a is incorrect. If path monitoring failed on the active firewall, it would correctly fail over and become passive. The problem here is that the passive firewall thinks the active one is down. Option b is incorrect. The HA1 interface must have an IP address to function. If it didn’t, the link state would likely be down or non-functional from the start. Option c is incorrect. HA-LITE is a legacy term and not a configurable mode in this context.