NGFW2

Title of test: NGFW2
Description: Exam questions



You are setting up a Palo Alto Networks firewall to switch traffic at Layer 2 between multiple VLANs. You want to ensure the firewall can inspect traffic between VLANs while still allowing VLAN switching. Which configuration step is not necessary?
• Enable ARP Inspection to prevent ARP spoofing attacks in Layer 2 mode.
• Create a VLAN interface (L3) and associate it with a Virtual Router for inter-VLAN routing.
• Assign Layer 2 interfaces to different Virtual Routers for inter-VLAN communication.
• Assign all Layer 2 interfaces to VLAN objects.

A network security engineer is configuring an SSL/TLS service profile on a Palo Alto Networks Next-Generation Firewall running PAN-OS. Which of the following options must be configured when creating an SSL/TLS service profile?
• The DNS settings for resolving certificate-related queries.
• The Certificate Authority (CA) certificate to validate client certificates.
• The OCSP responder settings for certificate validation.
• The private key associated with the selected certificate.

An organization wants to integrate its Palo Alto Networks Next-Generation Firewall (NGFW) with an automation tool like Ansible to enforce security policies dynamically. The goal is to create, update, and delete security rules automatically based on real-time threat intelligence. Which of the following is the best approach for securely integrating PAN-OS with an automation tool?
• Disable API authentication for automation tools to streamline integration.
• Manually configure each firewall policy through the GUI instead of using automation tools.
• Allow automation tools to authenticate with the firewall using a shared administrator account.
• Use the PAN-OS Ansible modules that leverage the firewall's API for managing configurations.

A network administrator is configuring User-ID on a Palo Alto Networks firewall to map user identities to IP addresses in an on-premises Active Directory environment. Which of the following configurations is required to ensure successful User-ID integration?
• Creating a User-ID policy under the security rulebase.
• Enabling the firewall to act as an LDAP proxy for user authentication.
• Configuring a service account with read-only access to the Active Directory Security logs.
• Enabling User-ID agent access to the firewall's management interface.

An enterprise is adopting Kubernetes for its microservices architecture and wants to deploy Palo Alto Networks CN-Series firewalls for container security. The network engineer is tasked with selecting the appropriate deployment mode for CN-Series to protect east-west traffic inside the Kubernetes cluster. Which of the following deployment options is best suited for securing east-west traffic within a Kubernetes environment using CN-Series?
• Deploy the CN-Series firewall as a centralized VM-Series firewall and route all traffic through it.
• Use Kubernetes Network Policies in place of CN-Series firewalls to secure east-west traffic.
• Deploy the CN-Series firewall as an Ingress Controller to inspect external traffic before it reaches Kubernetes services.
• Deploy the CN-Series firewall as a DaemonSet on every Kubernetes node.

An administrator wants to configure multi-factor authentication (MFA) for VPN users connecting through the GlobalProtect portal. The organization uses LDAP for primary authentication and an external RADIUS server for OTP-based secondary authentication. What is the correct way to implement this in the firewall?
• Define two separate authentication profiles, apply the LDAP profile to the portal and the RADIUS profile to the gateway.
• Use the firewall's local database for primary authentication and set RADIUS as fallback in case of LDAP failure.
• Configure an authentication profile with LDAP and use a RADIUS authentication sequence.
• Create an authentication sequence that includes both LDAP and RADIUS, then apply it to the GlobalProtect portal.
An enterprise is planning to deploy multiple virtual systems (VSYS) on a Palo Alto Networks firewall to segment different departments. The network administrator needs to allocate resources efficiently to avoid conflicts. Which two of the following actions can be performed to optimize VSYS resource allocation? (Choose two)
• Configure shared global security policies that apply across all virtual systems.
• Set up administrative profiles to restrict access to specific VSYS instances.
• Use a single virtual router across all VSYS to simplify route management.
• Assign dedicated physical interfaces to each VSYS to avoid contention.
• Each VSYS must use a separate, dedicated virtual router.

Your company is deploying a Palo Alto Networks Next-Generation Firewall (NGFW) to secure workloads in a Kubernetes cluster running in a cloud environment. You need to ensure proper traffic inspection while maintaining scalability and automation. The team is considering different deployment strategies using third-party orchestration tools. Which of the following approaches is the most effective way to deploy a Palo Alto Networks NGFW in a Kubernetes environment?
• Install the firewall on a separate virtual machine and route Kubernetes pod traffic through it via a static route.
• Deploy the firewall as a sidecar container alongside every microservice for real-time packet filtering.
• Use the Palo Alto Networks CN-Series container firewall with Kubernetes Network Policies to inspect traffic within the cluster.
• Deploy the firewall as a DaemonSet to enforce security policies on every node in the cluster.

A network administrator is setting up an IPSec VPN between two Palo Alto Networks firewalls to securely connect two remote sites. During the configuration process, the administrator must ensure that both Phase 1 and Phase 2 settings are properly configured. Which of the following is a required step to establish a functional IPSec VPN tunnel in PAN-OS?
• Configure the tunnel interface with an IP address assigned from the same subnet as the remote network.
• Disable Dead Peer Detection (DPD) to prevent unnecessary IPSec rekeying.
• Define an IPSec Tunnel and associate it with an IKE Gateway and a Tunnel Interface.
• Enable Aggressive Mode in IKE Phase 1 to establish a more secure VPN connection.

Which two of the following actions are required to properly set up SSL Forward Proxy decryption? (Choose two)
• Configure the Root CA certificate as a Forward Trust certificate.
• Assign the certificate to a security zone.
• Generate and install a self-signed Root CA certificate on the firewall.
• Enable OCSP (Online Certificate Status Protocol) on the firewall.
• Import a trusted third-party CA certificate for SSL Forward Proxy.

You are configuring an IPSec tunnel between a Palo Alto Networks firewall and a third-party VPN device. After configuring the tunnel interface, setting up IKE and IPSec security profiles, and defining the peer details, the tunnel does not come up. What is the MOST likely reason for this failure?
• The GlobalProtect gateway is enabled, interfering with IPSec traffic.
• The tunnel interface does not have a management profile assigned.
• The IPSec Phase 1 proposal is set to AES-256, while the peer uses AES-GCM.
• The IPSec SA lifetime values are mismatched between the two devices.

A cloud security engineer is tasked with deploying Palo Alto Networks CN-Series firewalls in an enterprise Kubernetes environment running on Amazon EKS. The engineer must ensure that the firewall can inspect and enforce security policies on container traffic while integrating with Kubernetes-native services. Which of the following requirements must be met when deploying CN-Series firewalls in an AWS EKS environment?
• CN-Series can only function in Kubernetes environments that use Calico as the CNI.
• CN-Series firewalls must be configured as StatefulSets rather than DaemonSets to persist firewall state across pod restarts.
• CN-Series must be deployed in a separate Kubernetes cluster from the workloads it protects.
• The CN-Series firewall must be deployed with a Kubernetes CNI plugin that supports traffic redirection to the firewall pods.

A firewall administrator wants to ensure that all security logs from a Palo Alto Networks firewall are forwarded to an external Syslog server for monitoring. Which of the following steps must be performed to configure log forwarding properly in PAN-OS?
• Configure a Syslog profile and apply it globally under Device > Log Settings to forward all logs automatically.
• Configure a log forwarding profile, add the Syslog server, and apply the profile to the relevant security policies.
• Enable logging in the Monitor tab and specify the Syslog server's IP address.
• Configure a log forwarding profile, enable Syslog under Device > Syslog Settings, and restart the firewall for changes to take effect.

A company is migrating from an on-premises Active Directory-based network to a hybrid-cloud environment with a mix of Azure AD, Google Workspace, and on-premises domain controllers. The network administrator needs to configure Cloud Identity Engine (CIE) with User-ID to ensure accurate user context across cloud and on-premises resources. Which of the following configurations is the most effective way to ensure comprehensive user-to-IP mapping in this hybrid environment?
• Configure only Azure AD authentication for all users and rely on SAML single sign-on (SSO) for user tracking.
• Enable Cloud Identity Engine (CIE) integration with both on-prem AD and cloud identity providers, and configure it as the primary User-ID source.
• Deploy a User-ID Agent on-premises and configure it to retrieve logs from Azure AD and Google Workspace.
• Set up LDAP authentication to query user groups from both cloud and on-premises sources.
Which of the following configuration settings is essential for establishing a functional Active/Passive High Availability (HA) pair in PAN-OS, ensuring proper failover and synchronization?
• Setting the same virtual MAC address for the floating IP interfaces.
• Enabling DHCP on the HA control link interfaces.
• Configuring different management IP addresses for each firewall in the HA pair.
• Configuring different heartbeat backup IP addresses on each firewall.

An engineer is configuring authentication for administrators accessing a Palo Alto Networks firewall running PAN-OS. The security policy requires the use of certificates for authentication. Which of the following steps is required to enable certificate-based authentication for administrators?
• Enable two-factor authentication using OTP before allowing certificate-based authentication.
• Import the Certificate Authority (CA) certificate and assign it as a trusted CA under Device > Certificates.
• Configure the firewall to use a wildcard certificate for administrator authentication.
• Create a Local Database Authentication Profile and associate it with a self-signed certificate.

An engineer is configuring GlobalProtect to enforce Multi-Factor Authentication (MFA) for remote users. The organization requires users to authenticate with a username and password first, followed by an MFA challenge using an external identity provider (IdP). The engineer must ensure that the GlobalProtect portal and gateway enforce MFA properly. Which of the following is the correct configuration for enforcing MFA in GlobalProtect?
• Configure a RADIUS authentication profile for the first authentication factor and an LDAP profile for the second factor.
• Configure an authentication profile with a SAML IdP and apply it to the GlobalProtect portal and gateway.
• Enable MFA by adding an authentication enforcement object to the security policy without modifying the GlobalProtect portal settings.
• Create a Local Authentication Profile on PAN-OS and use it for both factors.

An engineer is configuring inter-VSYS routing on a Palo Alto Networks Next-Generation Firewall running PAN-OS. The goal is to allow communication between Virtual System (VSYS) instances without using an external router. Which of the following statements best describes the correct approach to configuring inter-VSYS communication?
• Create a Virtual Router that is shared across multiple VSYS instances and configure route leaking between them.
• Assign the same security zone to interfaces across VSYS instances to allow communication between them without additional routing.
• Configure a Shared Gateway (SG) to allow traffic forwarding between VSYS instances and enable security policies for inter-VSYS communication.
• Use a Layer 3 interface in one VSYS and configure static routes pointing to the other VSYS using Next-Hop IP addresses.

A network engineer is configuring a Palo Alto Networks Next-Generation Firewall to route traffic between multiple VLANs using virtual routers. The engineer wants to ensure that traffic between VLANs can be efficiently routed without requiring an external Layer 3 device. Which of the following steps is necessary to configure inter-VLAN routing using virtual routers in PAN-OS?
• Configure VLAN interfaces and assign them to a virtual router.
• Assign the "default gateway" to the physical interface rather than VLAN interfaces.
• Enable "Interzone Routing" under the Security policy to allow VLAN traffic.
• Configure a "static route" for each VLAN in the virtual router's routing table.

A Palo Alto Networks Next-Generation Firewall is configured to perform SSL Forward Proxy decryption. Which of the following certificates must be installed on client devices to ensure successful decryption without browser warnings?
• An SSL certificate signed by a public CA installed on the firewall.
• A Root Certificate Authority (CA) certificate signed by an external CA.
• A Wildcard Certificate for internal domains only.
• A self-signed Forward Trust Certificate generated by the firewall.

A Palo Alto Networks administrator is setting up a GlobalProtect Gateway to provide secure remote access to users. The administrator wants to enforce strong authentication while ensuring seamless user experience. Which authentication method should be used to achieve both strong security and user convenience?
• Certificate-based Authentication.
• Two-Factor Authentication (2FA) with MFA.
• Static IP Allowlisting.
• Pre-shared Key (PSK) Authentication.

An administrator is configuring a multi-VSYS firewall and needs to assign interfaces to different VSYS instances. Which of the following must be considered when assigning interfaces to a VSYS?
• The default VSYS (VSYS1) must be deleted before adding additional VSYS instances.
• VSYS must be enabled in the firewall's feature license before creating virtual systems.
• A VSYS cannot function without a dedicated physical interface.
• An interface can belong to multiple VSYS instances simultaneously.

An administrator is configuring a certificate profile in PAN-OS to enforce client certificate authentication for a GlobalProtect VPN deployment. The goal is to ensure that only trusted endpoints with valid certificates can connect to the firewall. Which of the following configurations must be included in the certificate profile to achieve this goal?
• Set the certificate profile to accept any certificate issued by any CA to maximize compatibility.
• Add the firewall's self-signed root certificate to the certificate profile.
• Enable "Allow Expired Certificates" to prevent connection failures when certificates are near expiration.
• Include the trusted CA chain (root and intermediate certificates) in the certificate profile.

A security engineer is tasked with configuring a Log Collector Group to aggregate logs from multiple Palo Alto Networks firewalls. The engineer wants to ensure efficient log retrieval and redundancy. Which of the following statements about Log Collector Groups in PAN-OS is correct?
• A Log Collector must be added to Panorama before being added to a Log Collector Group.
• Log Collector Groups are optional, and individual Log Collectors work independently without grouping.
• A single firewall can be assigned to multiple Log Collector Groups for increased redundancy.
• Log Collector Groups distribute logs among all assigned Log Collectors based on a defined log distribution policy.

A network engineer is configuring SSL decryption on a Palo Alto Networks Next-Generation Firewall running PAN-OS. The engineer needs to install a certificate that allows the firewall to decrypt outbound SSL traffic and inspect encrypted sessions. Which type of certificate should the engineer use, and how should it be configured?
• A self-signed root certificate should be created on the firewall and installed on all client devices as a trusted certificate authority (CA).
• A self-signed certificate should be installed on the firewall but does not need to be distributed to client devices for SSL decryption to work.
• A domain validation (DV) certificate issued by a public CA should be configured on the firewall for decryption of outbound traffic.
• A wildcard certificate obtained from a public CA should be imported into the firewall and used for SSL decryption.

A firewall administrator is configuring the management interface of a Palo Alto Networks firewall running PAN-OS. The organization requires that management traffic, such as administrative access (HTTPS/SSH), telemetry data, and software updates, be strictly routed through the dedicated management interface. The administrator must also ensure that no data-plane traffic is processed through this interface for security reasons. Which of the following configurations correctly achieves this requirement?
• Enable Management Profile and apply it to the management interface to restrict traffic types.
• Configure an Interface Management Profile and assign it to a data-plane interface to separate management and data traffic.
• Set the Service Route Configuration to use the management interface for all services and ensure the interface has the appropriate security zone assigned.
• Configure Service Route Configuration to use the data-plane interface for management services while keeping the management interface for CLI and UI access.

An administrator wants to enable the PAN-OS integrated web proxy to allow internal users to access the internet using explicit proxy settings in their browsers. Which of the following is a mandatory requirement to successfully configure this feature on the firewall?
• A Layer 3 interface must be enabled with the Proxy feature and have a certificate profile assigned for SSL decryption.
• The firewall must have a valid GlobalProtect configuration.
• An SSL Forward Proxy Decryption policy must be applied to outbound traffic only.
• A loopback interface must be configured with an external public IP address.

A network administrator is deploying a Palo Alto Networks firewall in virtual wire mode between the Internet gateway and the internal network. They need to ensure that all traffic is inspected and that appropriate security policies are enforced. Which configuration step is required for virtual wire mode to function correctly?
• Enable Layer 3 routing on the virtual wire interface to allow packet forwarding.
• Assign the virtual wire interface to a single security zone to allow traffic flow.
• Define security policies based on source and destination zones assigned to the virtual wire interfaces.
• Configure OSPF or BGP on the virtual wire interface to support dynamic routing.

A security engineer needs to configure mutual authentication using certificates for client authentication on a Palo Alto Networks firewall. The organization requires the firewall to authenticate users based on valid client certificates before allowing access to internal resources. What is a necessary step to configure mutual authentication using certificates?
• Enable certificate authentication under Device > High Availability > Authentication Settings.
• Configure an LDAP Authentication Profile and enable Certificate Revocation Checking.
• Generate a self-signed certificate on the firewall and distribute it to all client devices.
• Configure a Certificate Profile and associate it with an Authentication Profile.

You have configured a certificate for GlobalProtect on a Palo Alto Networks firewall, but users are receiving warnings that the certificate is untrusted. What is the most likely reason for this issue?
• The certificate is using the SHA-256 algorithm instead of SHA-1.
• The certificate does not have the Server Authentication extended key usage attribute.
• The Root CA certificate has not been imported into the firewall.
• The certificate has a key size of 4096 bits, which is not supported in PAN-OS.

A security administrator is configuring User-ID on a Palo Alto Networks Next-Generation Firewall to map usernames to IP addresses dynamically. Which of the following is a valid method for collecting User-to-IP mapping information?
• Using an external proxy server to translate user sessions into IP addresses without directory integration.
• Relying only on DHCP address leases without integrating with directory services.
• Manually entering user-to-IP mappings in the firewall every time a user logs in.
• Configuring the firewall to query Active Directory domain controllers for security logs.

A security engineer needs to configure a Palo Alto Networks Next-Generation Firewall (NGFW) to forward all system logs to a centralized syslog server for long-term storage and analysis. Which of the following configurations is the most efficient and recommended method to achieve this?
• Configure a log collector group and assign the syslog server to it, then configure the device to forward system logs to the group.
• Configure a log forwarding profile and attach it to each security policy rule.
• Configure each security policy rule to forward system logs directly to the syslog server.
• Configure a dedicated virtual router to handle log forwarding and assign the syslog server to it.

A network engineer is configuring a virtual router (VR) on a Palo Alto Networks firewall that supports multiple virtual systems (VSYS). The engineer wants to ensure that the firewall can properly route traffic between different networks assigned to the virtual router. Which of the following statements about virtual router configuration in PAN-OS is correct?
• A virtual router automatically learns routes for all interfaces assigned to it, without requiring static or dynamic routing protocols.
• Each virtual system (VSYS) must have its own unique virtual router.
• Each virtual router must be assigned a unique autonomous system (AS) number to enable routing.
• A virtual router can be shared between multiple virtual systems (VSYS) on the same firewall.

An administrator needs to enforce security policies between two Virtual Systems (VSYS1 and VSYS2) on a Palo Alto Networks firewall running PAN-OS. The engineer has configured inter-VSYS routing correctly but notices that traffic is still being denied. What additional step is required to allow traffic between VSYS1 and VSYS2?
• Configure a security policy in each VSYS that explicitly allows traffic between their respective security zones.
• Create a Security Profile and assign it to both VSYS1 and VSYS2, enabling inter-VSYS communication.
• Enable "Allow Inter-VSYS Traffic" under the Global Security Settings to permit unrestricted communication between VSYS instances.
• Assign both VSYS1 and VSYS2 to a Shared Gateway (SG) to bypass security policy enforcement.
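Several of the questions above turn on how traffic logs leave the firewall (a Log Forwarding Profile attached to security rules, a syslog server or Log Collector as the destination). What arrives at the other end is a CSV payload inside a syslog message, and the collector side is where a practitioner usually verifies that forwarding is actually working. The parser below is an added example, not code from the question set or from Palo Alto Networks. Its column positions follow the PAN-OS traffic log syslog field order (a leading FUTURE_USE field, then receive time, serial, type, subtype, and so on); confirm them against the syslog field description for your PAN-OS release. Every log line in SAMPLE_SYSLOG is constructed for this example; the host name, serial number, rule names and addresses are made up.

```python
"""Parse PAN-OS traffic logs as received by a syslog collector and pull out
denied sessions per source and sessions that only ever logged a start record
(the usual sign of a rule logging at session start but not at session end).
Added example; field layout per the PAN-OS traffic log syslog format, sample
lines constructed for illustration."""
import csv
import re
from collections import Counter

# 0-based column of each traffic-log field this example reads.
FIELDS = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
    "src": 7, "dst": 8, "rule": 11, "srcuser": 12, "app": 14, "vsys": 15,
    "from_zone": 16, "to_zone": 17, "log_setting": 20, "session_id": 22,
    "sport": 24, "dport": 25, "proto": 29, "action": 30, "bytes": 31,
    "session_end_reason": 46,
}

# Security-rule actions that mean the session was not allowed through.
DENY_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}

# RFC 3164-style header (PRI, timestamp, host) ahead of the CSV payload.
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<payload>.*)$")

# Constructed sample: one allowed session, three denied/dropped attempts from
# the same host, and one session that only produced a start record.
SAMPLE_SYSLOG = """\
<14>Jan  3 10:15:01 fw1 1,2025/01/03 10:15:01,007051000012345,TRAFFIC,end,2561,2025/01/03 10:15:01,10.1.20.15,93.184.216.34,203.0.113.5,93.184.216.34,allow-web,corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,,10001,1,51234,443,0,0,0x400000,tcp,allow,8421,1200,7221,30,2025/01/03 10:14:50,11,computer-and-internet-info,,7000001,0x0,US,US,,15,15,tcp-fin
<14>Jan  3 10:15:03 fw1 1,2025/01/03 10:15:03,007051000012345,TRAFFIC,end,2561,2025/01/03 10:15:03,10.1.20.99,198.51.100.7,0.0.0.0,0.0.0.0,deny-all,,,unknown-tcp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,,10003,1,40211,4444,0,0,0x0,tcp,deny,60,60,0,1,2025/01/03 10:15:03,0,any,,7000002,0x0,US,US,,1,0,policy-deny
<14>Jan  3 10:15:05 fw1 1,2025/01/03 10:15:05,007051000012345,TRAFFIC,start,2561,2025/01/03 10:15:05,10.1.20.15,93.184.216.34,203.0.113.5,93.184.216.34,allow-web,corp\\alice,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,,10002,1,51240,443,0,0,0x400000,tcp,allow,0,0,0,1,2025/01/03 10:15:05,0,computer-and-internet-info,,7000003,0x0,US,US,,1,0,n/a
<14>Jan  3 10:15:07 fw1 1,2025/01/03 10:15:07,007051000012345,TRAFFIC,drop,2561,2025/01/03 10:15:07,10.1.20.99,198.51.100.7,0.0.0.0,0.0.0.0,block-c2,,,not-applicable,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,,10004,1,40212,8443,0,0,0x0,tcp,drop,60,60,0,1,2025/01/03 10:15:07,0,any,,7000004,0x0,US,US,,1,0,policy-deny
<14>Jan  3 10:15:09 fw1 1,2025/01/03 10:15:09,007051000012345,TRAFFIC,end,2561,2025/01/03 10:15:09,10.1.20.99,198.51.100.7,0.0.0.0,0.0.0.0,deny-all,,,unknown-tcp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,,10005,1,40213,445,0,0,0x0,tcp,deny,60,60,0,1,2025/01/03 10:15:09,0,any,,7000005,0x0,US,US,,1,0,policy-deny
"""


def parse_traffic_logs(text):
    """Return one dict per TRAFFIC line; other log types use a different layout
    and are skipped rather than mis-parsed."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        row = next(csv.reader([m.group("payload")]))  # csv handles quoted fields
        if len(row) <= 3 or row[3] != "TRAFFIC":
            continue
        records.append({name: (row[i] if i < len(row) else "")
                        for name, i in FIELDS.items()})
    return records


def denied_by_source(records):
    """Count sessions a security rule denied, dropped or reset, per source IP."""
    return Counter(r["src"] for r in records if r["action"] in DENY_ACTIONS)


def sessions_without_end(records):
    """(serial, session_id) pairs that logged a start but never an end/drop/deny.
    A rule with 'Log at Session Start' but not 'Log at Session End' shows up
    here with no byte counts or end reason ever recorded."""
    started = {(r["serial"], r["session_id"]) for r in records if r["subtype"] == "start"}
    closed = {(r["serial"], r["session_id"]) for r in records
              if r["subtype"] in ("end", "drop", "deny")}
    return started - closed


if __name__ == "__main__":
    recs = parse_traffic_logs(SAMPLE_SYSLOG)
    print(f"{len(recs)} traffic records")
    for src, n in denied_by_source(recs).most_common():
        print(f"denied from {src}: {n}")
    print("start-only sessions:", sessions_without_end(recs))
```

Feeding real collector output through this will quickly show whether a rule's log forwarding profile is attached (the log_setting column is empty when it is not) and whether denied traffic is being logged at all, which is the point the log-forwarding questions are probing.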
You are configuring Open Shortest Path First (OSPF) on a Palo Alto Networks firewall running PAN-OS. Which of the following statements about OSPF configuration in PAN-OS is correct?
• OSPF operates independently of Virtual Routers and is enabled directly on the firewall interfaces.
• OSPF configuration in PAN-OS requires a dedicated interface type that is different from Ethernet interfaces.
• PAN-OS does not support OSPF as a dynamic routing protocol.
• OSPF requires a Virtual Router to be configured before enabling OSPF on the firewall.

An enterprise with a hybrid cloud setup wants to configure User-ID to apply security policies based on user identities. The security engineer is setting up User-ID for on-premises Active Directory (AD) integration. Which of the following statements about User-ID configuration is TRUE?
• The firewall must be configured to query Windows AD domain controllers using an LDAP profile.
• User-ID is only supported in environments using cloud identity providers (IdPs) such as Okta and Azure AD.
• The User-ID agent must be installed on the firewall for on-premises AD integration.
• User-ID can map IP addresses to usernames using Server Monitoring, Windows Log Forwarding, or Captive Portal.

A network engineer needs to configure log forwarding on a Palo Alto Networks Next-Generation Firewall (NGFW) running PAN-OS. The requirement is to send traffic logs to an external Syslog server for long-term storage while ensuring that security event logs are also forwarded to a SIEM for threat analysis. What is the most appropriate configuration step to meet this requirement?
• Use the CLI command set log-forwarding enable syslog to forward logs directly to external servers.
• Configure Syslog settings under Device > Log Settings and enable logging in the security policy without attaching a Log Forwarding Profile.
• Create a security policy that enables logging at session end and configure the SIEM's IP as the Syslog server.
• Create a Log Forwarding Profile that includes both Traffic and Threat logs, then apply it to the appropriate security policies.

You are configuring security zones on a Palo Alto Networks Next-Generation Firewall. Which of the following statements is true regarding security zones in PAN-OS?
• A security policy rule can allow traffic to flow between two interfaces in the same zone without an explicit rule.
• Security zones must be assigned to at least one physical or virtual interface to be functional.
• A virtual router is required for each security zone to allow inter-zone communication.
• An interface can belong to multiple security zones simultaneously.

You are configuring an Aggregate Ethernet (AE) interface on a Palo Alto Networks Next-Generation Firewall. Which of the following statements is TRUE about Aggregate Ethernet interfaces in PAN-OS?
• AE interfaces can only be configured in Layer 2 mode.
• An AE interface requires at least two physical interfaces to be assigned before it can be activated.
• The AE interface supports LACP but does not support static EtherChannel configuration.
• AE interfaces cannot be used in high availability (HA) configurations.

You are tasked with configuring GlobalProtect on a Palo Alto Networks Next-Generation Firewall to provide secure remote access for users. Which two of the following steps are mandatory when setting up a functional GlobalProtect deployment? (Choose two)
• Enable SSL/TLS decryption on the external interface.
• Assign an IP Pool to the GlobalProtect Gateway.
• Create and configure a GlobalProtect Portal.
• Configure User-ID to authenticate remote users.
• Configure a Security Policy to allow GlobalProtect traffic.

An enterprise wants to configure its Palo Alto Networks Next-Generation Firewall (NGFW) to function as a web proxy for HTTP and HTTPS traffic. Which of the following configurations is required for enabling Explicit Web Proxy on PAN-OS?
• Enable Explicit Web Proxy and define an Explicit Proxy Service rule.
• Create a NAT rule that translates outbound web traffic to a designated proxy IP.
• Enable SSL Forward Proxy decryption without configuring explicit proxy settings.
• Configure a security policy allowing HTTP/HTTPS traffic through the firewall.

A company is transitioning from an on-premises Active Directory-based User-ID setup to the Palo Alto Networks Cloud Identity Engine (CIE) for user context in security policies. Which of the following statements is true regarding Cloud Identity Engine?
• It requires an on-premises firewall to act as a proxy for user authentication.
• It does not support integration with Microsoft Azure Active Directory (Azure AD).
• It enables identity-based security policies without requiring User-ID agents on-premises.
• It is only compatible with on-premises Active Directory and cannot integrate with cloud identity providers.

You are troubleshooting a Border Gateway Protocol (BGP) issue on a Palo Alto Networks firewall running PAN-OS. The firewall is receiving multiple routes to the same destination from different BGP peers. Which BGP attribute is first considered in the path selection process when multiple paths exist?
• Next-Hop IP Address.
• AS-Path Length.
• Community String.
• Local Preference.

An administrator wants to secure web-based management access to the firewall using an SSL/TLS certificate. Which two of the following actions are required? (Choose two)
• Configure a certificate profile for outbound SSL traffic.
• Enable the certificate for SSL Forward Proxy decryption.
• Generate or import an SSL/TLS certificate on the firewall.
• Assign the certificate to the firewall's management interface.
• Assign the certificate to a security policy rule.

An enterprise IT team is responsible for managing hundreds of Palo Alto Networks firewalls deployed across multiple locations. To ensure consistent security policies while still allowing location-specific configurations, they decide to use Panorama's device group feature. Which of the following statements best describes how Panorama applies security policies using device groups and rule hierarchy?
• Pre-rules in Panorama apply only if no conflicting local firewall rules exist.
• Pre-rules set in Panorama take precedence over firewall-specific security rules.
• Post-rules configured in Panorama apply only to firewalls running in Active/Passive HA mode.
• Post-rules created on a local firewall override pre-rules configured in Panorama.

An enterprise security engineer is tasked with deploying Palo Alto Networks VM-Series firewalls in a VMware NSX-T environment. The solution must:
• Enable dynamic policy updates based on VM metadata
• Support automated provisioning for new workloads
• Integrate with NSX-T Distributed Firewall (DFW)
• Ensure high availability and minimal manual intervention
Which deployment approach best meets these requirements?
• Deploy VM-Series manually in each ESXi host and configure NSX-T security groups manually.
• Deploy VM-Series using Panorama with the VM-Series NSX-T Plugin, enabling automatic policy enforcement based on security tags.
• Use vSphere to deploy VM-Series OVF templates manually and configure NSX-T integration later.
• Deploy VM-Series firewalls as standalone VMs in a management cluster and route traffic through them manually.

An engineer is setting up GlobalProtect VPN on a Palo Alto Networks firewall to enable secure remote access. The engineer wants to use a certificate for mutual authentication between the GlobalProtect client and the firewall. Which of the following is the correct approach to configuring certificates for this purpose?
• Import a wildcard certificate and use it for both the GlobalProtect gateway and portal authentication.
• Generate a self-signed certificate on the firewall and configure it as both the client and server certificate for GlobalProtect authentication.
• Use a certificate issued by an internal or external CA, ensuring that the firewall's certificate is trusted by the client, and the client certificate is trusted by the firewall.
• Use an SSL/TLS certificate from a public CA on the firewall, but do not require client certificates for authentication.

You are configuring two Palo Alto Networks firewalls in Active/Active HA mode for a large enterprise data center. Both firewalls must process traffic simultaneously and maintain session state across peers. Which of the following is required to enable symmetric traffic flow and ensure session consistency in this deployment?
• Configure the firewalls in Virtual Wire mode.
• Assign static MAC addresses to all AE interfaces.
• Use floating IP addresses for data interfaces.
• Enable session owner synchronization only.

An administrator is setting up a VPN tunnel between two Palo Alto Networks firewalls. To properly configure the tunnel, which of the following steps is required when setting up a tunnel interface?
• Enable tunnel monitoring to establish a bidirectional VPN tunnel.
• Assign the tunnel interface an IP address if dynamic routing is used.
• Assign the tunnel interface to a virtual wire for packet forwarding.
• Bind the tunnel interface to an IPsec profile for encryption.

A network administrator is tasked with automating security policy creation on a Palo Alto Networks Next-Generation Firewall (NGFW). The administrator wants to use the PAN-OS REST API to create, update, and delete security rules programmatically. Which of the following steps must be taken to successfully authenticate and execute API requests to configure security policies?
• Generate an API key using a user account with the necessary role-based access control (RBAC) permissions.
• Enable HTTP access to the firewall's management interface to facilitate API requests.
• Use the administrator's password in plain text within the API request for authentication.
• Store API keys in publicly accessible repositories to simplify authentication management.

An organization wants to deploy GlobalProtect on their Palo Alto Networks firewall to provide secure remote access for employees. The security team needs to configure a GlobalProtect Gateway on the firewall. Which of the following steps is required to successfully configure a functional GlobalProtect Gateway?
• Enable User-ID on the firewall to authenticate GlobalProtect users before they connect to the Gateway.
• Create a Security Policy Rule that blocks GlobalProtect traffic to prevent unauthorized access.
• Create a GlobalProtect Gateway and specify an SSL/TLS Service Profile for authentication and encryption.
• Configure an External Dynamic List (EDL) to allowlist GlobalProtect client IP addresses.

You are configuring Active/Active High Availability (HA) on two Palo Alto Networks firewalls and need to ensure session synchronization and proper failover behavior. Which configuration step is required for Active/Active HA to function correctly?
• Enable Active/Active Layer 3 forwarding to ensure only one firewall processes traffic at a time.
• Enable a floating virtual MAC address to ensure traffic continuity during failover.
• Assign a HA3 link to synchronize sessions between the two firewalls.
• Configure only one firewall to handle traffic, while the second firewall remains idle until a failover occurs.

A network security engineer is configuring a Security Policy Rule on a Palo Alto Networks Next-Generation Firewall (NGFW) running PAN-OS. The engineer wants to ensure that logs are generated for both allowed and denied traffic to maintain comprehensive visibility. Which of the following configurations will achieve this requirement?
• Enable logging at session start for Allow rules and logging at session end for Deny rules.
• Enable logging at session end for both the Allow and Deny rules in the Security Policy.
• Enable logging at session start and disable logging at session end for all Security Policy rules.
• Logs are always generated for all rules by default, so no additional configuration is needed.

While testing failover in an Active/Passive HA deployment of two Palo Alto firewalls, you observe that the failover takes longer than expected and results in loss of session persistence. Which of the following misconfigurations would most likely cause this issue?
• HA2 link is down or not properly configured between the peers.
• Device priorities are set equally on both firewalls.
• HA1 backup is used instead of the primary HA1 interface for control plane sync.
• Passive firewall is missing an interface for HA3 data link.

An organization with multiple Palo Alto Networks firewalls wants to centralize log storage and management using Dedicated Log Collectors. The administrator needs to ensure that log collection is efficient and scalable across all firewalls. What is the correct way to configure log collection using Log Collectors in PAN-OS?
• Enable log forwarding in the security policies of each firewall without specifying a Log Collector.
• Manually download logs from each firewall and upload them to the Log Collector for centralized storage.
• Assign each firewall a unique logging disk quota, so it can send logs to different Log Collectors dynamically.
• Configure each firewall to forward logs to a Log Collector by specifying its IP address in the Logging Settings.

A company is deploying multiple Palo Alto Networks NGFW instances across a multi-cloud environment. The network operations team wants to use Infrastructure-as-Code (IaC) tools such as Terraform and Ansible to ensure consistent and scalable deployment.
Which approach is the most effective way to deploy and configure multiple Palo Alto NGFWs using Terraform and Ansible?. • Use Ansible to create cloud firewall instances and Terraform to push configuration updates. • Use Terraform to provision firewall instances in cloud environments and Ansible to configure security policies dynamically. • Use Terraform only, as it supports both firewall provisioning and configuration without requiring Ansible. • Manually deploy the firewalls and use Ansible to automate only system updates and patches. A security team is automating Palo Alto Networks firewall management using the Panorama API in an on-premises environment. They need to automate policy updates while ensuring security and consistency. Which two actions should they take? (Choose two. • Configure Syslog forwarding on Panorama to automate configuration changes. • Use REST API calls to retrieve, modify, and push security policies from Panorama. • Set up Scheduled Push Jobs in Panorama to deploy updates to managed firewalls. • Leverage Panorama XML API to programmatically create and modify security rules. • Enable SNMP Traps to trigger automatic policy updates when a network change occurs. A security team is automating Palo Alto Networks firewall management using the Panorama API in an on-premises environment. They need to automate policy updates while ensuring security and consistency. Which two actions should they take? (Choose two. • Configure Syslog forwarding on Panorama to automate configuration changes. • Use REST API calls to retrieve, modify, and push security policies from Panorama. • Set up Scheduled Push Jobs in Panorama to deploy updates to managed firewalls. • Leverage Panorama XML API to programmatically create and modify security rules. • Enable SNMP Traps to trigger automatic policy updates when a network change occurs. An administrator is configuring security zones on a Palo Alto Networks firewall that has two virtual systems (VSYS1 and VSYS2). 
The administrator wants to ensure traffic can flow between zones in the same VSYS but remain isolated between SYS instances: What is the correct approach?. • The same security zone name in both VSYS instances will allow traffic to flow between them automatically. • Inter-VSYS routing must be enabled to allow communication between zones in different VSYS instances. • Security zones are only relevant in Layer 3 mode and do not apply to Layer 2 or virtual wire interfaces. • Each VSYS has its own security zones, and traffic cannot pass between VSYS instances by default. |
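Added example for the Panorama device-group question above (this is illustrative code written for this page, not anything from the exam or from Palo Alto Networks). It models the order in which a Panorama-managed firewall evaluates its rulebase: Panorama pre-rules first, then locally defined rules, then Panorama post-rules, then the implicit intrazone-default (allow) and interzone-default (deny) rules, first match wins. The zone, application and rule names are constructed for the demonstration, and the matcher deliberately looks only at source zone, destination zone and application. The `shadowed_rules` helper goes slightly beyond the question: it reports rules that can never match because an earlier rule already covers all of their traffic, which is why mandatory denies belong in pre-rules rather than post-rules.

```python
"""Panorama rule hierarchy as a first-match evaluator (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str      # zone name or "any"
    to_zone: str        # zone name or "any"
    application: str    # App-ID name or "any"
    action: str         # "allow" or "deny"
    origin: str         # "panorama-pre", "local", "panorama-post", "default"


# Implicit rules PAN-OS appends to the bottom of every rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", "any", "any", "any", "allow", "default"),
    Rule("interzone-default", "any", "any", "any", "deny", "default"),
]

# Constructed sample rulebases (assumption: illustrative names and zones).
PRE = [Rule("block-tor", "trust", "untrust", "tor", "deny", "panorama-pre")]
LOCAL = [Rule("branch-allow-all", "trust", "untrust", "any", "allow", "local")]
POST = [Rule("deny-all-outbound", "trust", "untrust", "any", "deny", "panorama-post")]


def effective_rulebase(pre, local, post):
    """Evaluation order on a Panorama-managed firewall."""
    return list(pre) + list(local) + list(post) + DEFAULT_RULES


def _field_matches(pattern, value):
    return pattern == "any" or pattern == value


def matches(rule, from_zone, to_zone, app):
    # intrazone-default only applies when source and destination zone coincide.
    if rule.name == "intrazone-default" and from_zone != to_zone:
        return False
    return (_field_matches(rule.from_zone, from_zone)
            and _field_matches(rule.to_zone, to_zone)
            and _field_matches(rule.application, app))


def evaluate(rulebase, from_zone, to_zone, app):
    """Return the first matching rule; later rules are never consulted."""
    for rule in rulebase:
        if matches(rule, from_zone, to_zone, app):
            return rule
    raise RuntimeError("interzone-default should always match")


def covers(earlier, later):
    """True if every flow `later` could match is already caught by `earlier`."""
    for e, l in ((earlier.from_zone, later.from_zone),
                 (earlier.to_zone, later.to_zone),
                 (earlier.application, later.application)):
        if e != "any" and e != l:
            return False
    return True


def shadowed_rules(rulebase):
    """(shadowed, shadowing) pairs for non-default rules that can never match."""
    found = []
    for i, later in enumerate(rulebase):
        if later.origin == "default":
            continue
        for earlier in rulebase[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


if __name__ == "__main__":
    rb = effective_rulebase(PRE, LOCAL, POST)
    for flow in [("trust", "untrust", "tor"), ("trust", "untrust", "web-browsing"),
                 ("dmz", "untrust", "ssh"), ("trust", "trust", "smb")]:
        hit = evaluate(rb, *flow)
        print(f"{flow}: {hit.action} by {hit.name} ({hit.origin})")
    print("shadowed:", shadowed_rules(rb))
```

Running it shows the pre-rule `block-tor` denying Tor even though the local rule allows everything outbound, the local allow taking effect before the Panorama post-rule, and `deny-all-outbound` reported as fully shadowed by the local rule.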
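Added example serving two of the questions above, the PAN-OS REST API question and the Panorama API question (written for this page; it is not Palo Alto Networks code and not an official SDK). It shows the authentication and request shapes those questions turn on: an API key obtained from the XML API `keygen` call for a dedicated admin whose admin role is limited to API access, sent in the `X-PAN-KEY` header rather than as a `key=` query parameter, always over HTTPS, with the rule body in the REST API's JSON schema and logging at session end switched on so both allowed and denied flows are recorded. The transport is injected so the flow runs offline; the hostnames, admin account, device group, rule names and the canned keygen reply are constructed placeholders, and the JSON entry schema should be checked against the REST API reference for the PAN-OS release in use.

```python
"""Minimal PAN-OS / Panorama API request builder (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

REST_VERSION = "v10.2"  # must match the PAN-OS/Panorama release on the target

# Constructed sample reply, mirroring the documented keygen response shape.
SAMPLE_KEYGEN_XML = (
    '<response status="success"><result>'
    "<key>LUFRPT1EXAMPLEKEY==</key></result></response>"
)


def keygen_request(host, user, password):
    """XML API key generation. POST keeps the password out of the URL,
    which would otherwise land in proxy and web-server access logs."""
    return {
        "method": "POST",
        "url": f"https://{host}/api/",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"type": "keygen", "user": user, "password": password}),
    }


def parse_keygen_response(xml_text):
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: " + xml_text)
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply carried no key")
    return key


def rule_url(host, location, name=None, **scope):
    """Firewall rules: Policies/SecurityRules with location=vsys.
    Panorama device-group rules: Policies/SecurityPreRules or
    Policies/SecurityPostRules with location=device-group."""
    if location == "vsys":
        path = "Policies/SecurityRules"
        params = {"location": "vsys", "vsys": scope["vsys"]}
    elif location == "device-group":
        path = {"pre": "Policies/SecurityPreRules",
                "post": "Policies/SecurityPostRules"}[scope.get("rulebase", "pre")]
        params = {"location": "device-group", "device-group": scope["device_group"]}
    else:
        raise ValueError("unsupported location: " + location)
    if name:
        params["name"] = name
    return f"https://{host}/restapi/{REST_VERSION}/{path}?{urlencode(params)}"


def security_rule_entry(name, from_zone, to_zone, apps, action="allow"):
    """One rule in the REST API JSON schema; log-end on for every rule."""
    return {
        "@name": name,
        "from": {"member": [from_zone]},
        "to": {"member": [to_zone]},
        "source": {"member": ["any"]},
        "destination": {"member": ["any"]},
        "source-user": {"member": ["any"]},
        "category": {"member": ["any"]},
        "application": {"member": list(apps)},
        "service": {"member": ["application-default"]},
        "action": action,
        "log-start": "no",
        "log-end": "yes",
    }


def rule_request(method, host, api_key, location, entry=None, name=None, **scope):
    """Build POST (create), PUT (replace) or DELETE for a single rule.
    The API key rides in X-PAN-KEY, never in the query string."""
    if name is None:
        name = entry["@name"]
    req = {"method": method,
           "url": rule_url(host, location, name, **scope),
           "headers": {"X-PAN-KEY": api_key}}
    if method in ("POST", "PUT"):
        req["headers"]["Content-Type"] = "application/json"
        req["body"] = json.dumps({"entry": [entry]})
    return req


def fake_transport(log):
    """Offline stand-in for an HTTPS client: records requests, answers keygen."""
    def send(req):
        log.append(req)
        if req["url"].endswith("/api/"):
            return SAMPLE_KEYGEN_XML
        return '{"@status": "success", "@code": "20", "msg": "command succeeded"}'
    return send


def push_rule(host, user, password, send, location, entry, **scope):
    """Authenticate once, create the rule, and return the key for reuse.
    Commit is a separate step (not shown) and is needed before the rule applies."""
    key = parse_keygen_response(send(keygen_request(host, user, password)))
    send(rule_request("POST", host, key, location, entry=entry, **scope))
    return key


if __name__ == "__main__":
    sent = []
    entry = security_rule_entry("allow-web", "trust", "untrust", ["web-browsing", "ssl"])
    key = push_rule("fw.example.test", "api-admin", "changeme", fake_transport(sent),
                    "vsys", entry, vsys="vsys1")
    print("key:", key[:6] + "...", "| requests:", [(r["method"], r["url"]) for r in sent])
```

With a real transport the same builders work unchanged against a firewall (`location="vsys"`) or Panorama (`location="device-group"`), and the credentials would come from a secrets store rather than literals; the key is scoped by the admin role attached to the account that generated it, so a role restricted to the REST and XML APIs keeps a leaked key from being usable for interactive management.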




