Question # 1
Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)
A. Server certificate
B. SSL/TLS Service Profile
C. Certificate Profile
D. CA certificate
Reveal Answer
C. Certificate Profile
D. CA certificate
Explanation:
To authenticate administrators to the web interface with client certificates, the firewall needs a way to validate the certificate the browser presents and a way to turn that certificate into an administrator username. Those are the two required components:
✅ C. Certificate Profile
Defines how the firewall validates the presented client certificate: which CA certificate(s) it must chain to, whether revocation is checked via CRL or OCSP, and which certificate field (Subject or Subject Alt Name) supplies the username. It is created under Device > Certificate Management > Certificate Profile and then selected under Device > Setup > Management > Authentication Settings.
✅ D. CA Certificate
The root or intermediate certificate that signed the administrators' client certificates. It is generated on the firewall or imported under Device > Certificate Management > Certificates and referenced from the certificate profile; without it the firewall cannot build a chain of trust for the client certificate. The username extracted from the certificate must match a configured administrator account.
❌ Why Other Options Are Incorrect:
A. Server Certificate Secures the HTTPS session to the web interface (the firewall ships with a default one). It identifies the firewall to the browser, not the administrator to the firewall.
B. SSL/TLS Service Profile Binds a server certificate and a TLS version range to the management interface. It is required for HTTPS access but takes no part in validating client certificates.
Caveat: once certificate-based authentication is enabled for the web interface it applies to every administrator, so issue client certificates to all admins (and keep console or SSH access available) before committing the change.
🔗 References:
Palo Alto Networks TechDocs: Configure Certificate-Based Administrator Authentication to the Web Interface
Pass4Success PCNSE Discussion: Certificate-Based Authentication Requirements
Question # 2
An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
A. Data Patterns within Objects > Custom Objects
B. Custom Log Format within Device > Server Profiles > Syslog
C. Built-in Actions within Objects > Log Forwarding Profile
D. Logging and Reporting Settings within Device > Setup > Management
Reveal Answer
B. Custom Log Format within Device > Server Profiles > Syslog
Explanation:
The question asks where to define additional information to be included in each forwarded log. That is exactly the purpose of the Custom Log Format.
Here’s the breakdown:
1.Location: Device > Server Profiles > Syslog. A syslog server profile defines where logs are sent (server address, transport, port and facility).
2.Feature: each syslog server profile has a Custom Log Format tab with one template per log type (Traffic, Threat, URL, HIP Match and so on).
3.Function: the template is free text in which $variables stand for log fields. Fields can be added, removed and reordered, literal text and delimiters can be inserted between them, and an Escaping section specifies which characters to escape and the escape character, so that field values do not break the delimiter the syslog server expects.
Fields that the default format omits (for example application category or source and destination VM names) can be added alongside standard ones such as action and rule name.
This provides the flexibility to include the exact "additional information" requested by the audit team.
Steps to Configure:
Navigate to Device > Server Profiles > Syslog.
Edit an existing profile or create a new one.
Click the "Custom Log Format" toggle to enable it.
Use the drop-down menus to add the desired fields to the log format template.
Detailed Analysis of the Other Options:
A. Data Patterns within Objects > Custom Objects
Why it's wrong: Data Patterns are used to define custom strings of data (like credit card numbers or employee IDs) for use in Data Filtering profiles to detect and prevent data exfiltration. They are not used to modify the structure or content of log messages sent to syslog.
C. Built-in Actions within Objects > Log Forwarding Profile
Why it's wrong: Log Forwarding profiles (Objects > Log Forwarding) select which logs, by log type and filter, are sent to which server profiles, and are attached to security rules. Their Built-in Actions tag the source or destination address of a matching log entry so that it can be used in a dynamic address group. Neither setting changes the content or format of the forwarded message.
D. Logging and Reporting Settings within Device > Setup > Management
Why it's wrong: this section governs firewall-wide logging parameters, such as:
The storage quota and retention period for each log type.
Log export and report settings.
It does not contain any settings for customizing the content or format of individual log messages forwarded to a syslog server.
Reference & Key Takeaway:
Core Concept: Understanding the difference between where to send logs (the server profile) and what to send (the log format). The Custom Log Format feature gives you granular control over the "what".
Use Case: This is essential for integration with third-party SIEM systems that may require a specific log format or need additional contextual fields for correlation and analysis.
Syntax: The custom format uses variables like $action, $rule, etc., to represent the data fields in the log message.
Question # 3
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
A. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non-SYN TCP" to No, set "Asymmetric Path" to Bypass
B. > set session tcp-reject-non-syn no
C. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non-SYN TCP" to Global, set "Asymmetric Path" to Global
D. # set deviceconfig setting session tcp-reject-non-syn no
Reveal Answer
A. Navigate to Network > Zone Protection, click Add, select Packet Based Attack Protection > TCP/IP Drop, set "Reject Non-SYN TCP" to No, set "Asymmetric Path" to Bypass
D. # set deviceconfig setting session tcp-reject-non-syn no
Explanation:
Palo Alto Networks firewalls are stateful. By default a new TCP session is created only when the first packet seen for a flow is a SYN (Device > Setup > Session > Session Settings > Reject Non-SYN TCP, enabled by default), and once a session exists the firewall checks sequence and ACK numbers against the TCP window it has tracked. With asymmetric routing the firewall may see only one direction of a flow: for example the server's SYN-ACK and data, but never the client's SYN that left through another path. Those packets match no session and are not SYNs, so they are dropped; the global counter flow_tcp_non_syn_drop increments for each one, and a packet capture on the drop stage shows them. Even when the session does get created, one-sided visibility produces out-of-window sequence numbers and unexpected ACKs that the TCP checks drop as well.
Two persistent fixes exist, and the question asks for the permanent ones:
1.Per zone (option A): edit the Zone Protection profile applied to the affected zones (the full path is Network > Network Profiles > Zone Protection), open Packet Based Attack Protection > TCP Drop, set Reject Non-SYN TCP to No and Asymmetric Path to Bypass. The first allows a session to be created from a non-SYN packet; the second stops the drops caused by out-of-window sequence numbers and out-of-sync ACKs. The profile is part of the committed configuration, survives reboots, and limits the relaxation to the zones that need it.
2.Globally (option D): in configuration mode run set deviceconfig setting session tcp-reject-non-syn no and commit. This is the CLI equivalent of clearing Reject Non-SYN TCP under Device > Setup > Session; it is persistent but affects every TCP session on the firewall.
❌ Why the Other Options are Incorrect
B: > set session tcp-reject-non-syn no is the operational-mode form of the same setting. It takes effect immediately without a commit, which makes it convenient for confirming the diagnosis, but it is not written to the configuration and does not survive a reboot, so it does not allow the traffic permanently.
C: leaving both Zone Protection fields at Global simply inherits the firewall-wide settings. With the default global setting still rejecting non-SYN TCP, nothing is relaxed for the zone.
📚 Reference
This topic falls under the Troubleshooting domain of the PCNSE exam. The PAN-OS documentation on Session Settings, Zone Protection profiles (Packet Based Attack Protection) and the knowledge base article on allowing non-SYN TCP traffic cover this configuration, including the distinction between the operational and configuration forms of the command.
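To make the default behaviour concrete, here is an added toy model in Python (not PAN-OS code and not from the original page) of the session-setup check. It replays a constructed flow in which the client's SYN never passed through this firewall, first with the default Reject Non-SYN TCP behaviour and then with tcp-reject-non-syn set to no. The counter name flow_tcp_non_syn_drop is the real PAN-OS global counter; everything else (the session table, the packet structure) is a simplification that ignores the TCP window checks the Asymmetric Path setting relaxes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def flow_key(pkt):
    """Sessions are bidirectional: both directions map to one key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class SessionTable:
    """Toy model of the firewall's TCP session-setup check.

    reject_non_syn=True mirrors the PAN-OS default (Reject Non-SYN TCP = yes):
    a TCP packet that matches no session and is not a pure SYN is dropped.
    reject_non_syn=False mirrors 'tcp-reject-non-syn no': a session is created
    from whatever packet of the flow arrives first.
    """

    def __init__(self, reject_non_syn=True):
        self.reject_non_syn = reject_non_syn
        self.sessions = {}
        self.counters = {"flow_tcp_non_syn_drop": 0, "sessions_created": 0}

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.sessions:
            return "forward"
        is_syn = pkt.flags == frozenset({"SYN"})  # SYN-ACK does not count
        if is_syn or not self.reject_non_syn:
            self.sessions[key] = "active"
            self.counters["sessions_created"] += 1
            return "forward"
        self.counters["flow_tcp_non_syn_drop"] += 1
        return "drop"


# Constructed asymmetric flow: the client's SYN left via another path, so the
# only packets this firewall sees are the server's reply and later data.
ASYMMETRIC_FLOW = [
    Packet("203.0.113.10", "10.1.1.20", 443, 51000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.10", "10.1.1.20", 443, 51000, frozenset({"ACK"})),
    Packet("10.1.1.20", "203.0.113.10", 51000, 443, frozenset({"ACK"})),
]

# Constructed symmetric flow for comparison: the SYN is seen first.
SYMMETRIC_FLOW = [
    Packet("10.1.1.20", "203.0.113.10", 51000, 443, frozenset({"SYN"})),
    Packet("203.0.113.10", "10.1.1.20", 443, 51000, frozenset({"SYN", "ACK"})),
    Packet("10.1.1.20", "203.0.113.10", 51000, 443, frozenset({"ACK"})),
]


def run(packets, reject_non_syn):
    """Replay packets through a fresh session table; return verdicts and counters."""
    table = SessionTable(reject_non_syn)
    verdicts = [table.process(p) for p in packets]
    return verdicts, table.counters


if __name__ == "__main__":
    for name, flow in (("asymmetric", ASYMMETRIC_FLOW), ("symmetric", SYMMETRIC_FLOW)):
        for setting in (True, False):
            print(name, "reject_non_syn=%s" % setting, run(flow, setting))
```

With the default setting every packet of the asymmetric flow is dropped and the counter climbs, which is what the real firewall shows in show counter global; with the setting relaxed the first packet creates the session and the rest are forwarded. The symmetric flow is unaffected either way, which is why the per-zone profile is the better scope when only some zones see asymmetric paths.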
Question # 4
An administrator needs to identify which NAT policy is being used for internet traffic. From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?
A. Click Session Browser and review the session details.
B. Click Traffic view and review the information in the detailed log view.
C. Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
D. Click App Scope > Network Monitor and filter the report for NAT rules.
Reveal Answer
A. Click Session Browser and review the session details.
Explanation:
The Session Browser is the most direct and real-time tool within the GUI to inspect active traffic flows and see exactly which policies are applied to them, including the NAT policy.
Here’s how to do it:
Navigate to the Monitor tab.
Click Session Browser.
Locate the session for the internet traffic in question. You can use filters (source/destination IP, port, etc.) to find it quickly.
Select the session and click on the tiny, right-facing arrow on the left side of the entry to expand it and view the Session Details.
In the detailed view, look for the NAT Policy field. This field will explicitly show the name of the NAT policy that was applied to this session.
This method provides a live, precise view of the policy applied to an active flow.
Detailed Analysis of the Other Options:
B. Click Traffic view and review the information in the detailed log view.
Why it's wrong: The traffic log is written when the session ends (or at session start if the rule logs that), so it is historical rather than live. Its detailed view shows the translated addresses and ports (NAT Source IP/Port, NAT Destination IP/Port) but not the name of the NAT rule that produced them; the rule shown in the log is the security rule.
C. Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
Why it's wrong: Adding the NAT columns shows what the flow was translated to, which lets you infer the rule that matched, but it has the same drawback as option B: it is not real time and still does not name the NAT rule. Only the Session Browser (and the CLI session detail) names the NAT rule applied to the flow.
D. Click App Scope > Network Monitor and filter the report for NAT rules.
Why it's wrong: App Scope is a reporting and analytics tool for understanding application and network usage trends over time. It is not designed for the granular task of identifying which specific NAT policy is being applied to a single, specific traffic flow. You cannot "filter for NAT rules" in a way that shows the policy name applied to a session.
PCNSE Exam Reference & Key Takeaway:
Core Concept: Knowing the right tool for the job within the Monitor tab.
Session Browser: For real-time inspection of active sessions (policies applied, NAT details, bytes transferred).
Traffic Logs: For historical analysis of ended sessions.
App Scope: For high-level trend reporting and usage analysis.
Troubleshooting: The Session Browser is the first place to go when you need to verify why a live traffic flow is behaving a certain way (e.g., Is the right NAT policy applied? Is the traffic hitting the expected security rule?).
CLI Equivalent: show session all filter source <ip> destination <ip> lists the matching active sessions with their IDs, and show session id <id> prints the session detail, which names the NAT rule applied to the session along with the security rule.
Question # 5
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.
What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application
Reveal Answer
D. Disable ALG under SIP application
Explanation:
Why Disable SIP ALG?
1.The Problem:
The firewall is rewriting the SIP signaling payload (the Via and Contact headers and the SDP c= and m= lines that carry the phone's address and media ports) to the NAT address, and opening dynamic pinholes for the negotiated RTP/RTCP ports.
That is exactly what an ALG is designed to do, but when the endpoints or a session border controller already handle NAT traversal (STUN/ICE, or an SBC that expects the original addresses), the second rewrite produces mismatched addresses, one-way audio or failed registrations.
2.The Cause:
The SIP ALG (Application Layer Gateway) is enabled by default on PAN-OS.
3.The Fix:
Disabling the ALG for the sip application stops the firewall from:
Altering the SIP payload (the IP/UDP headers are still translated by the NAT rule as usual).
Opening dynamic pinholes for the RTP/RTCP media streams.
App-ID and threat inspection of the signaling are unaffected.
Steps to Disable SIP ALG:
Navigate to Objects > Applications and search for sip.
Click the application name; under Options select Disable ALG, click OK and Commit.
Why Not Other Options?
A. The H.323 ALG applies only to H.323 calls; the traffic described is SIP.
B/C. Timeout adjustments affect how long idle sessions are kept; they do not stop the payload rewrite or the pinholes.
Additional VoIP Best Practices:
With the ALG off, something else must make the media ports reachable: either the endpoints or SBC handle traversal and a security rule permits the RTP/RTCP range, or static (1:1) NAT is used for the PBX/SBC so that the addresses in the signaling are predictable.
Keep security profiles on the VoIP rules; disabling the ALG does not disable inspection.
Reference:
Palo Alto VoIP Troubleshooting Guide:
"Disable SIP ALG when endpoints handle NAT traversal independently (e.g., via STUN/ICE)."
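The following is an added example in Python, not code from the original page or from Palo Alto Networks: a small model of what a SIP ALG does to an INVITE crossing a source NAT, beside the same packet with the ALG disabled. The INVITE and the addresses are constructed, and the rewrite rules (replace the private address in Via, Contact, o= and c=; open RTP and RTCP pinholes from each m= line) are a generic description of ALG behaviour, not PAN-OS's implementation.

```python
import re

# Constructed SIP INVITE from a phone behind NAT (10.1.5.20) to a provider.
# The SDP body carries the phone's private address and its chosen RTP port.
INVITE = "\r\n".join([
    "INVITE sip:bob@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.5.20:5060;branch=z9hG4bK776",
    "Contact: <sip:alice@10.1.5.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.1.5.20",
    "c=IN IP4 10.1.5.20",
    "m=audio 49170 RTP/AVP 0 8",
    "",
])

# Headers and SDP lines in which an ALG rewrites the endpoint's address.
_ADDRESS_LINES = ("Via:", "Contact:", "o=", "c=")
_MEDIA = re.compile(r"m=(\w+) (\d+) ")


def sip_alg(payload, private_ip, public_ip, alg_enabled=True):
    """Model of a SIP ALG on source NAT.

    Returns (payload_as_forwarded, pinholes). With the ALG on, the private
    address in Via/Contact/o=/c= is replaced by the NAT address and the media
    port of each m= line plus the RTCP port (port + 1) are opened as dynamic
    pinholes. With the ALG off, the payload is forwarded untouched and no
    pinholes are opened; NAT traversal is left to the endpoints or SBC.
    """
    if not alg_enabled:
        return payload, []
    rewritten, pinholes = [], []
    for line in payload.split("\r\n"):
        if line.startswith(_ADDRESS_LINES):
            line = line.replace(private_ip, public_ip)
        match = _MEDIA.match(line)
        if match:
            port = int(match.group(2))
            pinholes.append((public_ip, port, "udp"))      # RTP
            pinholes.append((public_ip, port + 1, "udp"))  # RTCP
        rewritten.append(line)
    return "\r\n".join(rewritten), pinholes


def sdp_connection_address(payload):
    """Address the far end will send media to, taken from the SDP c= line."""
    match = re.search(r"^c=IN IP4 ([0-9.]+)", payload, re.M)
    return match.group(1) if match else None


if __name__ == "__main__":
    for enabled in (True, False):
        out, holes = sip_alg(INVITE, "10.1.5.20", "198.51.100.7", enabled)
        print("ALG enabled:", enabled)
        print("  media address seen by far end:", sdp_connection_address(out))
        print("  pinholes opened:", holes)
```

Run both ways, the model shows the two behaviours the question describes (payload NAT and dynamic pinholes) appearing only with the ALG enabled. When a phone or SBC has already placed a reachable address in the SDP, the untouched payload is the correct one, which is why disabling the ALG fixes the call.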
Question # 6
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.
Which action is the most operationally efficient for the security engineer to find and implement the exception?
A. Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.
B. Open a support case.
C. Review traffic logs to add the exception from there.
D. Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.
Reveal Answer
D. Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.
Explanation:
By default the Exceptions tab of a Vulnerability Protection profile lists only the signatures that already have an exception configured, so a Threat ID that has never been excepted does not appear there. Selecting 'Show all signatures' lists every signature in the installed content; the engineer can then filter on the Threat ID, set its action (for example to alert while the false positive is reported) or exempt specific IP addresses, and commit.
This step allows the engineer to:
Quickly locate the Threat ID
Add an exception without needing CLI or support intervention
Avoid service disruption caused by false positives
This is a GUI-based solution that requires no downtime and is the fastest path to resolution.
❌ Why Other Options Are Incorrect:
A. Review high severity system logs The system log records content updates and commits, not why a signature is absent from a profile view; the signature is not missing, it is merely filtered out of the default view.
B. Open a support case Time-consuming and unnecessary for a known UI behavior. Only warranted if the Threat ID is genuinely absent from the installed content version.
C. Review traffic logs to add the exception from there Traffic logs do not carry Threat IDs at all; the event is in the Threat log. The Threat log does offer a shortcut (click the threat name, then the Exceptions tab) for adding an exception to a profile, but that is a different path from the one the option describes, and the profile's own Exceptions tab with 'Show all signatures' is the direct one.
References:
Palo Alto Networks KB: Missing Threat ID in Vulnerability Protection Profile
Marks4Sure PCNSE Practice: Threat Exception Efficiency
Question # 7
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What must the administrator do to correct this issue?
A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template
Reveal Answer
C. Add the template as a reference template in the device group
Explanation:
In Panorama, the zone list in the policy editor for a device group is built from the templates Panorama can associate with that device group: normally the templates or template stacks assigned to the firewalls that are members of the device group. If the device group has no member firewalls yet, or the template that defines the zone is not assigned to any of them, Panorama has no zone definitions to draw on and the zone never appears in the drop-down.
To fix this:
Open Panorama > Device Groups, edit the device group, and add the template (or template stack) that defines the zone under Reference Templates.
Panorama then reads the zone definitions from the referenced template and lists them in the Source and Destination zone pickers, without requiring any firewall to be assigned to the device group.
❌ Why Other Options Are Incorrect:
A. Specify the target device as the master device in the device group The master device is the firewall from which Panorama pulls User-ID user and group information for building policy; it does not contribute zones.
B. Enable "Share Unused Address and Service Objects with Devices" This controls whether address and service objects not referenced by any rule are pushed to firewalls; it has no effect on zone visibility.
D. Add a firewall to both the device group and the template This also makes the zones appear, because Panorama resolves zones through the member firewalls' assigned templates, but it requires a firewall to be available and assigned first. Reference templates exist precisely so that policies can be written before any device is in the device group.
🔗 References:
Exam4Training PCNSE Question
Palo Alto Networks KB: New Zone Not Visible in Panorama
How to Pass PCNSE Exam?
PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
Official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice tests help you identify areas that need improvement and familiarize you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.