Your Path to PCNSE Certification Success

Practice makes perfect, and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors

1 PCNSE Exam

250+ Questions With Answers

250 Students Passed

5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto certified network security engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto certified network security engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

Which three authentication types can be used to authenticate users? (Choose three.)
A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service


A. Local database authentication
C. Kerberos single sign-on
E. Cloud authentication service
Explanation:

Why These Options?
1. Local Database Authentication (A):
The firewall stores usernames/passwords locally (Device > Administrators).
Used for admin login or captive portal authentication.

2. Kerberos Single Sign-On (C):
Integrates with Active Directory for seamless authentication (e.g., for User-ID or captive portal).
Users are automatically authenticated via their domain credentials.

3. Cloud Authentication Service (E):
Supports SAML, OAuth, or LDAP via cloud providers (e.g., Azure AD, Okta).
Used for GlobalProtect, admin login, or captive portal.

Why Not Others?
B. PingID
This is a specific MFA product, not a general authentication type (it would fall under cloud authentication).
D. GlobalProtect Client
This is a VPN client, not an authentication method (it uses other methods like SAML or local DB).

Reference:
Palo Alto Authentication Guide:
"Local, Kerberos, and cloud authentication are core methods for user verification."




Question # 2

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?
A. It automatically pushes the configuration to Panorama after strengthening the overall security posture
B. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama
C. The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment
D. The AIOps plugin in Panorama retroactively checks the policy changes during the commits


B. It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama
Explanation:
The AIOps Plugin for Panorama is designed to proactively validate firewall and Panorama configuration changes against Palo Alto Networks best practices before they are committed. This helps administrators:
Avoid misconfigurations that could weaken security.
Get real-time feedback and recommendations during the commit process.
Strengthen overall security posture by enforcing Best Practice Assessment (BPA) guidelines at the time of configuration changes.

❌ Why other options are incorrect:
A. Incorrect
→ The plugin does not auto-push configurations; administrators still control commits.
C. Incorrect
→ It does not auto-correct failed BPA rules; it only provides advisory recommendations.
D. Incorrect
→ It checks before and during commit, not just retroactively after commits.

📖 Reference:
Palo Alto Networks – AIOps for NGFW Overview
AIOps Plugin for Panorama proactively enforces best practices by validating new commits and providing recommendations before pushing configurations.




Question # 3

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
A. Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
B. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
C. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange
D. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory


D. Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
Explanation:
When deploying User-ID through server monitoring, Palo Alto Networks supports monitoring login events from several directory service platforms to map users to IP addresses. The supported platforms include:

Microsoft Active Directory (AD):
The most common source for User-ID mapping. The firewall or User-ID agent monitors security event logs on domain controllers to capture login events (e.g., Kerberos ticket grants, logon success).
Microsoft Exchange:
Can be monitored for client access logs, which provide additional user-IP mapping data. Useful when users access email services and AD logs are insufficient.
Novell eDirectory:
Supported via the User-ID agent, which can monitor eDirectory logs for login events. This enables integration in environments using non-Microsoft directory services.
These platforms are explicitly listed in Palo Alto’s User-ID Server Monitoring documentation.

❌ Why the other options are incorrect
A & C (Red Hat Linux):
Linux systems like Red Hat are not directly supported for server monitoring via User-ID. You can use syslog-based methods to collect login events, but not via the server monitoring feature.
B (Microsoft Terminal Server):
Terminal Server support is handled via TS Agent, not server monitoring. It’s a separate mechanism for mapping users in multi-user environments.




Question # 4

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)
A. Threat
B. HIP Match
C. Traffic
D. Configuration


B. HIP Match
D. Configuration
Explanation:
Based on PAN-OS 11.0 documentation, the forwarding configuration for specific log types in Device > Log Settings involves selecting log types for system-level logs, which include HIP Match and Configuration logs.
Explanation for Each Option
A. Threat
  • Threat logs record detected security threats such as malware, viruses, and vulnerabilities.
  • Forwarding of Threat logs is not configured in Device > Log Settings. Instead, Threat logs are forwarded using Log Forwarding Profiles applied to Security Policies.
  • Verdict: Incorrect.
B. HIP Match
  • HIP Match logs capture information about endpoint compliance reported by GlobalProtect clients.
  • These logs can be configured for forwarding in Device > Log Settings for monitoring and compliance purposes.
  • Verdict: Correct.
C. Traffic
  • Traffic logs provide details about allowed or denied network traffic.
  • Forwarding of Traffic logs is configured using Log Forwarding Profiles applied to Security Policies, not in Device > Log Settings.
  • Verdict: Incorrect.
D. Configuration
  • Configuration logs track administrative changes to the firewall, such as updates to policies, settings, and objects.
  • These logs can be forwarded from Device > Log Settings for auditing purposes.
  • Verdict: Correct.

Correct Answer
B. HIP Match
D. Configuration

Key Points from PAN-OS 11.0 Documentation

  • Device > Log Settings is specifically for system-related logs like HIP Match and Configuration.
  • Logs like Threat and Traffic are handled through Log Forwarding Profiles applied to Security or NAT policies.




Question # 5

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the Zero Access.Gen threat
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.


A. Click the hyperlink for the Zero Access.Gen threat
Explanation:
When using the Application Command Center (ACC) to investigate Blocked User Activity and identify users potentially compromised by a botnet, the most effective method is to click the hyperlink for the Zero Access.Gen threat. This action sets a global filter that narrows down all related traffic, users, and sessions associated with that specific threat.
In the screenshot, ZeroAccess.Gen Command and Control Traffic is listed as a critical spyware threat with a botnet category and a high count. Clicking its hyperlink allows the administrator to:
Apply a global filter across the ACC
View all sessions, users, and source IPs tied to this threat
Drill down into logs and threat details for forensic analysis
This is the fastest and most precise way to isolate compromised users and take remediation steps.

❌ Why Other Options Are Incorrect:
B. Click the left arrow beside the Zero Access.Gen threat
This expands the row for more details but does not apply a global filter. It’s useful for viewing metadata but not for narrowing down user activity.

C. Click the source user with the highest threat count
This shows user-specific data but does not isolate the botnet threat. It’s reactive and less targeted than filtering by threat.

🔗 Valid References:
Palo Alto Networks Knowledge Base: Tips & Tricks: How to Use the Application Command Center (ACC)
Exam4Training PCNSE Practice: Best Method to Set Global Filter in ACC




Question # 6

A security engineer needs firewall management access on a trusted interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)
A. Minimum TLS version
B. Certificate
C. Encryption Algorithm
D. Maximum TLS version
E. Authentication Algorithm


A. Minimum TLS version
B. Certificate
D. Maximum TLS version
Explanation:
To enable secure Web UI access on a Palo Alto Networks firewall via a trusted interface, the administrator must configure an SSL/TLS Service Profile with the following key settings:

Certificate
This is the server certificate used to authenticate the firewall to the browser.
It must be valid and trusted by client systems to avoid certificate warnings.
You can import a third-party certificate or generate one on the firewall.

Minimum TLS Version
Defines the lowest TLS protocol version allowed for secure connections.
Recommended to set this to TLS 1.2 or higher to avoid weak protocols.

Maximum TLS Version
Defines the highest TLS protocol version supported.
For management access, TLS 1.3 is supported and preferred for stronger security.

These three settings ensure that the Web UI uses a trusted certificate and secure protocol versions, which are essential for encrypted management access.

❌ Why the Other Options Are Incorrect:
C. Encryption Algorithm
→ Not directly configurable in the SSL/TLS Service Profile. Cipher suites are automatically selected based on the TLS versions.
E. Authentication Algorithm
→ Not a setting in SSL/TLS Service Profiles. Authentication is handled separately via admin credentials or certificate-based auth.

References:
Configure an SSL/TLS Service Profile – Palo Alto Networks
Secure Web-GUI Access Using Certificates – Knowledge Base




Question # 7

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
A. Destination user/group
B. URL Category
C. Destination Domain
D. video streaming application
E. Source Domain


C. Destination Domain
D. video streaming application

Explanation:
GlobalProtect split tunneling allows administrators to define which traffic is sent through the VPN tunnel (to be inspected by the firewall) and which traffic is sent directly to the internet. The three supported methods for creating these rules are:

1. B. URL Category:
Traffic destined for websites belonging to a specific URL category (e.g., "financial-services," "health-and-medicine," "not-resolved") can be either tunneled or excluded from the tunnel.
2. C. Destination Domain:
Traffic destined for a specific fully qualified domain name (FQDN) (e.g., sensitive-app.corp.com) can be matched and the tunnel action applied.
3. F. Client Application Process:
Traffic generated by a specific application process running on the endpoint (e.g., my_browser.exe, company_erp.exe) can be forced through the tunnel or allowed to go direct.

Why the Other Options Are Incorrect:
A. Destination user/group:
Split tunnel rules are based on network traffic characteristics (domain, IP, URL, application), not on the user identity. User/Group is used elsewhere in GlobalProtect for authentication and connection policies, but not for defining split tunnel traffic matches.
D. Video streaming application:
This is a specific use case, not a configurable matching criterion. While you could create a rule based on the URL category "streaming-media" or the application "netflix," "video streaming application" itself is not a selectable option in the split tunnel configuration.
E. Source Domain:
Split tunnel policies are concerned with the destination of the traffic (where it's going), not its source domain. The source is always the GlobalProtect client.

Reference:
Palo Alto Networks Administrator Guide | GlobalProtect | Gateway Configuration | Split Tunnel:
The official documentation lists the specific Include List and Exclude List criteria for split tunneling, which are: IP Address, Domain, URL Category, and Application. "Application" here refers to the Client Application Process.



How to Pass PCNSE Exam?

The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.