PBF can address which two scenarios? (Choose two.)
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. Providing application connectivity if the primary circuit fails
C. Enabling the firewall to bypass Layer 7 inspection
D. Forwarding all traffic by using source port 78249 to a specific egress interface
Explanation:
Policy-Based Forwarding (PBF) allows you to override the routing table and force traffic to take a specific path based on:
Source/Destination IP/Port
Application/Protocol (e.g., FTP)
ToS (Type of Service) field
Why These Answers Are Correct:
A: PBF can route specific traffic (e.g., FTP) to a backup ISP to conserve bandwidth on the primary link.
B: If the primary ISP fails, PBF can redirect traffic to a secondary circuit for failover.
Why the Others Are Incorrect:
C: PBF does not bypass Layer 7 inspection (App-ID/Content-ID still apply).
D: PBF can forward traffic based on source port, but this is not a typical use case (usually based on application, destination, or failover needs).
Reference:
Palo Alto PBF Documentation
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
A. Application filter
B. Application override policy rule
C. Security policy rule
D. Custom app
Explanation:
Application Override allows administrators to force the firewall to treat traffic as a specific application, bypassing App-ID if necessary. This is useful when:
The firewall misidentifies an application.
An application uses non-standard ports.
Why These Answers Are Correct:
B. Application Override Policy Rule
Defines which traffic should be reclassified as a different application.
Requires:
Original application (e.g., ssl)
Override application (e.g., facebook-base)
Source/destination criteria.
C. Security Policy Rule
Must allow the traffic (either the original or overridden application).
Without a security rule permitting the traffic, it will still be blocked.
Why the Others Are Incorrect:
A. Application Filter → Used for monitoring/reporting, not overriding.
D. Custom App → Not required unless you’re creating a new application (not overriding an existing one).
Reference:
Palo Alto Application Override Docs
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
A. The forward untrust certificate has not been signed by the self-signed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
D. The forward trust certificate has not been signed by the self-signed root CA certificate.
Explanation:
In a Palo Alto Networks SSL Forward Proxy decryption setup, there are three important certificate components involved:
1. Self-signed Root CA Certificate – Used to sign all forward trust and forward untrust certificates.
2. Forward Trust Certificate – Used by the firewall to sign certificates for trusted sites that it intercepts and decrypts.
3. Forward Untrust Certificate – Used by the firewall to sign certificates for untrusted sites.
To avoid browser warnings during decryption:
Clients must trust the root CA certificate.
The forward trust and forward untrust certificates must be signed by the root CA certificate.
In the scenario:
The administrator installed the self-signed root CA in all clients — ✔️ correct step.
But users are still receiving warnings when visiting SSL sites — 🚫 problem.
The most likely cause is that the firewall is using a forward trust certificate that is not signed by the root CA, so browsers don’t recognize the certificate chain and display "unsecured website" warnings.
❌ Why the other options are incorrect:
A. The forward untrust certificate doesn’t need to be trusted by clients because it’s meant to signal untrusted sites. This wouldn’t cause warnings for all sites.
B. Clients don’t need the forward trust certificate installed — they just need to trust the root CA that signed it.
C. Having the same CN on multiple certificates isn’t recommended but won’t directly cause SSL warnings unless there's a trust chain issue.
🔍 Reference:
Palo Alto Networks Documentation:
Configure SSL Forward Proxy
Generate a Certificate
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
A. Voice
B. Fingerprint
C. SMS
D. User certificate
E. One-time password
Explanation:
The Palo Alto Networks firewall supports several methods for multi-factor authentication (MFA) to enhance the security of administrative access (WebUI, SSH, etc.) and, in some cases, user-based policies. The key is that the MFA method must be integrated and validated by an external authentication server (like a RADIUS server) that the firewall can communicate with.
C. SMS:
This is a common MFA method. The firewall itself doesn't send the SMS. Instead, it forwards the authentication request to a RADIUS server, which is integrated with an SMS gateway service (e.g., Duo, Azure MFA). The server handles sending the code to the user's phone, validating the code entered by the user, and then sending an accept/reject response back to the firewall.
D. User certificate:
User certificates are a strong form of authentication based on public key infrastructure (PKI). The firewall can be configured to require a valid, trusted user certificate to be presented by the client (e.g., the administrator's browser) in addition to a username and password. This constitutes two factors: "something you have" (the private key of the certificate) and "something you know" (the password).
E. One-time password (OTP):
This is a standard and widely supported MFA factor. The firewall uses an authentication server (like RADIUS) that supports time-based one-time passwords (TOTP) or HMAC-based one-time passwords (HOTP). The user has an authenticator app (like Google Authenticator, Microsoft Authenticator, or a hardware token) that generates the code, which the authentication server validates.
Why the other options are incorrect:
A. Voice:
While some advanced MFA providers might offer a voice call-back feature as part of their service, this is not a standard, directly configurable MFA method on the firewall itself. The firewall's authentication mechanism does not have a built-in component to initiate and validate voice calls. The primary communication is with an authentication server using protocols like RADIUS.
B. Fingerprint:
Biometric authentication like a fingerprint is a form of "something you are." The firewall's operating system (PAN-OS) does not have built-in support for biometric readers or the software to validate fingerprints. This factor cannot be used directly to authenticate to the firewall's management interface.
Reference:
The Palo Alto Networks Administrator's Guide section on "Multi-Factor Authentication" explains that the firewall relies on external authentication servers (e.g., RADIUS) to perform the actual validation of the second factor. The supported methods are those that these standard servers can process, such as OTP, SMS via a gateway, and certificate-based authentication.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
A. Perform a commit force from the CLI of the firewall.
B. Perform a template commit push from Panorama using the "Force Template Values" option.
C. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
D. Reload the running configuration and perform a Firewall local commit.
Explanation:
The core of this problem is resolving a configuration conflict between Panorama (the central manager) and a local firewall. When a setting is configured both in a Panorama template and locally on the firewall, the local value is an override. The requirement is to enforce Panorama's configuration and prevent any local deviations.
The "Force Template Values" option is specifically designed for this purpose. When you perform a template push with this option selected, Panorama overwrites every local firewall setting that is defined in the template, removing the local overrides and ensuring the firewall's configuration matches the template exactly.
Why this works: it meets the requirement directly by eliminating the local override and establishing Panorama as the single source of truth for that template's settings.
Why the other options are incorrect:
A. Perform a commit force from the CLI of the firewall.
A commit force is used to override a pending commit that is locked by another user or process. It does not resolve the conflict between Panorama and the local configuration. In fact, doing this from the firewall would commit the local override, making the problem worse from Panorama's perspective.
C. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
This option simply ensures that both the Device Group (e.g., security policies, objects) and Template (e.g., interfaces, zones) configurations are pushed together. It does not forcibly overwrite local overrides. If there is a local override, this push may still fail or require manual resolution.
D. Reload the running configuration and perform a Firewall local commit.
Reloading the configuration (e.g., a load config) would just re-read the existing configuration, which includes the local override. A local commit would then solidify that override. This action does nothing to align the firewall with Panorama and would further entrench the local change.
Reference:
Panorama Force Template Values Documentation
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
A. TCP Fast Open in the Strip TCP options
B. Ethernet SGT Protection
C. Stream ID in the IP Option Drop options
D. Record Route in IP Option Drop options
Explanation:
Cisco TrustSec and SGT (Security Group Tags)
Cisco TrustSec is a security framework that uses Security Group Tags (SGTs) embedded in Layer 2 Ethernet frames to enforce policy-based segmentation.
These SGTs are carried in the Cisco Metadata Exchange (CMDX) or IEEE 802.1AE (MACsec) frames and are used for dynamic access control.
Zone Protection Profile & Ethernet SGT Protection
Palo Alto firewalls can inspect and enforce policies based on SGT tags when Ethernet SGT Protection is enabled in the Zone Protection profile.
This setting ensures that:
The firewall identifies and validates SGT-tagged packets.
It can drop, allow, or alert based on the configured action.
Why Not the Other Options?
A. TCP Fast Open (Strip TCP Options) → Unrelated to TrustSec (deals with TCP optimization).
C. Stream ID (IP Option Drop) → Pertains to IPv4 header options, not Layer 2 SGT.
D. Record Route (IP Option Drop) → Also an IPv4 header option, not relevant to TrustSec.
Reference:
Palo Alto Networks Admin Guide (Zone Protection Profile):
Describes Ethernet SGT Protection as the correct setting for handling Cisco TrustSec packets.
Found under:
Network > Network Profiles > Zone Protection > Ethernet SGT Protection
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)
A. SSL/TLS Service
B. HTTP Server
C. Decryption
D. Interface Management
Explanation:
To properly implement URL Filtering with override actions, the firewall must inspect encrypted (HTTPS) traffic. This requires:
A. SSL/TLS Service Profile
Defines which SSL/TLS versions and cipher suites are allowed.
Ensures the firewall can properly decrypt and inspect traffic.
C. Decryption Profile
Specifies decryption rules (e.g., forward trust, forward untrust).
Required for SSL decryption, which is necessary for URL Filtering to analyze HTTPS traffic.
Why the Others Are Incorrect:
B. HTTP Server Profile → Used for firewall management access (GUI/API), not URL Filtering.
D. Interface Management Profile → Controls management access to interfaces, unrelated to decryption.
Reference:
Palo Alto URL Filtering with Decryption
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?
A. Install the unsupported cipher into the firewall to allow the sites to be decrypted.
B. Allow the firewall to block the sites to improve the security posture.
C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.
D. Create a Security policy to allow access to those sites.
Explanation:
When planning SSL decryption, there are cases where certain websites cannot be decrypted due to technical limitations, such as:
Use of unsupported ciphers
Use of client certificate authentication
Certificate pinning
Forward secrecy algorithms that the firewall doesn't support
If the firewall tries to decrypt these sessions and fails, it will block the traffic (since it can't inspect it). This could impact business productivity if the sites are legitimate and necessary.
🔹 Best Practice in this case:
Add these problematic websites to the SSL Decryption Exclusion list.
This tells the firewall not to decrypt traffic to these domains/IPs, allowing users to access them while maintaining decryption for all other sites.
🔐 Note: While this reduces visibility for these specific sites, it is often necessary for compatibility and business continuity.
❌ Why the other options are incorrect:
A. Install the unsupported cipher into the firewall:
You can’t install ciphers into Palo Alto firewalls. Cipher support is part of the system software.
B. Allow the firewall to block the sites to improve the security posture:
This might increase security, but it can disrupt business if those sites are required (e.g., critical business apps).
D. Create a Security policy to allow access to those sites:
A Security policy alone won’t help if decryption is still enforced and fails due to cipher mismatch. The session will still be blocked at the SSL Proxy layer.
🔍 Reference:
Palo Alto Networks – Decryption Exclusion
TechDocs – Configure SSL Decryption Exclusions