PBF can address which two scenarios? (Choose two.)
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. Providing application connectivity if the primary circuit fails
C. Enabling the firewall to bypass Layer 7 inspection
D. Forwarding all traffic by using source port 78249 to a specific egress interface
Explanation:
Policy-Based Forwarding (PBF) allows you to override the routing table and force traffic to take a specific path based on:
Source/Destination IP/Port
Application/Protocol (e.g., FTP)
ToS (Type of Service) field
Why These Answers Are Correct:
A: PBF can route specific traffic (e.g., FTP) to a backup ISP to conserve bandwidth on the primary link.
B: If the primary ISP fails, PBF can redirect traffic to a secondary circuit for failover.
Why the Others Are Incorrect:
C: PBF does not bypass Layer 7 inspection (App-ID/Content-ID still apply).
D: PBF can forward traffic based on source port, but this is not a typical use case (PBF is usually keyed on application, destination, or failover needs); in addition, 78249 is not a valid TCP/UDP port, since port numbers are limited to 0 to 65535.
Reference:
Palo Alto PBF Documentation
Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
A. Application filter
B. Application override policy rule
C. Security policy rule
D. Custom app
Explanation:
Application Override allows administrators to force the firewall to treat traffic as a specific application, bypassing App-ID if necessary. This is useful when:
The firewall misidentifies an application.
An application uses non-standard ports.
Why These Answers Are Correct:
B. Application Override Policy Rule
Defines which traffic should be reclassified as a different application.
Requires:
Original application (e.g., ssl)
Override application (e.g., facebook-base)
Source/destination criteria.
C. Security Policy Rule
Must allow the traffic (either the original or overridden application).
Without a security rule permitting the traffic, it will still be blocked.
Why the Others Are Incorrect:
A. Application Filter → Used for monitoring/reporting, not overriding.
D. Custom App → Not required unless you’re creating a new application (not overriding an existing one).
Reference:
Palo Alto Application Override Docs
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
A. The forward untrust certificate has not been signed by the self-signed root CA certificate.
B. The forward trust certificate has not been installed in client systems.
C. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
D. The forward trust certificate has not been signed by the self-signed root CA certificate.
Explanation:
In a Palo Alto Networks SSL Forward Proxy decryption setup, there are three important certificate components involved:
1. Self-signed Root CA Certificate – Used to sign all forward trust and forward untrust certificates.
2. Forward Trust Certificate – Used by the firewall to sign certificates for trusted sites that it intercepts and decrypts.
3. Forward Untrust Certificate – Used by the firewall to sign certificates for untrusted sites.
To avoid browser warnings during decryption:
Clients must trust the root CA certificate.
The forward trust and forward untrust certificates must be signed by the root CA certificate.
In the scenario:
The administrator installed the self-signed root CA in all clients — ✔️ correct step.
But users are still receiving warnings when visiting SSL sites — 🚫 problem.
The most likely cause is that the firewall is using a forward trust certificate that is not signed by the root CA, so browsers don’t recognize the certificate chain and display "unsecured website" warnings.
❌ Why the other options are incorrect:
A. The forward untrust certificate doesn’t need to be trusted by clients because it’s meant to signal untrusted sites. This wouldn’t cause warnings for all sites.
B. Clients don’t need the forward trust certificate installed — they just need to trust the root CA that signed it.
C. Having the same CN on multiple certificates isn’t recommended but won’t directly cause SSL warnings unless there's a trust chain issue.
🔍 Reference:
Palo Alto Networks Documentation:
Configure SSL Forward Proxy
Generate a Certificate
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
A. Voice
B. Fingerprint
C. SMS
D. User certificate
E. One-time password
Explanation:
Palo Alto firewalls support multi-factor authentication (MFA) for secure admin and user access. The three supported MFA methods are:
C. SMS – The firewall can integrate with SMS-based authentication services (e.g., Duo, Okta) to send verification codes.
D. User certificate – Digital certificates (e.g., X.509) can be used as a second factor alongside passwords.
E. One-time password (OTP) – Time-based OTPs (TOTP) from apps like Google Authenticator or RSA SecurID are supported.
Why the Others Are Incorrect:
A. Voice – Not a supported MFA method on Palo Alto firewalls.
B. Fingerprint – Biometric authentication is not natively supported for firewall access.
Reference:
Palo Alto MFA Documentation
An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
A. Perform a commit force from the CLI of the firewall.
B. Perform a template commit push from Panorama using the "Force Template Values" option.
C. Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
D. Reload the running configuration and perform a Firewall local commit.
Explanation:
When local overrides exist on a firewall, but you want all configurations to be managed strictly from Panorama, the best solution is to:
Use Panorama’s "Force Template Values" option – This overwrites any local interface (or template-pushed) configurations on the firewall, ensuring Panorama’s settings take precedence.
Prevents future local overrides – Ensures the firewall adheres only to Panorama-managed configurations.
Why the Other Options Are Incorrect:
A. commit force (CLI) – Only forces a commit if there are validation warnings but does not remove local overrides.
C. "Include Device and Network Templates" – Pushes configurations but does not enforce Panorama’s settings over local changes.
D. Reloading running config – This does not address the root issue (local overrides persist).
Reference:
Panorama Force Template Values Documentation
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
A. TCP Fast Open in the Strip TCP options
B. Ethernet SGT Protection
C. Stream ID in the IP Option Drop options
D. Record Route in IP Option Drop options
Explanation:
Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.
The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.
A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)
A. SSL/TLS Service
B. HTTP Server
C. Decryption
D. Interface Management
Explanation:
To properly implement URL Filtering with override actions, the firewall must inspect encrypted (HTTPS) traffic. This requires:
A. SSL/TLS Service Profile
Defines which SSL/TLS versions and cipher suites are allowed.
Ensures the firewall can properly decrypt and inspect traffic.
C. Decryption Profile
Specifies decryption rules (e.g., forward trust, forward untrust).
Required for SSL decryption, which is necessary for URL Filtering to analyze HTTPS traffic.
Why the Others Are Incorrect:
B. HTTP Server Profile → Used for firewall management access (GUI/API), not URL Filtering.
D. Interface Management Profile → Controls management access to interfaces, unrelated to decryption.
Reference:
Palo Alto URL Filtering with Decryption
During the process of developing a decryption strategy and evaluating which websites corporate users are required to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?
A. Install the unsupported cipher into the firewall to allow the sites to be decrypted
B. Allow the firewall to block the sites to improve the security posture.
C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
D. Create a Security policy to allow access to those sites.
Explanation:
When planning SSL decryption, there are cases where certain websites cannot be decrypted due to technical limitations, such as:
Use of unsupported ciphers
Use of client certificate authentication
Certificate pinning
Forward secrecy algorithms that the firewall doesn't support
If the firewall tries to decrypt these sessions and fails, it will block the traffic (since it can't inspect it). This could impact business productivity if the sites are legitimate and necessary.
🔹 Best Practice in this case:
Add these problematic websites to the SSL Decryption Exclusion list.
This tells the firewall not to decrypt traffic to these domains/IPs, allowing users to access them while maintaining decryption for all other sites.
🔐 Note: While this reduces visibility for these specific sites, it is often necessary for compatibility and business continuity.
❌ Why the other options are incorrect:
A. Install the unsupported cipher into the firewall:
You can’t install ciphers into Palo Alto firewalls. Cipher support is part of the system software.
B. Allow the firewall to block the sites to improve the security posture:
This might increase security, but it can disrupt business if those sites are required (e.g., critical business apps).
D. Create a Security policy to allow access to those sites:
A Security policy alone won’t help if decryption is still enforced and fails due to cipher mismatch. The session will still be blocked at the SSL Proxy layer.
🔍 Reference:
Palo Alto Networks – Decryption Exclusion
TechDocs – Configure SSL Decryption Exclusions