Why would a traffic log list an application as "not-applicable"?
A. The firewall denied the traffic before the application match could be performed.
B. The TCP connection terminated without identifying any application data
C. There was not enough application data after the TCP connection was established
D. The application is not a known Palo Alto Networks App-ID.
Explanation:
When a traffic log shows "not-applicable" in the Application field, the firewall never inspected enough of the session for App-ID to run. This most often happens when the session is dropped or denied at the very start, before the App-ID engine sees any payload:
Typically by the interzone-default rule, or by an explicitly configured "deny" rule in the Security policy whose match does not depend on the application (for example, a rule with application "any" keyed on zone, address or port).
Additional Clarification of Other Options:
B. The TCP connection terminated without identifying any application data:
This shows as "incomplete", not "not-applicable": either the TCP three-way handshake never completed, or it completed but no payload followed.
C. There was not enough application data after the TCP connection was established:
This shows as "insufficient-data", not "not-applicable": the handshake completed and some payload arrived, but not enough for App-ID to match a signature.
D. The application is not a known Palo Alto Networks App-ID:
If App-ID inspects the data and matches no signature, the log shows "unknown-tcp", "unknown-udp" or a custom App-ID, not "not-applicable".
Reference:
Palo Alto Networks: Traffic Log Fields
Palo Alto Networks Knowledge Base: Why Application is 'not-applicable'
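The following script is an added example (not part of the practice test, and not Palo Alto Networks tooling) that runs the distinction above over a traffic-log export: it buckets sessions per rule by what the Application field says about how far App-ID got, and flags rows worth a second look. The CSV column names and the log rows are constructed for the example and only mirror a subset of a real export.

```python
"""Classify PAN-OS traffic-log sessions by what the Application field reveals.

Added example; not from the practice test or Palo Alto Networks. The CSV
layout below is a constructed subset of a traffic-log export (assumed column
names), not a verbatim firewall export.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: a few traffic-log rows with the columns this script needs.
SAMPLE_TRAFFIC_LOG = """\
Receive Time,Type,Source address,Destination address,Destination Port,Application,Rule,Action,Session End Reason
2024/05/01 10:00:01,TRAFFIC,10.1.1.5,198.51.100.20,443,ssl,allow-web,allow,tcp-fin
2024/05/01 10:00:02,TRAFFIC,10.1.1.5,198.51.100.21,23,not-applicable,interzone-default,deny,policy-deny
2024/05/01 10:00:03,TRAFFIC,10.1.1.7,198.51.100.22,8443,incomplete,allow-web,allow,aged-out
2024/05/01 10:00:04,TRAFFIC,10.1.1.7,198.51.100.23,9000,insufficient-data,allow-any,allow,tcp-rst-from-server
2024/05/01 10:00:05,TRAFFIC,10.1.1.9,198.51.100.24,5555,unknown-tcp,allow-any,allow,tcp-fin
2024/05/01 10:00:06,TRAFFIC,10.1.1.9,198.51.100.25,445,not-applicable,block-smb,deny,policy-deny
"""

# What each special Application value says about how far the session got.
# Keys are the literal strings PAN-OS writes in the Application field.
PRE_APPID_MARKERS = {
    "not-applicable": "denied by policy before App-ID ran (no data inspected)",
    "incomplete": "TCP handshake never completed, or completed with no payload",
    "insufficient-data": "handshake completed, payload too short to identify",
}


def explain_app_field(app: str) -> str:
    """Return a one-line meaning for an Application field value."""
    if app in PRE_APPID_MARKERS:
        return PRE_APPID_MARKERS[app]
    if app.startswith("unknown-"):
        return "App-ID inspected data but matched no signature"
    return "identified application"


def summarize(csv_text: str):
    """Return (per-rule Counter of Application values, list of rows to review).

    A row is listed for review when its Application value does not fit its
    action: 'not-applicable' on an allowed session (App-ID should have run),
    or a deny on a session whose application was identified (the rule matched
    on the app itself, which is worth confirming was intended).
    """
    per_rule = defaultdict(Counter)
    review = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        app, rule, action = row["Application"], row["Rule"], row["Action"]
        per_rule[rule][app] += 1
        if app == "not-applicable" and action == "allow":
            review.append((rule, app, action, "allowed but App-ID never ran"))
        elif action == "deny" and explain_app_field(app) == "identified application":
            review.append((rule, app, action, "denied after App-ID identified the app"))
    return per_rule, review


if __name__ == "__main__":
    rules, items = summarize(SAMPLE_TRAFFIC_LOG)
    for rule, counts in rules.items():
        for app, n in counts.items():
            print(f"{rule:18} {app:18} {n:3}  {explain_app_field(app)}")
    for item in items:
        print("review:", item)
```

On a real export, replace SAMPLE_TRAFFIC_LOG with the file contents; rules that accumulate mostly "not-applicable" are the early-deny rules the question describes, while "incomplete" and "insufficient-data" under allow rules point at scans or aborted connections rather than policy.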
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies
Explanation:
The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption. SSL Forward Proxy decryption lets the firewall decrypt and inspect traffic from internal users to external servers, which raises privacy and legal concerns for both the users and the organization. The engineer should therefore make sure leadership understands the implications and benefits of SSL Forward Proxy decryption, and that there is a clear policy for informing users and obtaining their consent.
Option A is incorrect because browser-supported cipher documentation is not what leadership needs to review. The firewall terminates the client's TLS session and negotiates a separate one with the external server using its own decryption profile, so browser cipher support is an engineering detail handled there, not a policy decision.
Option B is incorrect for the same reason: cipher documentation for the endpoint operating system is not a leadership topic. The firewall negotiates its own cipher suites with the external server regardless of the endpoint operating system.
Option C is incorrect because URL risk-based category distinctions are not the subject of the leadership review. The firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones; which categories to exclude (for example, financial or health sites) follows from the legal and acceptable-use review rather than preceding it.
Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
A. ECDSA
B. ECDHE
C. RSA
D. DHE
Explanation:
The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. Both are Diffie-Hellman based algorithms that provide perfect forward secrecy (PFS): they generate a new, unique session key for every SSL/TLS session and never reuse a previous key. This strengthens the encrypted communication, but it also increases the computational cost of the key exchange, and a decrypting firewall has to perform its own ephemeral key agreement on both the client-facing and server-facing legs of every session.
ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral and uses elliptic curve cryptography (ECC) to derive the session key. DHE stands for Diffie-Hellman Ephemeral and uses modular exponentiation over a large prime group to derive the session key. Both require more CPU than RSA key exchange, which does not provide PFS: the client encrypts the premaster secret with the server's RSA public key and the server decrypts it with its private key, so no per-session agreement takes place. ECDSA (option A) is a signature algorithm used to authenticate the server, not a key exchange algorithm, which is why it does not belong in this answer.
References:
Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)
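The script below is an added example (not from the practice test or Palo Alto Networks) that makes the key-exchange versus authentication distinction concrete using the cipher-suite metadata Python's ssl module reads from the local OpenSSL build, where each suite carries a 'kea' (key exchange) and an 'auth' (signature) field. The SAMPLE list is constructed in that same shape so the grouping runs offline regardless of which suites the local OpenSSL enables.

```python
"""Separate key exchange from authentication in TLS 1.2 cipher-suite metadata.

Added example; not from the practice test or Palo Alto Networks. It relies on
ssl.SSLContext.get_ciphers(), whose entries include 'kea' (key exchange) and
'auth' (authentication) as reported by OpenSSL. SAMPLE is constructed to
mirror that shape.
"""
import ssl

# Constructed sample in the shape of ssl.SSLContext.get_ciphers() entries.
SAMPLE = [
    {"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "auth": "auth-ecdsa"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe", "auth": "auth-rsa"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa", "auth": "auth-rsa"},
]

# Ephemeral (EC)DH: a fresh key agreement per session, hence PFS and the extra
# CPU a decrypting proxy spends running that agreement on both legs.
PFS_KEA = {"kx-ecdhe", "kx-dhe"}


def is_pfs(cipher: dict) -> bool:
    """True when the suite's key exchange is ephemeral Diffie-Hellman."""
    return cipher.get("kea") in PFS_KEA


def group_by_key_exchange(ciphers):
    """Map key-exchange algorithm name -> sorted list of suite names."""
    groups = {}
    for c in ciphers:
        groups.setdefault(c.get("kea", "unknown"), []).append(c["name"])
    return {k: sorted(v) for k, v in groups.items()}


def auth_algorithms(ciphers):
    """Distinct authentication algorithms; ECDSA appears here, never under kea."""
    return sorted({c.get("auth", "unknown") for c in ciphers})


def local_openssl_tls12_ciphers():
    """Suites the local OpenSSL enables for TLS 1.2 (live data, varies by build)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c for c in ctx.get_ciphers() if c.get("protocol") == "TLSv1.2"]


if __name__ == "__main__":
    for source, ciphers in (("constructed sample", SAMPLE), ("local OpenSSL", local_openssl_tls12_ciphers())):
        print(f"== {source}")
        for kea, names in group_by_key_exchange(ciphers).items():
            tag = "PFS, ephemeral (heaviest for a decrypting proxy)" if kea in PFS_KEA else "no PFS"
            print(f"  {kea:10} {tag}: {', '.join(names)}")
        print("  auth algorithms:", ", ".join(auth_algorithms(ciphers)))
```

Running it shows the same suite family (for example ECDHE-ECDSA and ECDHE-RSA) landing in one key-exchange group while differing only in the auth field, which is the practical reason ECDSA is not an answer to a key-exchange question. TLS 1.3 suites are filtered out because OpenSSL reports their key exchange as "kx-any" rather than per suite.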
An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?
A. The firewall template will show that it is out of sync within Panorama.
B. The modification will not be visible in Panorama.
C. Only Panorama can revert the override.
D. Panorama will update the template with the overridden value.
Detailed Explanation:
When a local override is applied on a firewall (modifying a Panorama-pushed configuration):
B. The modification will not be visible in Panorama.
Panorama does not automatically detect or display locally overridden values on the firewall.
The firewall retains its local changes, but Panorama still shows its original template configuration.
Why the Other Options Are Incorrect:
A. Panorama does not automatically flag templates as "out of sync" due to local overrides (manual review is required).
C. Both Panorama and the firewall CLI can revert overrides (Panorama is not the only method).
D. Panorama does not auto-update templates with locally overridden values (changes must be manually pushed from Panorama).
Best Practice:
Use "Force Template Values" in Panorama to eliminate local overrides and enforce centralized management.
Reference:
Panorama Local Overrides Documentation
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
A. A Deny policy for the tagged traffic
B. An Allow policy for the initial traffic
C. A Decryption policy to decrypt the traffic and see the tag
D. A Deny policy with the "tag" App-ID to block the tagged traffic
Explanation:
Dynamic User Groups (DUGs) in Palo Alto Networks firewalls are used to dynamically assign users to groups based on tags pushed from external systems like Cortex XSOAR, XDR, or via the XML API. These allow for real-time enforcement of security policies without requiring user logout/login or group refreshes.
To block traffic in real time using DUGs, the following policy components are needed:
A. A Deny policy for the tagged traffic
This is the actual policy that references the Dynamic User Group and blocks traffic for users dynamically added to the group.
Once a user is tagged (e.g., as "malicious" or "violator"), this rule becomes effective immediately, blocking their access based on the DUG membership.
B. An Allow policy for the initial traffic
Before the user is tagged and added to the DUG, they still need to be allowed to generate traffic so they can be evaluated or monitored.
This initial allow policy ensures the traffic is visible and can be tagged (e.g., by a monitoring or detection system like Cortex XDR).
Why the other options are incorrect:
C. A Decryption policy to decrypt the traffic and see the tag:
Tags and DUG membership are independent of traffic decryption. DUG enforcement is based on user identity and tag, not packet content.
D. A Deny policy with the "tag" App-ID to block the tagged traffic:
Tags are not App-IDs. A tag is an identifier for grouping users in DUGs, not an application signature. So there is no "tag" App-ID.
Reference:
Palo Alto Networks: Dynamic User Groups (DUGs) Overview
Best Practices for DUG Implementation:
Palo Alto Live Community: Using Dynamic User Groups to Quarantine Users
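The tagging step that makes the Deny rule above take effect in real time is an API call, not a policy change. The script below is an added example (not from the practice test and not Palo Alto Networks' own tooling): it builds the User-ID register-user message the PAN-OS XML API accepts with type=user-id, posts it to the firewall, and can remove the tag again. FIREWALL, API_KEY, the user "corp\jdoe" and the tag name "quarantine" are placeholder assumptions; the Deny rule that references a dynamic user group matching that tag is configured separately in the Security policy.

```python
"""Tag a user over the PAN-OS XML API so a dynamic user group picks it up.

Added example; not from the practice test or Palo Alto Networks tooling.
FIREWALL and API_KEY are placeholders (assumptions). The message layout is
the User-ID register-user/unregister-user format the XML API accepts with
type=user-id; the DUG and its Deny rule live in the Security policy.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

FIREWALL = "fw.example.internal"   # assumption: API-reachable management address
API_KEY = "REPLACE_WITH_API_KEY"    # assumption: key obtained via type=keygen


def build_uid_message(user: str, tag: str, timeout: Optional[int] = None,
                      unregister: bool = False) -> str:
    """Return the <uid-message> XML that adds (or removes) one tag on one user."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    op = ET.SubElement(payload, "unregister-user" if unregister else "register-user")
    entry = ET.SubElement(op, "entry", {"user": user})
    member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
    member.text = tag
    if timeout is not None and not unregister:
        member.set("timeout", str(timeout))   # seconds until the tag expires on its own
    return ET.tostring(root, encoding="unicode")


def send_uid_message(xml_cmd: str, verify_tls: bool = True) -> str:
    """POST the message to the XML API and return the raw response body."""
    body = urllib.parse.urlencode({"type": "user-id", "key": API_KEY, "cmd": xml_cmd}).encode()
    req = urllib.request.Request(f"https://{FIREWALL}/api/", data=body, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:   # lab use only: self-signed management certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def response_ok(response_xml: str) -> bool:
    """True when the API answered <response status="success">."""
    return ET.fromstring(response_xml).get("status") == "success"


def parse_uid_message(xml_text: str) -> Tuple[str, str, str, Optional[int]]:
    """Inverse of build_uid_message, used to check what will be sent."""
    root = ET.fromstring(xml_text)
    op = root.find("payload")[0]
    entry = op.find("entry")
    member = entry.find("tag/member")
    t = member.get("timeout")
    return op.tag, entry.get("user"), member.text, int(t) if t else None


if __name__ == "__main__":
    msg = build_uid_message("corp\\jdoe", "quarantine", timeout=3600)
    print(msg)
    # print(response_ok(send_uid_message(msg)))   # requires a reachable firewall
```

Because the tag is registered to the firewall's User-ID state rather than committed as configuration, the DUG membership and the Deny rule apply immediately without a commit; the optional timeout lets a quarantine lapse on its own, and the unregister form is the manual release.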
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)
A. HTTPS
B. SSH
C. Permitted IP Addresses
D. HTTP
E. User-ID
Explanation:
To securely allow remote management access on an untrust interface, the Interface Management Profile should include:
A. HTTPS: enables encrypted web-based management (GUI and XML API access).
B. SSH: allows encrypted CLI access for administrators.
C. Permitted IP Addresses: restricts management access to specific trusted source IPs (critical on an untrust interface, where the service is otherwise reachable from the whole Internet).
Why the Others Are Incorrect:
D. HTTP: unencrypted and insecure; it should never be enabled on an untrust interface.
E. User-ID: allows the interface to accept User-ID agent and redistribution connections; it is not an administrator access method and does nothing to secure management access.
Best Practices:
Always disable HTTP and Ping on untrust interfaces.
Use certificate-based authentication for HTTPS/SSH if possible.
Reference:
Palo Alto Interface Management Profile Docs
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
A. Any configuration on an M-500 would address the insufficient bandwidth concerns
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
C. Configure log compression and optimization features on all remote firewalls
D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
Explanation:
In the image, we see multiple firewalls at a remote site sending logs directly to both Panorama and to various management and monitoring systems at the data center, which consumes significant WAN bandwidth.
To reduce WAN traffic while maintaining the existing log visibility:
Centralize log forwarding:
Send logs only once across the WAN, from the firewalls to Panorama, and let Panorama handle the log forwarding to all other systems (SIEM, monitoring tools, etc.).
This drastically cuts down on duplicate log traffic over the WAN.
Why the other options are incorrect:
A. Any configuration on an M-500 would address the insufficient bandwidth concerns:
Incorrect. The M-500 is a Panorama appliance; its configuration affects log storage and management but does not by itself reduce WAN bandwidth unless it is placed in the architecture described in option D.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW:
Reversed logic. Logs go from the NGFWs to Panorama, not the other way around.
C. Configure log compression and optimization features on all remote firewalls:
PAN-OS does not offer a log compression feature for remote log forwarding across WAN links, so this option is not feasible.
Best Practice:
Use Panorama in Log Collector mode or dedicated Log Collectors to centralize logs.
Use Panorama's log forwarding feature to relay logs to external monitoring and SIEM systems.
This keeps only one copy of each log traveling across the WAN, minimizing traffic and duplication.
Reference:
Palo Alto Networks: Log Forwarding
Palo Alto Networks: Best Practices for Distributed Log Collection
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7, sourcing from 192.168.111.3 to the destination 10.46.41.113?
A. ethernet1/6
B. ethernet1/3
C. ethernet1/7
D. ethernet1/5
Explanation:
In the second image, ethernet1/5 and ethernet1/7 are the two ports of a virtual wire. Virtual wire interfaces take no part in routing: whatever enters one port of the pair can only leave through the other, regardless of source or destination address. So traffic entering on ethernet1/7 must exit via ethernet1/5, and the egress interface for a session with ingress interface ethernet1/7, source 192.168.111.3 and destination 10.46.41.113 is ethernet1/5.
The traffic matches the virtual wire formed by ethernet1/5 and ethernet1/7, which is configured to pass VLAN-tagged traffic with tags 10 and 201. It also matches the security policy rule that allows traffic from zone Trust to zone Untrust, the zones assigned to ethernet1/7 and ethernet1/5 respectively. The firewall therefore forwards the traffic out the paired virtual wire interface, ethernet1/5; the routing table and the source and destination addresses play no part in the decision.
Page 2 of 41 | Palo Alto PCNSE Practice Test Home