An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.
What is the effect of configuring this split DNS policy?
An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.
Which additional step is necessary to meet the operational requirement?
An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)
A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.
What are two fundamental properties of the external zones needed for this configuration? (Choose two.)
An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API.
What is a requirement for the application to create SD-WAN interfaces?
Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)
When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
An engineer is troubleshooting a failed inter-VSYS communication path between a DMZ-VSYS and an Internal-VSYS. The configuration includes separate virtual routers with next-vr static routes and appropriate Security policies within each VSYS allowing traffic to and from their external zones.
Given that all routing and policy configurations within each individual VSYS are correct, what is the probable cause of the failure?
What is a valid configurable limit for setting resource quotas when defining a new VSYS on a Palo Alto Networks firewall?
An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?
An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners. Due to compliance regulations, the firewalls protecting the internal network must not have any identity information about external partners. Conversely, firewalls in the partner-facing DMZ should only be aware of partner identities.
Which CIE feature is designed to solve this data partitioning requirement?
An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.
Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)
Which CLI command is used to configure the management interface as a DHCP client?
A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an external device.
Which zone type must be configured to act as the logical source and destination for this traffic flow?
Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?
An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing machine certificates onto the firewall.
Which configuration is required on the GlobalProtect Gateway to enable pre-logon using these machine certificates?
An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.
• The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.
• The Azure environment uses a Virtual WAN (vWAN) hub.
Which two actions are the most appropriate in this use case? (Choose two.)
A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.
What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?
A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.
Which architecture should be used for the VM-Series firewalls in this use case?
An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.
Which API call is required for this task?
An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.
Which two configurations are required to implement this authentication fallback strategy? (Choose two.)
When deploying a pair of Palo Alto Networks firewalls in an active/active high availability (HA) cluster what is the dedicated role of the HA3 link?
An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that do not require switching context into each firewall's individual web interface.
Which set of actions is available to the administrator directly from the Panorama UI?
A Managed Security Service Provider (MSSP) is creating a new VSYS for a customer.
To prevent this customer’s traffic from overwhelming the firewall’s state table, which resource limit should the MSSP configure for the new VSYS?
A large organization has separate production and development environments, each with its own set of firewalls managed by Panorama. The organization uses Cloud Identity Engine (CIE) to consolidate user identities from Active Directory (AD) and Okta.
A security mandate requires that development firewalls must only learn about "DEV" and "QA" user groups, while production firewalls should only see "Prod" user groups.
How can an administrator enforce this separation using CIE with minimal complexity?
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.
What is the most likely cause of these widespread certificate errors?
Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?
An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.
How does Ansible enable an IaC model for managing this organization's firewalls?
A network administrator is configuring an Aggregate Ethernet (AE) interface on an active/passive high availability (HA) pair. To reduce network downtime during a failover, the administrator wants the passive firewall's AE interface to be fully negotiated with the switch before it becomes active.
Which Link Aggregation Control Protocol (LACP) setting achieves this administrator's goal?
During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.
Which firewall models support this configuration?
According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission- critical network?
Which two Palo Alto Networks firewall services are secured by attaching an SSL/TLS service profile to their configuration? (Choose two.)