Paloalto Networks NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Exam Practice Test

Basic Concept: Explicit proxy forces browsers to connect to the firewall as the proxy, and Kerberos provides transparent SSO against Active Directory. This meets environments where users must not connect directly to websites.

Why D is Correct: Explicit proxy with Kerberos is correct because the firewall establishes the server-side connection while authenticating users with AD credentials in a seamless way.

Why A is Wrong: Deploy the transparent proxy with Web Cache Communications Protocol (WCCP). is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Deploy the Next-Generation Firewalls as normal and install the User-ID agent. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Deploy the Advanced URL Filtering license and captive portal. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: A Forward Trust certificate used for SSL Forward Proxy must be trusted by endpoints. Otherwise users see certificate trust warnings for decrypted sites.

Why D is Correct: Installing the public CA certificate into client trust stores is the required next step because the firewall signs substitute server certificates during forward proxy decryption.

Why A is Wrong: Set the forward trust certificate as the SSL/TLS Service profile for the management interface. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: Create a Security policy rule that allows traffic from the certificate of the firewall to all the zones. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: Import the private key of the forward trust certificate onto the domain controller. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: Virtual wire binds two physical interfaces into an inline transparent pair. The two interfaces must have compatible Layer 1 characteristics.

Why C is Correct: Same link speed and transmission mode are required so the virtual wire can bridge traffic correctly between the paired interfaces.

Why A is Wrong: They must be configured with auto-negotiate settings regardless of the port type. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: They must all be either copper or fiber optic, however they can be different. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: They must be the same media type. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: The CLI command to configure management as a DHCP client is made under deviceconfig system rather than under data-plane interface configuration.

Why C is Correct: set deviceconfig system type dhcp-client is the correct command syntax for enabling DHCP on the management interface.

Why A is Wrong: set deviceconfig system interface mgt mode dhcp is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: set network interface management dhcp enable is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: configure system management-interface ip dynamic is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Site-to-site VPN policy must allow both negotiation to the firewall endpoint and user/application traffic through the tunnel security zone.

Why A and C are Correct: One rule permits IKE/IPSec to the firewall/local endpoint, and tunnel-zone policies permit application traffic between local and remote zones.

Why B is Wrong: A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Authentication sequences provide ordered fallback across authentication profiles. A new server profile must exist before an authentication profile can reference it.

Why C and D are Correct: Creating the Kerberos authentication profile and placing it first in an authentication sequence before LDAP implements the requested fallback.

Why A is Wrong: Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: When destination prefix length is the same, route selection compares administrative distance to choose the preferred source protocol before metric.

Why A is Correct: Administrative distance is evaluated first among equal destination prefixes learned from different route sources.

Why B is Wrong: Route metric is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why C is Wrong: Next-hop availability is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why D is Wrong: Longest prefix match is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Basic Concept: OCSP and CRL both check certificate revocation, but OCSP performs on-demand status checks instead of downloading full revocation lists.

Why B is Correct: OCSP is more scalable for large deployments because it returns real-time status for a certificate with lower memory and download overhead.

Why A is Wrong: OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: OCSP is an older, more widely supported protocol than CRLs. ensuring compatibility with all client devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: Group-based policy requires group mapping, and group mapping requires a directory connection. LDAP Server profiles establish that directory connection.

Why A is Correct: Creating an LDAP server profile first lets PAN-OS query Active Directory for group membership used in Security policy.

Why B is Wrong: User-ID agent service account is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Authentication sequence is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Kerberos server profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: PAN-OS supports post-quantum VPN options for IKEv2 through post-quantum pre-shared keys and post-quantum key encapsulation mechanisms configured in IKE/IKE Crypto settings.

Why A and D are Correct: The correct actions enable IKEv2 with PQ PPK and configure PQ KEM with crypto-profile rounds, which are the PAN-OS mechanisms for quantum-resistant VPN key establishment.

Why B is Wrong: Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.” relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Inter-VSYS traffic that remains within the firewall uses external zones as logical source/destination zones for Security policy.

Why A is Correct: External is the correct zone type because the traffic crosses VSYS boundaries without using a physical interface.

Why B is Wrong: TAP is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Layer 3 is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: Layer 2 is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Palo Alto Networks SD-WAN automation through Panorama uses API objects and parameters for SD-WAN interfaces and profiles. The application must call the correct Panorama API endpoint/object.

Why A is Correct: The REST API sdwanInterfaceprofiles parameter on Panorama is correct because SD-WAN interface creation for managed deployments is orchestrated centrally through Panorama.

Why B is Wrong: REST API’s “sdwanInterfaces” parameter on a firewall device is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why C is Wrong: XML API’s “sdwanprofiles/interfaces” parameter on a Panorama device is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why D is Wrong: XML API’s “InterfaceProfiles/sdwan” parameter on a firewall device is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Basic Concept: Policy-based third-party VPN gateways require matching traffic selectors. PAN-OS represents those selectors as Proxy IDs under the IPSec tunnel configuration.

Why A is Correct: Defining local and remote subnets in Proxy ID settings aligns PAN-OS with the Check Point encryption domain and resolves Phase 2 failures.

Why B is Wrong: Create individual Security policies for each pair of local and remote subnets. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: Assign a specific IP address to the tunnel interface to match the Check Point gateway. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: Enable Dead Peer Detection (DPD) in the IKE Gateway configuration. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Terraform is normally used for infrastructure provisioning, while Ansible is better suited for post-deployment configuration management.

Why B is Correct: Deploying the VM and network interfaces is the Terraform part of the workflow because it defines cloud or virtualization infrastructure resources.

Why A is Wrong: Pushing threat intelligence updates to the new firewall is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why C is Wrong: Storing the credentials needed to access the vSphere environment is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why D is Wrong: Applying the detailed Security policies and objects is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Basic Concept: In active/passive HA, LACP delays can occur if the passive peer did not negotiate before becoming active. PAN-OS can keep LACP active in passive state.

Why C is Correct: Enable in HA passive state allows pre-negotiation and minimizes LACP convergence delay during failover.

Why A is Wrong: Enable LACP fast failover. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why B is Wrong: Set LACP mode to passive. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Set HA link monitoring to aggressive. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: For active/passive HA upgrades, the safest method is to upgrade the passive firewall first, fail over to it, then upgrade the remaining peer. This preserves forwarding during most of the process.

Why C is Correct: The selected sequence keeps one firewall forwarding traffic at all times and avoids simultaneous reboots.

Why A is Wrong: From Panorama, create a scheduled software update job targeting both firewalls in the HA pair to run at the same time, then rely on the HA election process to manage the failover automatically. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why B is Wrong: Upgrade the passive firewall first while it is still in the passive state. Once it reboots and is operational, suspend the active firewall to fail over to the newly upgraded device. Then, upgrade the remaining firewall. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Disable HA synchronization on the active firewall, upgrade the passive firewall, and then re-enable synchronization. Once synchronized, repeat the process on the other firewall. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: DDNS client functionality requires an IP-addressed routed interface. Layer 2 interfaces do not own the routed IP context needed for DDNS updates.

Why A is Correct: DDNS client is available on Layer 3 interfaces because it publishes the interface's IP mapping to DNS.

Why B is Wrong: NetFlow export is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: QoS is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Link monitoring is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Service route configuration controls egress for firewall-generated management traffic. It can force cloud service or update traffic through a data-plane interface.

Why A is Correct: Service route is the setting that reroutes firewall-originated traffic away from the management port.

Why B is Wrong: Interface Management profile is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Virtual router is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: Static route is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Custom reports query selected log databases. Traffic, User-ID, Application Statistics, and HIP Match are valid data sources in PAN-OS reporting contexts.

Why B is Correct: The selected set contains valid databases for consolidated reporting from the choices provided.

Why A is Wrong: Threat, URL Filtering, WildFire Submissions, GlobalProtect is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Data Filtering, IP-Tag, User-ID, Endpoint Security is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: System, Config, Authentication, Session Flow is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Enterprise certificate authentication requires a consistent trust chain, revocation checking, and scalable certificate enrollment. Panorama templates/shared objects help maintain consistency across many firewalls.

Why B is Correct: The correct approach distributes trusted CAs consistently, uses OCSP for efficient revocation, keeps CRL fallback, separates user and device certificate profiles, and automates endpoint enrollment.

Why A is Wrong: Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CTurn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: Cloud logging and on-premises logging are separate forwarding paths. Duplicate logging preserves both paths for operational and long-term use.

Why A is Correct: Enabling duplicate logging in the Panorama template is necessary to send logs to both Strata Logging Service and Panorama log collectors.

Why B is Wrong: Enable log syncing and commit the template changes to both the on-premises and cloud collectors. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: In the collector group settings, add the Strata Logging Service as a secondary destination for the on-premises collector. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: Add the Panorama log collector and Strata Logging Service IP addresses to the cloud logging service routes to ensure dual-path cloud and on-premises reachability. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Enabling Strata Logging Service alone can stop duplicate delivery to on-premises collectors. Duplicate logging is required when both destinations must receive logs.

Why B is Correct: The missed setting is duplicate logging under Device > Setup > Management, which keeps cloud and on-premises log forwarding active together.

Why A is Wrong: The device certificates for the Panorama log collectors were not renewed after enabling the cloud logging connection. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: The Log Forwarding profile was modified to send logs only to the Strata Logging Service and no longer includes the on-premises Panorama log collectors. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: The Panorama log collectors were not defined as primary destinations within the collector group configuration for the managed firewalls. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Zone type is the PAN-OS category that matches interface mode. Valid selectable zone types include Layer 2 and Layer 3, among others.

Why A and B are Correct: Layer 3 and Layer 2 are valid zone types; Management and DMZ are not PAN-OS zone types, although DMZ is often used as a zone name.

Why C is Wrong: Management is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: DMZ is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Log Forwarding profiles can send firewall logs to internal or external destinations, including Panorama/Cloud logging, email, syslog, SNMP, or HTTP depending on configuration.

Why B is Correct: Panorama/Cloud logging, email, and syslog are valid methods from the listed choices and cover centralized and external alerting paths.

Why A is Wrong: Syslog, Panorama, SD-WAN is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Email, Syslog, NetFlow is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: HTTP, RADIUS, SNMP is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: In SSL Forward Proxy, the Decryption profile controls certificate validation behavior for server certificates, including revocation checks.

Why C is Correct: The Decryption profile is where OCSP/CRL certificate revocation checking behavior is defined for decrypted outbound sessions.

Why A is Wrong: Certificate revocation checking is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: SSL/TLS service profile is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Forward trust certificate is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: CN-Series enforces container network security inside Kubernetes. Its primary design point is east-west traffic inspection between pods and services.

Why D is Correct: Enforcing Security policies between Kubernetes pods is the primary CN-Series use case.

Why A is Wrong: Protecting mobile users and remote branch offices (east-west) is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Providing security for physical data center perimeters (north-south) is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Securing traffic in and out of a public cloud VPC or VNet (north-south) is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Explicit proxy requires client browsers to point to the firewall's proxy address and port. Kerberos adds seamless Active Directory SSO for user authentication.

Why A is Correct: Web proxy in explicit mode with Kerberos authentication directly matches both manual proxy configuration and seamless AD authentication.

Why B is Wrong: Decryption policy that redirects users to a SAML identity provider for authentication is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Web proxy in transparent mode with an Authentication policy by using multi-factor authentication (MFA) is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: User-ID agent integration with Authentication Portal for authentication is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: The Advanced Routing Engine uses logical routers and is supported only on specific PAN-OS firewall families and software combinations. Model support is a platform/version dependency, not a configuration toggle.

Why A is Correct: The keyed set represents a supported exam-context platform group for ARE: PA-5200, PA-7000, PA-3200 and VM-Series firewalls. Current documentation also supports additional newer families, so this item is version-sensitive.

Why B is Wrong: This set includes supported newer families in current documentation, but it does not match the older exam-keyed platform set represented by the source answer. The item is version-sensitive.

Why C is Wrong: This option is a mixed set and includes PA-850, which is not part of the Advanced Routing Engine support list in current Palo Alto Networks documentation.

Why D is Wrong: This set contains families supported in current releases, but it does not match the keyed answer set in this source question. Treat the item as version-sensitive.

Basic Concept: A tunnel interface can operate without an IP address for basic route-based VPN forwarding, but an IP address is required when the firewall must source monitoring probes or participate in dynamic routing over the tunnel.

Why A and B are Correct: Dynamic routing protocols and tunnel monitoring require an address on the tunnel interface so the firewall has a Layer 3 identity for peering and liveliness probes.

Why C is Wrong: Use of peer IP relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: Redistribution of User-ID relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Packet-Based Attack Protection in a Zone Protection profile handles malformed packet attacks such as non-SYN TCP floods and ICMP fragments, while flood and reconnaissance sections handle rate and scan behavior.

Why D is Correct: Packet-Based Attack Protection is correct because the examples are packet-structure/evasion issues, not application protocol decoding or discovery scans.

Why A is Wrong: Protocol Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Why B is Wrong: Flood Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Why C is Wrong: Reconnaissance Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Basic Concept: SSL/TLS service profiles bind a certificate and protocol settings to firewall services that present HTTPS/TLS endpoints. GlobalProtect portal and gateway are classic examples.

Why C and D are Correct: GlobalProtect Gateways and GlobalProtect Portals use SSL/TLS service profiles to define the server certificate and TLS parameters presented to connecting endpoints.

Why A is Wrong: NAT tables is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: User Authentication is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: Panorama Log Collector Groups have model and storage design restrictions. Collectors in a single group must be compatible so log distribution and redundancy work predictably.

Why C is Correct: All Log Collectors in one Collector Group must run on the same Panorama model, which prevents mixed-capacity or unsupported collector group designs.

Why A is Wrong: Log redundancy is available only if each Log Collector has the same amount of total disk storage. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why B is Wrong: Enabling redundancy increases the log processing traffic in a Collector Group by 50%. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: When routes to the same destination are learned from different routing protocols, PAN-OS compares administrative distance before metrics from the same protocol.

Why D is Correct: The lowest administrative distance wins because it represents the most preferred route source; higher values are less trusted.

Why A is Wrong: The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected. is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why B is Wrong: It will attempt to load balance the traffic across all routes. is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why C is Wrong: It compares the administrative distance and chooses the one with the highest value. is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Basic Concept: Admin Role Profiles implement role-based administrative access on PAN-OS. They define exactly which management operations an administrator may perform.

Why C is Correct: Granular task permissions are correct because Admin Role Profiles limit administrator capabilities rather than enabling MFA or unrestricted access.

Why A is Wrong: Allow access to all resources without restrictions. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Enable multi-factor authentication (MFA) for administrator access. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Restrict access to sensitive report data. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Split tunnel access routes do not automatically control DNS resolution. Split DNS must specify which domains use VPN-assigned DNS servers.

Why A is Correct: Configuring split DNS with internal corporate domains sends those queries to corporate DNS while leaving public browsing DNS local.

Why B is Wrong: DNS Proxy feature on the firewall to point clients to the gateway IP for DNS relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: "DNS Forwarding" option on the gateway's tunnel interface relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: SSL/TLS service profiles secure firewall-hosted TLS services by binding certificates and protocol settings.

Why A and B are Correct: Authentication Portal and GlobalProtect Portal are services that present TLS certificates and use SSL/TLS service profiles.

Why C is Wrong: LDAP server profiles is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Prisma Access service connections is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.