PCNSE Practice Exam Questions with Answers Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Certification

When administrative functions (licensing, updates) use a data plane interface, the firewall requires outbound connectivity to Palo Alto Networks servers (e.g., updates.paloaltonetworks.com) via that interface. If HTTPS/SSH work but licensing/updates fail, the issue is likely upstream blocking or misrouting. Validating upstream devices (Option B) ensures ports (e.g., 443) and destinations are accessible, resolving the issue.

Option A (service route) is a prerequisite already implied but doesn’t fix external issues. Option C (loopback) is unnecessary. Option D (OCSP) relates to certificates, not connectivity. Documentation emphasizes external validation.

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the "Preview Changes" feature.

A. Click Preview Changes under Push Scope:

The "Preview Changes" option is available under the "Push Scope" in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.

This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.

This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.

When administrative functions (e.g., licensing, updates) are moved to a data plane interface, the firewall uses that interface for outbound communication to Palo Alto Networks servers (e.g., licensing and update servers). If HTTPS/SSH work but licensing/updates fail, the issue is likely upstream connectivity. Option B ensures that upstream devices (routers, firewalls) allow and route traffic to required destinations (e.g., updates.paloaltonetworks.com) over ports like 443.

Option A (service route) assumes the interface is already set but doesn’t address external routing. Option C (loopback) is unnecessary and complex. Option D (OCSP) relates to certificate validation, not licensing/updates. Documentation emphasizes validating external connectivity.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under DeviceServer ProfilesSyslogSyslog Server ProfileCustom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format

Step-by-Step

Understanding Log Forwarding in PAN-OS:

Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.

Traffic logs can be customized to include additional information that meets the audit or operational requirements.

Syslog Server Profiles:

Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.

These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).

Custom Log Format:

Navigate to Device > Server Profiles > Syslog.

Within the Syslog Server Profile, define a Custom Log Format for traffic logs.

Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.

Field Specification:

In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.

Example:

$receive_time,$src,$dst,$app,$action,$rule

The engineer can include specific details as requested by the audit team.

Comparison of Other Options:

Option B: Built-in Actions within Objects > Log Forwarding Profile

Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.

Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.

Option C: Logging and Reporting Settings within Device > Setup > Management

These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.

Option D: Data Patterns within Objects > Custom Objects

Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.

Why A is Correct?

The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.

This flexibility allows the firewall engineer to meet specific compliance or audit requirements.

Documentation Reference:

PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations?.

PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/ipsec-transport-mode

The linked documentation outlines new features for IPSec transport mode in PAN-OS 11.0 and clarifies the requirements for configuring IPSec in transport mode. Based on this:

Auto-Generated Key:

The documentation specifies that IPSec in transport mode requires an auto-generated key during the IKE negotiation process. This ensures the integrity and encryption of the communication channel.

Verdict: Correct.

NAT Traversal:

NAT Traversal is only relevant when NAT is present between the IPSec peers. It is not an inherent requirement for IPSec transport mode.

Verdict: Not correct.

IKEv1:

While IKE (v1 or v2) is required for IPSec, the question specifically asks for transport mode requirements, and IKEv1 is not listed as a strict transport mode requirement in the documentation.

Verdict: Not correct.

DH-group 20 (ECP-384 bits):

The documentation mentions that DH-group 20 (Elliptic Curve Protocol, 384-bit) is one of the required Diffie-Hellman groups for transport mode. This ensures secure key exchange.

Verdict: Correct.

Correct Answer

Based on the documentation: A. Auto Generated Key

D. DH-group 20 (ECP-384 bits)

Why This Answer is Correct

Auto-generated key is fundamental to secure communication in transport mode, as stated in the PAN-OS 11.0 documentation.

DH-group 20 ensures a high level of cryptographic strength for key exchange, making it a specific requirement for transport mode in this context.

Reference

For more details, refer to the PAN-OS 11.0 IPSec Transport Mode documentation: IPSec Transport Mode

To determine which sources an engineer can use to gather information about application patterns for creating custom signatures, let’s analyze each option based on PAN-OS 11.0 documentation and typical network troubleshooting practices.

A. Traffic Logs

Why It’s Correct:

Traffic logs in PAN-OS provide details about all traffic flowing through the firewall, including:

Application details.

Source and destination IPs.

Ports used.

This data is essential for identifying patterns, such as specific ports, protocols, or behaviors associated with an application.

How to Use:

Navigate to Monitor > Logs > Traffic in the web interface.

Look for the relevant application traffic and note recurring patterns.

Documentation Reference:

PAN-OS 11.0 Admin Guide, Logging and Reporting Section: Discusses traffic logs as a resource for application and behavior analysis.

B. Data Filtering Logs

Why It’s Incorrect:

Data filtering logs focus on inspecting files, data patterns, or sensitive information such as credit card numbers. These logs are not designed for gathering application-specific traffic patterns.

Documentation Reference:

PAN-OS 11.0 Admin Guide: Details how data filtering logs are used for content inspection, not for creating application signatures.

C. Policy Optimizer

Why It’s Incorrect:

Policy Optimizer helps refine security policies by identifying unused or overly permissive rules. It does not provide information about traffic patterns for applications.

Documentation Reference:

PAN-OS 11.0 Admin Guide, Policy Optimization Section: Focuses on rule management rather than traffic pattern analysis.

D. Wireshark

Why It’s Correct:

Wireshark is a powerful network protocol analyzer that captures and analyzes traffic at a granular level. Engineers can:

Identify application-specific headers or payloads.

Examine protocol behaviors.

Spot unique signatures in application traffic.

How to Use:

Capture traffic flowing to/from the application using a span or mirrored port on the switch or firewall.

Analyze the captured packets for recurring patterns (e.g., specific headers or payload data).

Documentation Reference:

While not directly mentioned in PAN-OS documentation, Wireshark is commonly recommended as a tool for packet analysis in custom application signature creation.

Summary of Correct Choices

Traffic Logs:

Provides a high-level view of application behavior and network patterns.

Wireshark:

Allows deep packet inspection and analysis for identifying unique application behaviors.

PAN-OS 11.0 Study Guide References

PCNSA Study Guide:

Domain 3: Policy Evaluation and Management:

Discusses using traffic logs to refine policies and understand application behavior.

PCNSE Study Guide:

Domain 4: Securing Traffic:

Emphasizes tools like Wireshark for advanced traffic and application analysis.

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications12. References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls

The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key123. References: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. >Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic12. References: App-ID Overview, Create a Security Policy Rule

When managing firewalls with Panorama, configurations can be pushed from Panorama templates to managed firewalls. However, there are scenarios where specific settings need to be overridden on the local firewall level due to unique requirements or exceptions.

B. The modification will not be visible in Panorama:

When an override is made directly on the firewall, this change is not automatically reflected back in Panorama's templates or device groups. The local configuration on the firewall will take precedence over the Panorama pushed configuration for the overridden settings, but these local changes will not be visible in the Panorama interface. This means that while Panorama maintains central control and visibility over the bulk of the configuration, it does not have visibility into local overrides made directly on the firewalls.

This distinction is crucial for auditors and administrators to understand, as it impacts how configurations are managed and synchronized between Panorama and the individual firewalls. Local overrides provide flexibility but require careful management to ensure consistency and compliance with security policies.

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 "- Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration" "You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value"

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the “Force Template Values” option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template1. This way, the administrator can ensure that the interface configuration and any other

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.

https://docs .paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-logging-and-reporting

URL profile action alert.

File Profile action alert.

AV and Wildfire action Reset-both

Policy Action Allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.

In PAN-OS, the Log Forwarding object under Objects configures forwarding for Authentication (Option B) and User-ID (Option C) logs, among others, to external systems (e.g., syslog servers).

Option A (GlobalProtect) and Option D (WildFire) logs are managed differently (e.g., via profiles or Panorama). Documentation lists supported log types in Log Forwarding.

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices

To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic1.

To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc2. The administrator can also create a custom QoS profile or use the default one.

The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN3.

The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes4.

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy5.

QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets6.

A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application7.

 QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-timers

To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.

Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn’t include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone1.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall1.

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf page 83

'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes too but 'Implicitly means already uses HTTP.

WildFire logs showing a "malicious" verdict with an "allow" action indicate that the initial traffic wasn’t blocked in real-time, likely because the Antivirus profile isn’t configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to "block" on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire’s real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn’t control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

Set the Action to take when matching a packet:

Forward—Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)—Select the virtual system to which to forward the packet.

Discard—Drops the packet.

No PBF—Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

When a firewall’s local configuration overrides a Panorama template, Panorama detects this discrepancy and marks the template as out of sync (Option A) in the UI (e.g., under Templates > Device status). This alerts administrators to resolve the conflict.

Option B (only Panorama reverts) is false; local commits can revert. Option C (not visible) is incorrect; sync status is visible. Option D (update template) doesn’t occur automatically. Documentation explains this sync behavior.

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-the-rule-hierarchy#idfb9e2593-a7f1-4e0d-aab5-a2903d654c99 https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies#id671977ca-1041-4605-8a80-fbc10f3f5d7b

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama12. References: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)

To override a device and network setting applied by a template, you can either configure the setting locally on the firewall or override the setting on the template stack. Configuring the setting locally on the firewall will copy the setting to the local configuration of the device and will no longer be controlled by the template. Overriding the setting on the template stack will apply the setting to all the firewalls that are assigned to the template stack, unless the setting is also overridden locally on a firewall. Changing the setting on the global template will affect all the firewalls that inherit the setting from the template, which is not desirable in this scenario. Configuring a service route for DNS on a different interface will not change the DNS server address, but only the interface that the firewall uses to reach the DNS server. References:

Override a Template Setting

How to override panorama pushed template configuration on the local firewall

Overriding Panorama Template settings

Based on PAN-OS 11.0 documentation, the forwarding configuration for specific log types in Device > Log Settings involves selecting log types for system-level logs, which include HIP Match and Configuration logs.

Explanation for Each Option

A. Threat

Threat logs record detected security threats such as malware, viruses, and vulnerabilities.

Forwarding of Threat logs is not configured in Device > Log Settings. Instead, Threat logs are forwarded using Log Forwarding Profiles applied to Security Policies.

Verdict: Incorrect.

B. HIP Match

HIP Match logs capture information about endpoint compliance reported by GlobalProtect clients.

These logs can be configured for forwarding in Device > Log Settings for monitoring and compliance purposes.

Verdict: Correct.

C. Traffic

Traffic logs provide details about allowed or denied network traffic.

Forwarding of Traffic logs is configured using Log Forwarding Profiles applied to Security Policies, not in Device > Log Settings.

Verdict: Incorrect.

D. Configuration

Configuration logs track administrative changes to the firewall, such as updates to policies, settings, and objects.

These logs can be forwarded from Device > Log Settings for auditing purposes.

Verdict: Correct.

Correct Answer

B. HIP Match

D. Configuration

Key Points from PAN-OS 11.0 Documentation

Device > Log Settings is specifically for system-related logs like HIP Match and Configuration.

Logs like Threat and Traffic are handled through Log Forwarding Profiles applied to Security or NAT policies.

Documentation Reference

For further details, refer to the official Palo Alto Networks PAN-OS 11.0 Admin Guide under Device > Log Settings. This section outlines which log types can be forwarded from this menu.