NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Question and Answers

Basic Concept: Certificate profiles define trust and revocation validation for certificate-based authentication. OCSP checking is enabled there for the CAs used by the profile.

Why D is Correct: Certificate profile is correct because it controls trusted CAs, username mapping, and OCSP/CRL revocation behavior for client certificate authentication.

Why A is Wrong: Authentication sequence is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: Decryption profile is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: SSL/TLS service profile is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: For active/passive HA upgrades, the safest method is to upgrade the passive firewall first, fail over to it, then upgrade the remaining peer. This preserves forwarding during most of the process.

Why C is Correct: The selected sequence keeps one firewall forwarding traffic at all times and avoids simultaneous reboots.

Why A is Wrong: From Panorama, create a scheduled software update job targeting both firewalls in the HA pair to run at the same time, then rely on the HA election process to manage the failover automatically. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why B is Wrong: Upgrade the passive firewall first while it is still in the passive state. Once it reboots and is operational, suspend the active firewall to fail over to the newly upgraded device. Then, upgrade the remaining firewall. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Disable HA synchronization on the active firewall, upgrade the passive firewall, and then re-enable synchronization. Once synchronized, repeat the process on the other firewall. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: SSL/TLS service profiles secure firewall-hosted TLS services by binding certificates and protocol settings.

Why A and B are Correct: Authentication Portal and GlobalProtect Portal are services that present TLS certificates and use SSL/TLS service profiles.

Why C is Wrong: LDAP server profiles is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Prisma Access service connections is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: OCSP and CRL both check certificate revocation, but OCSP performs on-demand status checks instead of downloading full revocation lists.

Why B is Correct: OCSP is more scalable for large deployments because it returns real-time status for a certificate with lower memory and download overhead.

Why A is Wrong: OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: OCSP is an older, more widely supported protocol than CRLs. ensuring compatibility with all client devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: Packet-Based Attack Protection in a Zone Protection profile handles malformed packet attacks such as non-SYN TCP floods and ICMP fragments, while flood and reconnaissance sections handle rate and scan behavior.

Why D is Correct: Packet-Based Attack Protection is correct because the examples are packet-structure/evasion issues, not application protocol decoding or discovery scans.

Why A is Wrong: Protocol Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Why B is Wrong: Flood Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Why C is Wrong: Reconnaissance Protection is a Zone Protection category, but it protects a different attack family than the packet-level or flood/reconnaissance behavior described.

Basic Concept: CN-Series is Palo Alto Networks' containerized NGFW form factor for Kubernetes. It secures east-west traffic between pods, namespaces, and microservices using Panorama-managed policy.

Why D is Correct: CN-Series firewalls are correct because they are built for Kubernetes insertion, unlike Panorama RBAC or automation modules, which manage or deploy but do not inspect microservice traffic.

Why A is Wrong: Service graph is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Ansible automation modules is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Panorama role-based access control (RBAC) is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: GlobalProtect split tunneling can separately control network routes and DNS resolution. Split DNS decides whether queries for specific domains use VPN-assigned DNS servers or local DNS.

Why D is Correct: The Both Network Traffic and DNS option allows selected domains to resolve through corporate DNS while other domains use the endpoint's local resolver.

Why A is Wrong: It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why B is Wrong: It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Explicit proxy makes the firewall the web proxy endpoint; users configure browsers to send web requests to the firewall, and the firewall creates the upstream server connection.

Why B is Correct: Explicit proxy is correct because it meets the requirement that the firewall, not the workstation, establishes outbound web sessions and enforces authentication.

Why A is Wrong: Transparent proxy is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: GlobalProtect with User-ID is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Decryption policy with Authentication Portal is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Content update thresholds protect mission-critical environments from immediately installing faulty content packages. Higher thresholds favor stability.

Why B is Correct: Increasing to 48 hours aligns with mission-critical best practice by delaying installation long enough for widespread update issues to surface.

Why A is Wrong: Change to "download only" and schedule manual installation. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Decrease to 12 hours. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Reset to reconfirm 24 hours. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: A Forward Trust certificate used for SSL Forward Proxy must be trusted by endpoints. Otherwise users see certificate trust warnings for decrypted sites.

Why D is Correct: Installing the public CA certificate into client trust stores is the required next step because the firewall signs substitute server certificates during forward proxy decryption.

Why A is Wrong: Set the forward trust certificate as the SSL/TLS Service profile for the management interface. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: Create a Security policy rule that allows traffic from the certificate of the firewall to all the zones. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: Import the private key of the forward trust certificate onto the domain controller. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: In active/passive HA, LACP delays can occur if the passive peer did not negotiate before becoming active. PAN-OS can keep LACP active in passive state.

Why C is Correct: Enable in HA passive state allows pre-negotiation and minimizes LACP convergence delay during failover.

Why A is Wrong: Enable LACP fast failover. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why B is Wrong: Set LACP mode to passive. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Set HA link monitoring to aggressive. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: Explicit proxy forces browsers to connect to the firewall as the proxy, and Kerberos provides transparent SSO against Active Directory. This meets environments where users must not connect directly to websites.

Why D is Correct: Explicit proxy with Kerberos is correct because the firewall establishes the server-side connection while authenticating users with AD credentials in a seamless way.

Why A is Wrong: Deploy the transparent proxy with Web Cache Communications Protocol (WCCP). is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Deploy the Next-Generation Firewalls as normal and install the User-ID agent. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Deploy the Advanced URL Filtering license and captive portal. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: GCP multi-zone firewall resilience is achieved through managed instance groups or instance groups across zones behind a load balancer.

Why C is Correct: A multi-zone instance group of VM-Series firewalls behind a GCP Internal Load Balancer maintains service when one zone fails.

Why A is Wrong: Ansible playbook that monitors the health of the primary firewall and launches a new one in a different zone when a failure is detected is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why B is Wrong: Single, large VM-Series firewall in one zone that is configured for live migration to another zone upon failure is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why D is Wrong: PAN-OS active/active high availability (HA) cluster configured with dedicated HA interfaces in a shared VPC is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Basic Concept: Active/passive HA upgrades minimize downtime by upgrading one peer at a time and intentionally failing traffic to the peer that is ready to forward.

Why A is Correct: Suspending the active firewall forces failover, allowing the suspended/passive unit to be upgraded and validated before traffic is moved back and the second unit is upgraded.

Why B is Wrong: Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why C is Wrong: Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: Policy-based VPN peers require each encryption domain pair to be represented in Proxy ID selectors. Adding a subnet requires adding the matching selector.

Why C is Correct: The most likely cause is that the new local/remote subnet pair is missing from Proxy ID configuration even though route and Security policy are correct.

Why A is Wrong: A static route may be needed for route-based VPN reachability, but the scenario says routing is correct and only the newly added subnet pair fails.

Why B is Wrong: Moving the Security policy would matter if the traffic were matching the wrong rule, but the scenario states that Security policy is already correct.

Why D is Wrong: MTU problems usually affect packet size and fragmentation behavior, not only a newly added policy-based VPN subnet selector.

Basic Concept: Group-based policy requires group mapping, and group mapping requires a directory connection. LDAP Server profiles establish that directory connection.

Why A is Correct: Creating an LDAP server profile first lets PAN-OS query Active Directory for group membership used in Security policy.

Why B is Wrong: User-ID agent service account is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Authentication sequence is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Kerberos server profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Service routes can move firewall-originated Palo Alto Networks service traffic from the management port to a data-plane interface when the management network lacks Internet access.

Why C is Correct: Palo Alto Networks Services must be rerouted so the firewall can reach update and support services through the data-plane path.

Why A is Wrong: External dynamic lists are downloaded objects that can be used in policy. They are not the Palo Alto Networks update service used for threat prevention and software downloads.

Why B is Wrong: GlobalProtect Clientless VPN provides browser-based access to internal applications. It is unrelated to downloading PAN-OS software or content updates.

Why D is Wrong: Syslog is used to forward logs to external collectors. Rerouting syslog would not allow the firewall to reach Palo Alto Networks update services.

Basic Concept: CN-Series is deployed natively into Kubernetes clusters and managed by Panorama to enforce consistent policy across container environments.

Why C is Correct: Using Kubernetes tools such as Helm to deploy CN-Series in each cluster and managing all instances through Panorama satisfies east-west inspection, scaling, and policy consistency.

Why A is Wrong: Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why B is Wrong: Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why D is Wrong: Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Basic Concept: Policy-based third-party VPN gateways require matching traffic selectors. PAN-OS represents those selectors as Proxy IDs under the IPSec tunnel configuration.

Why A is Correct: Defining local and remote subnets in Proxy ID settings aligns PAN-OS with the Check Point encryption domain and resolves Phase 2 failures.

Why B is Wrong: Create individual Security policies for each pair of local and remote subnets. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: Assign a specific IP address to the tunnel interface to match the Check Point gateway. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: Enable Dead Peer Detection (DPD) in the IKE Gateway configuration. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Enabling Strata Logging Service alone can stop duplicate delivery to on-premises collectors. Duplicate logging is required when both destinations must receive logs.

Why B is Correct: The missed setting is duplicate logging under Device > Setup > Management, which keeps cloud and on-premises log forwarding active together.

Why A is Wrong: The device certificates for the Panorama log collectors were not renewed after enabling the cloud logging connection. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: The Log Forwarding profile was modified to send logs only to the Strata Logging Service and no longer includes the on-premises Panorama log collectors. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: The Panorama log collectors were not defined as primary destinations within the collector group configuration for the managed firewalls. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Inter-VSYS communication requires correct external zones, routes, policies, and visibility. If routing and policies are already correct, visibility is the missing enabling step.

Why C is Correct: Visible Virtual System is the probable cause because PAN-OS must know the peer VSYS is visible before the external-zone handoff can work.

Why A is Wrong: Intrazone-default applies to traffic within the same zone. Inter-VSYS traffic uses external zones and explicit policy, so this is not the likely failure when those policies are already correct.

Why B is Wrong: A tunnel interface is not required for inter-VSYS traffic that remains inside the firewall. The next-vr and external-zone design is the supported model.

Why D is Wrong: External zone type is required, but the scenario already describes traffic to and from external zones with routing and policy correct. The missing element is VSYS visibility.

Basic Concept: VSYS resource quotas can cap specific rule and object capacities. This prevents one virtual system from exhausting shared configuration capacity.

Why B is Correct: Maximum SSL decryption rules is a valid quota-style limit from the listed options.

Why A is Wrong: Percentage of total CPU utilization mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why C is Wrong: Maximum number of virtual routers mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why D is Wrong: Disk space allocation for logs mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Basic Concept: IPSec implementation planning must include Security policy for tunnel establishment and for decrypted data traffic through the tunnel zone.

Why B and D are Correct: A data-policy pair is required for flows through the tunnel zone, and a policy must permit the IPSec container application to the firewall/local endpoint.

Why A is Wrong: The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: A policy must explicitly permit only the IKE application between the external-facing zone and local zone. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Admin Role Profiles implement role-based administrative access on PAN-OS. They define exactly which management operations an administrator may perform.

Why C is Correct: Granular task permissions are correct because Admin Role Profiles limit administrator capabilities rather than enabling MFA or unrestricted access.

Why A is Wrong: Allow access to all resources without restrictions. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Enable multi-factor authentication (MFA) for administrator access. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Restrict access to sensitive report data. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Terraform is a declarative Infrastructure as Code tool used to provision infrastructure consistently. In Palo Alto Networks deployments, it is commonly used to build cloud network components and instantiate VM-Series or Cloud NGFW resources.

Why C is Correct: Terraform is correct because it defines infrastructure state in code and automates repeatable NGFW deployment instead of manually building each firewall and network dependency.

Why A is Wrong: Logging services collect or forward telemetry after deployment. Terraform does not store performance logs; it provisions infrastructure resources.

Why B is Wrong: Real-time traffic inspection is performed by the NGFW data plane, not by Terraform. Terraform only builds or changes infrastructure state.

Why D is Wrong: Threat intelligence synchronization is handled by Palo Alto Networks content services and firewall subscriptions, not Terraform.

Basic Concept: Zone type is the PAN-OS category that matches interface mode. Valid selectable zone types include Layer 2 and Layer 3, among others.

Why A and B are Correct: Layer 3 and Layer 2 are valid zone types; Management and DMZ are not PAN-OS zone types, although DMZ is often used as a zone name.

Why C is Wrong: Management is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: DMZ is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Cloud firewalls in CSP environments achieve zone-level resilience through cloud-native load balancers and health checks, not traditional appliance HA links across zones.

Why C is Correct: Load balancers and health probes keep traffic flowing to healthy firewall instances across availability zones, which is the cloud-native HA pattern.

Why A is Wrong: Deploying Ansible scripts for zone-specific scaling is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why B is Wrong: Implementing Terraform templates for redundancy within one availability zone is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why D is Wrong: Configuring active/active HA is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Basic Concept: DHCP client requires a routed interface that can obtain an IP configuration. Layer 2 interfaces do not function as routed DHCP clients.

Why D is Correct: DHCP client is available on a Layer 3 interface and not on Layer 2 interfaces.

Why A is Wrong: NetFlow profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: LLDP profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: QoS profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Logical routers are available only after Advanced Routing is enabled globally. This is a general setting change on the firewall.

Why D is Correct: Checking advanced routing in General settings is the required first action before logical router objects can be configured.

Why A is Wrong: Changing the virtual router type from "default" to "advanced" is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why B is Wrong: Activating an advanced routing subscription is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Committing a new advanced routing software module is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: The management interface can be configured as a DHCP client from the CLI under deviceconfig system settings. This lets the management port learn its IP information dynamically.

Why C is Correct: The command using deviceconfig system type dhcp-client is correct for setting the management interface to DHCP client mode.

Why A is Wrong: set network dhcp interface management is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: set network dhcp type management-interface is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: set deviceconfig management type dhcp-client is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Inter-VSYS communication that stays inside the firewall requires external zones, routes, policies, and visibility between virtual systems. Missing visibility prevents the handoff even when policies exist.

Why B is Correct: Adding each VSYS to the other's visible virtual systems list is required so the external-zone/next-vr relationship can resolve the peer VSYS.

Why A is Wrong: Create a transit VSYS and route all inter-VSYS traffic through it. mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why C is Wrong: Enable the “allow inter-VSYS traffic” option in both external zone configurations. mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why D is Wrong: Create Security policies to allow the traffic between the two external zones. mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Basic Concept: Strata Logging Service can receive logs from Panorama-managed firewalls while existing on-premises Panorama log collection is retained. Dual forwarding requires duplicate logging rather than replacing the existing destination.

Why C is Correct: Enable Duplicate Logging is correct because it sends copies to both Strata Logging Service and Panorama/on-premises log collectors instead of moving logs only to the cloud.

Why A is Wrong: Changing Log Forwarding profile match lists is not the required global/template step for preserving both cloud and on-premises log destinations.

Why B is Wrong: The named option is not the duplicate logging control required to send a copy of logs to both locations.

Why D is Wrong: Enable Cloud Logging sends logs to Strata Logging Service, but by itself it does not preserve on-premises Panorama log collector delivery.

Basic Concept: HA3 is unique to active/active HA and forwards packets between peers when traffic is asymmetric or a session must be processed by the other firewall.

Why B is Correct: Packet forwarding for session setup and asymmetric traffic is the dedicated HA3 role.

Why A is Wrong: Control plane synchronization for heartbeats and state information is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why C is Wrong: Management plane synchronization for configurations and policies is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Data plane synchronization for session tables and forwarding tables is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: SSL/TLS service profiles bind a certificate and protocol settings to firewall services that present HTTPS/TLS endpoints. GlobalProtect portal and gateway are classic examples.

Why C and D are Correct: GlobalProtect Gateways and GlobalProtect Portals use SSL/TLS service profiles to define the server certificate and TLS parameters presented to connecting endpoints.

Why A is Wrong: NAT tables is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: User Authentication is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.