When a Palo Alto Networks firewall encounters a TLS session using an unsupported cipher suite or protocol version, and the Decryption Profile is configured to allow it, the firewall cannot decrypt the traffic. To maintain performance and avoid repeatedly attempting to decrypt sessions that are known to be undecryptable, the firewall bypasses decryption for the current session. It then adds the server's IP address and the Server Name Indication (SNI) to the SSL decryption exclusion cache. This ensures subsequent connections to the same server are not subjected to decryption attempts for a default period of 12 hours.

A: The firewall is designed to prevent protocol downgrade attacks, not to perform them as a function of its operation.

B: The firewall cannot continue decryption because the mode is unsupported. It allows the encrypted traffic to pass, but the decryption process is aborted for that session.

C: This is incorrect because the Decryption Profile is explicitly configured to allow unsupported modes, not block them. Blocking would be the action if the profile were set to "Block."

1. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0: In the section on Decryption Profiles

the behavior for unsupported parameters is detailed. For "Unsupported Cipher Suites

" it states: "If you select Decrypt

the firewall allows the connection but does not decrypt it. To prevent the firewall from attempting to decrypt future connections to the same site

it adds the site to the SSL decryption exclusion cache."

Source: Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide 11.0. "Objects > Decryption Profile > SSL Forward Proxy Tab".

2. Palo Alto Networks TechDocs - Troubleshoot SSL Decryption: This document explains the mechanisms for handling decryption failures. It clarifies that when a session cannot be decrypted due to an unsupported cipher and the policy allows it

the server is added to an exclusion cache to prevent future decryption attempts.

Source: Palo Alto Networks. (n.d.). Troubleshoot SSL Decryption. "SSL Decryption Not Working as Expected". Retrieved from the official Palo Alto Networks TechDocs portal.

3. Palo Alto Networks TechDocs - SSL Decryption for Advanced Users: This resource details the internal workings

including the exclusion cache. It confirms that servers using unsupported ciphers are added to this cache to optimize performance by bypassing future decryption attempts.

Source: Palo Alto Networks. (n.d.). SSL Decryption for Advanced Users - LIVEcommunity. "SSL Decryption Failure Handling".

The image displays the "Server Monitoring" panel on a Palo Alto Networks firewall. This interface is used to check the status of the integrated User-ID agent's connections to various servers for collecting user-to-IP address mappings. The single entry shows a Host named lab-client, which is identified by Type as a Domain Controller. The Status is Connected, confirming that the firewall's User-ID agent has successfully established a connection to the domain controller named lab-client to monitor its security event logs.

B. The host lab-client has been found by a domain controller. This is incorrect. The panel shows the firewall's User-ID agent monitoring the server; lab-client is the domain controller being monitored, not a host found by it.

C. The host lab-client has been found by the User-ID agent. This statement is too general. Option A is more precise by specifying that lab-client is a Domain Controller, a key detail shown in the Type column.

D. The User-ID agent is connected to the firewall labeled lab-client. This is factually wrong. The Type column explicitly identifies lab-client as a Domain Controller, not a firewall.

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2: In the chapter "User-ID

" the section "Configure the Integrated User-ID Agent to Monitor a Server" describes this functionality. The guide explains that the Server Monitoring table (Device > User Identification) shows the connection status between the firewall and the monitored servers

such as Domain Controllers. The Status column indicates if the connection is successful (Connected).

2. Palo Alto Networks PAN-OS® Administrator's Guide 11.0: The section "Monitor User-ID" states

"To verify that the firewall is successfully connecting to the servers you configured for monitoring

select Device > User Identification and

in the Server Monitoring section

view the Status for each server." This directly corresponds to the graphic

confirming it shows the firewall's connection status to a monitored server.

3. Palo Alto Networks

"User-ID™ Technology Overview" White Paper: This document explains that the firewall can be configured to directly monitor the security event logs of a Microsoft Domain Controller to map users to IP addresses. The Server Monitoring panel is the tool used to verify this connection.

According to Palo Alto Networks GlobalProtect documentation, split-tunnel exclusions can be defined by (1) destination domain names, (2) identified HTTP/HTTPS video-streaming applications, and (3) the local client application process name or executable. These methods allow traffic that matches any of those criteria to bypass the VPN tunnel while all other traffic remains in the secure tunnel. No mechanism exists to base split-tunneling on user/group, generic URL categories, or “source domain”.

A. Destination user/group – Split-tunneling decisions are not user- or group-aware; they are packet attribute–based.

B. URL Category – Only the special “video-streaming” category is supported, not arbitrary URL categories.

E. Source Domain – Decisions use destination domain (FQDN) the client contacts, not any “source” domain concept.

1. Palo Alto Networks

PAN-OS 10.2 GlobalProtect Administrator’s Guide

“About GlobalProtect Split Tunneling

” Table 1: Split-Tunnel Traffic Match Criteria (destination domain

video-streaming apps

client app process).

2. Palo Alto Networks

PAN-OS 10.2 GlobalProtect Administrator’s Guide

“Configure Split Tunnel Based on Domains

Applications

and HTTP/HTTPS Video Streaming

” Steps 2–4 (pp. 438-441).

3. Palo Alto Networks TechDocs

“Split Tunnel for GlobalProtect VPN” (doc ID GP-ST-10.2)

sections “Exclude by Destination Domain”

“Exclude Video Streaming Traffic”

“Exclude by Client Application”.

To enable communication between virtual systems (vsys) that use separate virtual routers (VRs), three key configurations are required, in addition to security policies. First, the virtual systems must be configured to be "visible" to each other, which is a prerequisite for any inter-vsys interaction. Second, an "external" zone must be created in the source vsys, and the interface belonging to the destination vsys must be added to it. This logically connects the two systems. Third, a static route must be configured in the source VR with a next-hop type of next-vr, specifying the destination VR to which the traffic should be forwarded.

B: While the zones will be Layer 3, the specific type required for inter-vsys communication is an "external" zone. This option is not precise enough.

C: A next-hop of "none" is used for discard routes or for traffic destined for a directly connected network, not for routing between virtual routers.

1. Palo Alto Networks Documentation (PAN-OS® Administrator's Guide 10.2): The section "Configure Inter-VSYS Routing" outlines the precise steps.

Step 1: Make Virtual Systems Visible to One Another: "Before you can route traffic between virtual systems

you must make them visible to one another." This supports option E.

Step 2: Configure an External Zone and Add an Interface: "Create a zone of the type External... An external zone allows you to route traffic between virtual systems." This supports option A.

Step 3: Configure a Static Route with a Next Hop of next-vr: "Create a static route to forward traffic from the source virtual router... to the destination virtual router... For Next Hop

select next-vr and select the destination virtual router." This supports option D.

Source: Palo Alto Networks

"PAN-OS® Administrator's Guide 10.2

" Chapter: Virtual Systems

Section: Configure Inter-VSYS Routing.

2. Palo Alto Networks Documentation (PAN-OS® New Features Guide 8.1): The introduction of the next-vr option is detailed here

reinforcing its specific purpose.

"You can now configure a static route to direct traffic between two virtual routers (VRs) on the same firewall... To support this inter-VR routing

a new next hop type

next-vr

is available for IPv4 and IPv6 static routes." This directly validates the specific mechanism in option D.

Source: Palo Alto Networks

"PAN-OS® New Features Guide 8.1

" Chapter: Networking Features

Section: Static Route Next Hop for Inter-VR Routing.

The issue arises because the firewall does not trust the certificate authority (CA) that signed the certificate for https://www.very-important-website.com. Consequently, during SSL Forward Proxy, the firewall uses its configured "Forward Untrust Certificate" (Untrusted-CA) to re-sign the certificate, which the end-user's browser does not trust.

To resolve this, the firewall's trust store must be updated to recognize the website's CA (Well-Known-Root-CA) as trusted. By importing the root and intermediate CAs into the firewall and marking the root as a "Trusted Root CA," the firewall will correctly validate the website's certificate. It will then use its "Forward Trust Certificate" for re-signing, which clients are expected to trust, thus eliminating the warning for this specific site while still flagging genuinely untrusted sites.

A: The end-user systems already trust the Well-Known-Root-CA chain, as stated in the question. The problem is their lack of trust in the firewall's re-signing certificate (Untrusted-CA).

B: Clearing the "Forward Untrust Certificate" option in the decryption profile would cause the firewall to block, not just warn, users trying to access sites with untrusted certificates, failing to meet the requirement for the important website.

D: Device Certificates is the incorrect location. This area is for certificates that identify the firewall itself, not for the certificate authority trust store used to validate external servers.

1. Palo Alto Networks Documentation - Configure SSL Forward Proxy: "For the firewall to be able to decrypt and inspect the SSL/TLS traffic

you must set up a Forward Trust certificate and a Forward Untrust certificate... If the server certificate is signed by a CA that the firewall trusts

the firewall re-signs the server certificate with the Forward Trust certificate... If the server certificate is signed by a CA that the firewall does not trust

the firewall re-signs it with the Forward Untrust certificate." This explains the mechanism causing the issue.

2. Palo Alto Networks Documentation - Certificate Management: "The firewall uses certificates to secure communication and authenticate entities... To enable the firewall to validate the certificate chains of the servers it communicates with

you must load the CA certificates that sign those server certificates onto the firewall and configure them as trusted CAs." This directly supports the solution in option C. The section on "Import a Certificate" details the process of adding a CA to the trust store.

3. Palo Alto Networks Documentation - Decryption Concepts: "The firewall maintains its own list of trusted CAs... If the CA that signed the server certificate is not on the firewall’s trusted CA list

the firewall considers the server certificate untrusted." This confirms that the root cause is the firewall's trust store

which option C correctly addresses.

PAN-OS 11.0 (Nova) introduced the capability for a firewall to function as a DHCPv6 client with prefix delegation. This feature enables the firewall to request and obtain an IPv6 address and/or an entire IPv6 prefix from an upstream DHCPv6 server, such as one operated by an Internet Service Provider (ISP). The firewall can then use this delegated prefix to assign IPv6 addresses to clients on its internal networks, facilitating dynamic IPv6 address management in enterprise environments.

B. OSPF: OSPFv3, which supports IPv6, has been a feature in PAN-OS for many versions prior to 11.0 and is not a new addition.

C. DHCP Server: The firewall's ability to act as a DHCPv6 server was available in previous PAN-OS versions and is not a new feature in 11.0.

D. IKEv1: IKEv1 is an older VPN protocol. Its support for IPv6 transport is not a new feature introduced in PAN-OS 11.0.

1. Palo Alto Networks Documentation. (2022). PAN-OS® New Features Guide

Release 11.0. "Networking Features" section. The guide explicitly lists "DHCPv6 Client with Prefix Delegation" as a new feature. It states

"The firewall can now act as a DHCPv6 client to request and obtain an IPv6 address and/or an IPv6 prefix from a DHCPv6 server."

2. Palo Alto Networks Documentation. (2022). PAN-OS® Administrator's Guide

Release 11.0. "DHCP Overview" section. This guide details the configuration and functionality

confirming that DHCPv6 Client with Prefix Delegation is a new capability for obtaining prefixes from an ISP.

3. Palo Alto Networks Documentation. (2014). PAN-OS® Administrator's Guide

Release 6.0. "OSPF" section. This older documentation confirms that OSPFv3 for IPv6 was supported long before the PAN-OS 11.0 release

demonstrating it is not a new feature.

Panorama provides a centralized interface for managing dynamic updates across multiple firewalls. The primary deployment actions include: Schedules, which automate the download and installation of updates at specified times; Install, which allows an administrator to manually push a specific content version to managed devices on-demand; and Revert content, which provides a critical rollback mechanism to a previous version if a new update introduces issues. These three functions give administrators comprehensive control over the dynamic update deployment lifecycle, from automated rollouts to manual intervention and remediation.

A. Check dependencies: This is an automated background process that Panorama performs before an installation to ensure compatibility, not a user-selectable deployment option.

C. Verify: Integrity verification is an automatic part of the download process to ensure the file is not corrupt. It is not a manual deployment action.

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: In the section on managing updates from Panorama

the guide details the primary actions available.

Install: "To manually install a content update on a firewall

select Device Deployment > Dynamic Updates

locate the update

and click Install." (Paraphrased from the "Install Content Updates on a Firewall" section).

Schedules: "You can configure a recurring schedule for Panorama to retrieve and install new content updates on managed firewalls." (Referenced in the "Schedule Content Updates for a Firewall" section).

Revert content: "If a content update causes issues...you can revert to a previously installed version... In Panorama

select Device Deployment > Dynamic Updates... and for the device you want to revert

click Revert." (Referenced in the "Revert to a Previous Content Version" section).

2. Palo Alto Networks Panorama™ Administrator’s Guide 10.2: The "Deploy Updates to Firewalls and Log Collectors" section explicitly describes the workflow and options. It states

"From Panorama

you can deploy software and content updates to managed firewalls... You can install updates on-demand or create schedules for recurring updates." This section also details the "Revert" capability for content updates as a management action.

The purpose of the SSL Forward Untrust certificate is to handle sessions where the original server certificate is invalid or untrusted (e.g., expired, self-signed, wrong hostname). To ensure the end-user is alerted to this potential security risk, the firewall must present a certificate that the user's browser will not trust. A self-signed certificate generated on the firewall is inherently untrusted by client browsers unless it has been explicitly installed in their trust stores. Using this self-signed certificate for the Forward Untrust role correctly triggers a browser security warning, propagating the original trust issue to the user as required.

A. A web server certificate signed by the organization's PKI: This would be trusted by internal clients, thus hiding the certificate warning from the user, which is contrary to the goal.

C. A subordinate Certificate Authority certificate signed by the organization's PKI: This is the best practice for the SSL Forward Trust certificate, not the Forward Untrust certificate. It is designed to be trusted.

D. A web server certificate signed by an external Certificate Authority: This would be trusted by all standard browsers, which would prevent the user from receiving the necessary warning about the untrusted site.

1. Palo Alto Networks Administrator's Guide - PAN-OS 10.2

"Configure SSL Forward Proxy": "For sites with untrusted certificates

the firewall uses the Forward Untrust Certificate to present to the client so that the user sees a block page. If you do not configure a Forward Untrust certificate

the firewall uses a self-signed certificate by default." This confirms that a self-signed certificate is the standard and default mechanism for this function.

2. Palo Alto Networks Administrator's Guide - PAN-OS 10.2

"Decrypt a Server Session with an Untrusted Certificate": "When the firewall detects an untrusted server certificate

it presents a copy of the Forward Untrust Certificate to the client to block the session and inform the user that the site is untrusted." This directly states the function is to inform the user of the untrusted status.

3. Palo Alto Networks Administrator's Guide - PAN-OS 10.2

"Certificates": This section describes a self-signed certificate as one that is signed by its own private key and not by a trusted CA. This inherent lack of external validation is why it serves the "untrust" function perfectly in this scenario.

For installing the Windows-based User-ID agent, the best practice is to use a dedicated service account. This approach adheres to the principle of least privilege, where the account is granted only the minimum permissions necessary to perform its functions—specifically, the ability to read security event logs from domain controllers and/or probe client systems via WMI. Using highly privileged accounts like Domain or Enterprise Administrator is strongly discouraged as it introduces unnecessary security risks. The dedicated account's scope of access is limited, minimizing the potential impact if the account credentials were to be compromised.

B. System Account: This is a local account and lacks the required network permissions to read event logs from remote domain controllers, which is a primary function of the User-ID agent.

C. Domain Administrator: This account has excessive privileges. Using it for a service violates the principle of least privilege and creates a significant security vulnerability.

D. Enterprise Administrator: This is the most privileged account in an AD forest. Using it for the User-ID agent is a severe security risk and is not required.

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Configure a Service Account for the User-ID Agent". The documentation states

"For the User-ID agent to access the security logs on your domain controllers... you must configure a service account with the proper permissions." It then details the specific

limited permissions required

reinforcing the need for a dedicated

non-admin account.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Install the Windows-Based User-ID Agent". In Step 4 of the installation procedure

it prompts for the username and password for the service

stating

"Enter the Username and Password for the service account that the User-ID agent will use to access servers." This implies a specific

pre-configured account.

Asymmetric routing causes the firewall to see only one direction of a traffic flow. This results in the firewall dropping packets for two main reasons: the initial packet it sees may not be a TCP SYN, and subsequent packets will not match an existing session.

To permanently allow this traffic, two actions can be taken:

1. Configure a Zone Protection Profile to apply to the affected zone(s). In this profile, setting Asymmetric Path to Bypass and Reject Non-syn-TCP to No instructs the firewall to permit asymmetrically routed traffic for that specific zone (Option A).

2. Globally disable the setting that rejects TCP sessions not initiated with a SYN packet. This is done using the configuration mode CLI command set deviceconfig setting session tcp-reject-non-syn no and then committing the change (Option D).

B: The > prompt indicates an operational mode command. This change is temporary and will not persist after a firewall reboot, failing the "permanently" requirement.

C: Setting the options to "Global" in a Zone Protection Profile instructs the firewall to use the system-wide default setting, which is to drop this traffic. This does not change the behavior to allow it.

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Configure Zone Protection for Packet-Based Attack Protection": This section details the settings within a Zone Protection Profile. It states for "Reject Non-SYN TCP

" you can select "no to disable this protection." For "Asymmetric Path

" it states

"Select bypass to allow asymmetric routing." This validates the settings described in option A.

2. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Session Settings": This document describes the global session settings. It confirms that tcp-reject-non-syn is a global setting that is enabled by default to protect against TCP session spoofing attacks. Disabling it is a common solution for asymmetric routing issues.

3. Palo Alto Networks CLI Reference Guide

"set deviceconfig setting session": This guide confirms that set deviceconfig setting session tcp-reject-non-syn no is the correct command syntax for permanently modifying the firewall's global session configuration. The # prompt signifies configuration mode

where changes can be committed and made permanent.