General Exam Tips
1. Read ALL answer options before choosing — Palo Alto scenario questions often have two plausible answers where one is subtly more correct because of a constraint stated in the scenario
2. The passing score is 860/1000, that is 86%. There is no partial credit and no penalty for wrong answers, so never leave a question blank
3. With 75 questions in 90 minutes you have roughly 72 seconds per question once the NDA is accepted. Mark difficult questions and return to them; do not stall on a single question
4. Testlet (scenario-based) questions present a paragraph scenario followed by multiple related questions. Read the scenario carefully and note the specific constraint; the answer often hinges on a single word such as 'cloud-delivered', 'mobile users' or 'branch office'
5. Panorama questions are consistently underestimated. Candidates who skip deep Panorama study consistently miss 3-5 questions in this area alone
6. When a question mentions 'centralized management', think Panorama. When it says 'policy', think device group. When it says 'network config' or 'system settings', think template stack
7. Any question asking why traffic is NOT being inspected despite an allow rule: the answer is almost always 'no security profile attached'
8. On NAT questions, always ask: is this about the security policy (pre-NAT IP) or about the NAT rule itself (also pre-NAT IP for the destination zone lookup)? The rule is: pre-NAT IP, post-NAT zone, everywhere
9. For SASE questions, match the user type to the solution: mobile/remote users = Prisma Access mobile user connections; branch offices = Prisma Access remote network connections; campus/data center = on-premises NGFW
10. Drag-and-drop questions often test processing order. Know the firewall traffic flow sequence: ingress → route lookup → NAT lookup → security policy → Content-ID/decryption → egress
Network Security Fundamentals
Must-Know Facts
- Zero Trust means 'never trust, always verify' — NOT 'block everything.' Trust is earned through continuous verification, not assumed based on network location
- Defense-in-depth requires DIFFERENT control types at each layer — layering the same control type (e.g., two firewalls) is redundancy, not defense-in-depth
- Application-layer inspection (Layer 7) is the core differentiator of NGFW over traditional firewalls. Traditional firewalls inspect up to Layer 4 (ports/protocols) only
- Encrypted traffic CANNOT be inspected by Content-ID without SSL/TLS decryption being enabled — this is a common oversight that leads to blind spots
- Network segmentation limits lateral movement after a breach but does not prevent the initial compromise or authenticate users — these require different controls
- RADIUS is used for network access authentication (captive portal, admin auth). LDAP is used for user directory lookups in User-ID. SAML is used for SSO federation (cloud apps, Prisma Access). Know when each applies
- Microsegmentation extends segmentation to individual workloads/applications, not just network VLANs — relevant for Zero Trust implementation in modern environments
- IPsec operates at Layer 3 (network layer). SSL/TLS operates at Layer 4-7 (transport/application). GlobalProtect can use both IPsec and SSL transport modes
Scenario Tips
When asked which technology prevents lateral movement AFTER an attacker has already compromised one host in a segment...
Microsegmentation (enforced by the NGFW) — it limits what the compromised host can reach even within the same network segment
SSL decryption is wrong here — it provides visibility into encrypted traffic but does not limit lateral movement. Network segmentation at the VLAN level is also wrong because the attacker is already inside the segment
When asked how to inspect traffic inside HTTPS sessions for malware despite traffic being encrypted...
Enable SSL/TLS decryption (forward proxy for outbound traffic). Only after decryption can Content-ID scan the content inside the HTTPS sessions
App-ID alone is wrong — it can identify the application type (web browsing, Salesforce, etc.) but cannot inspect the payload content without decryption. URL Filtering is also wrong — it can block URLs but cannot scan the decrypted payload for embedded malware
NGFW and SASE Solution Functionality
Must-Know Facts
- App-ID is the first technology to run on traffic — it identifies the application BEFORE Content-ID scans content. If App-ID cannot identify the application, it falls back to port-based classification
- Content-ID requires a security profile (Antivirus, Anti-Spyware, Vulnerability Protection) attached to an ALLOW rule. Profiles on DENY rules serve no purpose because traffic is already blocked before Content-ID runs
- User-ID maps IP addresses to usernames. Without an active mapping, user-based policies cannot match — the traffic will either match an any-user rule or be denied
- WildFire sends unknown files to the CLOUD for sandbox analysis by default. A local WildFire appliance (WF-500) is available for sensitive environments that cannot send data externally
- Prisma Access provides SASE: same App-ID/Content-ID/User-ID security capabilities as on-premises NGFW, delivered from the cloud. It is not a web proxy — it provides full NGFW-equivalent inspection
- GlobalProtect portal = authentication hub + configuration delivery to clients. GlobalProtect gateway = actual VPN tunnel endpoint + policy enforcement. They are separate components and can be on different firewalls
- SD-WAN in PAN-OS is integrated into the same management interface as security policies — it is not a separate product. Path quality metrics (latency, jitter, packet loss) trigger automatic path switching
- Single-pass parallel processing: the firewall inspects each packet ONE time through all engines simultaneously (App-ID + Content-ID + threat scanning). This is how high throughput is maintained with full inspection enabled
Scenario Tips
Traffic is allowed by a security rule but no threat logs appear for matched sessions...
No security profile is attached to the allow rule. Add an Antivirus/Anti-Spyware/Vulnerability Protection profile (or a Security Profile Group) to the rule
A common wrong answer is 'WildFire subscription expired' — WildFire generates separate WildFire logs, not threat logs. The absence of threat logs points directly to missing threat prevention profiles
A user can authenticate to GlobalProtect but cannot access internal resources...
The GlobalProtect gateway is misconfigured (tunnel not established) OR the security policy is missing a rule that allows traffic from the GlobalProtect zone to the internal zone. Check gateway configuration first, then policy
User-ID agent is a wrong answer — User-ID maps internal users; GlobalProtect itself passes user identity to the gateway. The portal certificate is wrong — if they can authenticate, the portal is working
Company wants to secure 500 remote workers with the same policy controls as corporate headquarters, without deploying firewalls at each home location...
Prisma Access with mobile user connections — cloud-delivered NGFW security follows the user. GlobalProtect connects users to Prisma Access nodes
Deploying a VM-Series firewall in a cloud region is wrong — that is a fixed-location firewall, not a mobile user solution. GlobalProtect alone is wrong — it needs a gateway (Prisma Access provides that gateway in the cloud)
Platform Solutions, Services, and Tools
Must-Know Facts
- Three Palo Alto Networks product pillars: Strata (network security — NGFW hardware and virtual), Prisma (cloud and SASE security — Prisma Access, Prisma Cloud), Cortex (security operations — XSIAM, XDR, XSOAR). Each pillar contains multiple products
- CDSS services require SEPARATE subscription licenses — they are NOT included with the NGFW purchase. The base NGFW includes App-ID, security policy, and User-ID. Everything under CDSS costs extra
- Advanced URL Filtering (CDSS) differs from standard URL Filtering: it adds real-time inline ML-based phishing and credential theft detection. Standard URL Filtering uses a static database. Questions that ask about blocking zero-day phishing URLs = Advanced URL Filtering
- Advanced Threat Prevention (CDSS) differs from standard Threat Prevention: it adds inline ML-based detection of unknown/zero-day C2 traffic and evasive threats. Standard Threat Prevention uses known signatures only
- Decryption Broker (renamed Network Packet Broker in PAN-OS 10.1+): the firewall decrypts traffic ONCE and shares cleartext with multiple third-party inline tools. The third-party tools never see encrypted traffic and never decrypt anything themselves. Exam questions may use either term — the concept is identical
- Strata Cloud Manager is a cloud-native management tool that complements Panorama. It provides AI-powered best practice recommendations and unified health monitoring. It does NOT replace Panorama — they coexist
- Cortex XSIAM = autonomous SOC platform (SIEM + SOAR + ASM + XDR combined). Cortex XDR = endpoint and network detection and response. Cortex XSOAR = security orchestration, automation, and response (playbooks). Know which is which
- SaaS Security (CDSS): discovers and controls sanctioned vs unsanctioned SaaS apps (shadow IT). Enterprise DLP (CDSS): detects and prevents sensitive data exfiltration across network traffic. DNS Security (CDSS): blocks DNS-layer threats including tunneling and C2
Scenario Tips
Organization needs to detect and block zero-day command-and-control traffic inline without waiting for signature updates...
Advanced Threat Prevention (CDSS). It uses inline machine learning to detect novel C2 patterns that have no existing signatures
Standard Threat Prevention is wrong — it is signature-based and cannot detect zero-day C2 without a signature. WildFire is wrong — WildFire analyzes FILE threats, not network C2 traffic patterns
Company wants to provide a third-party forensics appliance with decrypted copies of all HTTPS traffic for investigation without deploying SSL decryption on the forensics appliance itself...
Decryption Broker (called Network Packet Broker in PAN-OS 10.1+). The NGFW decrypts traffic once and distributes cleartext to the connected forensics appliance via an inline security chain
Decryption Mirror is a similar but different feature — Decryption Mirror sends decrypted traffic to a single passive tap destination (out-of-band, cannot block); Decryption Broker/Network Packet Broker supports active inline tool chaining (in-band, tools can drop traffic)
Which Palo Alto product pillar should you reference when asked about securing cloud workloads in AWS and Azure?
Prisma (specifically Prisma Cloud). Cloud workload security = Prisma pillar. Network security = Strata pillar. Security operations = Cortex pillar
Strata is wrong even though VM-Series firewalls can run in cloud environments — cloud WORKLOAD security (containers, serverless, cloud configs) = Prisma Cloud
NGFW and SASE Solution Maintenance and Configuration
Must-Know Facts
- The single most tested NAT rule: security policies use PRE-NAT IP addresses but POST-NAT zones. This applies to both source NAT and destination NAT. For DNAT: the security rule destination = original public IP (pre-NAT), destination zone = the zone where the internal server lives (post-NAT zone)
- PAN-OS candidate configuration model: ALL changes are made in the candidate config. NOTHING takes effect until a successful commit. A failed commit leaves the running config unchanged and all pending changes in the candidate config for the admin to fix
- Security policy rule processing is TOP-DOWN, FIRST MATCH. The implicit deny at the bottom catches all unmatched traffic. Rule order is critical — a broad allow rule above specific deny rules will override the denies
- Interface types and their use cases: Layer 3 = routed mode (most common), Layer 2 = transparent bridge, Virtual Wire = transparent inline (bump-in-the-wire) deployment, e.g., inline on the ISP link, Tap = passive SPAN monitoring only (cannot block), Tunnel = VPN endpoint
- Threat prevention profile configuration hierarchy: profile → action per severity (default/alert/block/reset). 'Default' action uses the Palo Alto recommended action per signature. 'Strict' overrides ALL signatures to block. Custom lets you set per-severity actions
- GlobalProtect HIP (Host Information Profile) checks evaluate ENDPOINT health: patch level, antivirus installation, disk encryption status, firewall running. HIP does NOT check network connectivity or VPN tunnel health
- Content update installation order: install dynamic content updates (Applications and Threats, Antivirus, WildFire) BEFORE upgrading PAN-OS. This ensures compatibility and reduces the risk of signature gaps during the upgrade
- URL Filtering profile actions: allow (permit), alert (permit + log), block (deny), continue (permit after user clicks through warning), override (permit after entering password). 'Continue' is commonly confused with 'block'
Scenario Tips
When asked to write a security rule to allow external users to access an internal web server at 10.1.1.100, where the server is published via DNAT from public IP 203.0.113.10...
Security rule destination = 203.0.113.10 (pre-NAT public IP). Destination zone = the zone where 10.1.1.100 resides (post-NAT zone, e.g., 'DMZ'). This is the pre-NAT IP, post-NAT zone pattern
Using 10.1.1.100 as the destination IP in the security rule is wrong. The firewall evaluates the security policy BEFORE applying NAT translation, so it sees the original public IP at policy evaluation time
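The DNAT scenario above, together with the top-down/first-match and "allow rule without a profile" facts in this section, as an added worked model. This is example code written for this guide, not Palo Alto Networks code: it assumes a toy routing table that maps an address to its zone, and every IP, zone name and rule name in it is constructed.

```python
"""Toy model of PAN-OS security-policy evaluation for a DNAT-published server.

Added example (not Palo Alto Networks code). It shows the pre-NAT IP /
post-NAT zone pattern, top-down first-match rule evaluation with the
implicit interzone deny, and why an allow rule without a security profile
passes traffic that Content-ID never inspects. All addresses, zone names
and rule names are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    orig_dst: str          # pre-NAT (public) destination IP
    translated_dst: str    # post-NAT (internal) destination IP


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str           # compared against the POST-NAT destination zone
    dst: str               # compared against the PRE-NAT destination IP, or "any"
    action: str            # "allow" or "deny"
    profiles: tuple = ()   # security profiles attached (Content-ID runs only with these)


# Constructed routing table: a route lookup on an address yields its zone.
ROUTES = {
    "203.0.113.0/24": "untrust",
    "10.1.1.0/24": "DMZ",
    "10.2.0.0/16": "trust",
}


def zone_for(ip):
    """Route lookup (longest prefix match); unknown addresses fall to the default route."""
    addr = ip_address(ip)
    matches = [net for net in ROUTES if addr in ip_network(net)]
    if not matches:
        return "untrust"   # constructed default route points at the untrust zone
    return ROUTES[max(matches, key=lambda net: ip_network(net).prefixlen)]


def evaluate(src_ip, dst_ip, nat_rules, sec_rules):
    """Return (matched_rule, action, inspected) for a new session.

    inspected is True only when an allow rule with at least one security
    profile matched; a deny rule or a profile-less allow rule yields False.
    """
    from_zone = zone_for(src_ip)

    # NAT lookup happens first, but its result is used ONLY to find the
    # destination zone; the security policy still sees the original IP.
    post_nat_dst = next((n.translated_dst for n in nat_rules if n.orig_dst == dst_ip), dst_ip)
    to_zone = zone_for(post_nat_dst)

    # Security policy: top-down, first match wins.
    for rule in sec_rules:
        if (rule.from_zone == from_zone and rule.to_zone == to_zone
                and rule.dst in ("any", dst_ip)):
            inspected = rule.action == "allow" and bool(rule.profiles)
            return rule.name, rule.action, inspected

    # Nothing matched: the implicit interzone-default deny applies.
    return "interzone-default", "deny", False


# Constructed sample: 203.0.113.10 is DNAT'd to the DMZ web server 10.1.1.100.
NAT_RULES = [NatRule("203.0.113.10", "10.1.1.100")]
RULE_CORRECT = SecurityRule("web-in", "untrust", "DMZ", "203.0.113.10", "allow",
                            ("antivirus", "anti-spyware", "vulnerability"))
RULE_POST_NAT_IP = SecurityRule("web-in-wrong-ip", "untrust", "DMZ", "10.1.1.100", "allow")
RULE_PRE_NAT_ZONE = SecurityRule("web-in-wrong-zone", "untrust", "untrust", "203.0.113.10", "allow")
RULE_NO_PROFILE = SecurityRule("web-in-no-profile", "untrust", "DMZ", "203.0.113.10", "allow")

if __name__ == "__main__":
    client = "198.51.100.7"
    for rule in (RULE_CORRECT, RULE_POST_NAT_IP, RULE_PRE_NAT_ZONE, RULE_NO_PROFILE):
        print(rule.name, "->", evaluate(client, "203.0.113.10", NAT_RULES, [rule]))
```

Only `RULE_CORRECT` both matches and gets inspected: the rule written with the post-NAT IP and the rule written with the pre-NAT zone both fall through to the implicit deny, and the profile-less allow rule passes the session without Content-ID ever seeing it, which is exactly the "allowed but no threat logs" symptom.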
Administrator makes 20 configuration changes over two hours, then commits. The commit fails because one rule references an undefined address object. What happens to the other 19 changes?
All 19 valid changes remain in the candidate configuration unchanged. Nothing is applied to the running configuration. The admin must fix the undefined address object reference and recommit
The wrong answer is 'the 19 valid changes are applied and the invalid rule is rejected.' PAN-OS commits are atomic — nothing is ever partially applied
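The candidate/running model from the scenario above, as an added illustration written for this guide (not PAN-OS code). It assumes that the only validation performed at commit time is "every rule references a defined address object"; object names, rule names and addresses are constructed.

```python
"""Toy model of the PAN-OS candidate/running configuration and atomic commit.

Added example, not PAN-OS code. Every edit lands in the candidate config;
commit validates the whole candidate and either replaces the running config
entirely or changes nothing and leaves all pending edits in place.
Address object and rule names are constructed.
"""
import copy


class CommitError(Exception):
    """Raised when validation fails; nothing is applied."""


class Config:
    def __init__(self):
        self.running = {"addresses": {}, "rules": []}
        self.candidate = copy.deepcopy(self.running)

    # All edits touch the candidate only.
    def add_address(self, name, value):
        self.candidate["addresses"][name] = value

    def add_rule(self, name, dst_object, action="allow"):
        self.candidate["rules"].append({"name": name, "dst": dst_object, "action": action})

    def validate(self):
        """Return a list of errors; a rule may only reference defined address objects."""
        errors = []
        for rule in self.candidate["rules"]:
            if rule["dst"] != "any" and rule["dst"] not in self.candidate["addresses"]:
                errors.append(
                    f"rule '{rule['name']}' references undefined address object '{rule['dst']}'")
        return errors

    def commit(self):
        """Atomic: on any error the running config is untouched and the
        candidate keeps every pending change for the admin to fix."""
        errors = self.validate()
        if errors:
            raise CommitError("; ".join(errors))
        self.running = copy.deepcopy(self.candidate)
        return len(self.running["rules"])

    def pending_changes(self):
        return self.candidate != self.running


def demo():
    """Nineteen valid address objects plus one rule with a dangling reference."""
    cfg = Config()
    for i in range(19):
        cfg.add_address(f"srv-{i}", f"10.0.0.{i + 1}")
    cfg.add_rule("bad-rule", "srv-undefined")
    try:
        cfg.commit()
    except CommitError:
        pass
    state_after_failure = (len(cfg.running["addresses"]),
                           len(cfg.candidate["addresses"]),
                           cfg.pending_changes())
    # Fix the reference and recommit: now everything is applied at once.
    cfg.add_address("srv-undefined", "10.0.0.99")
    cfg.commit()
    return state_after_failure + (len(cfg.running["addresses"]),)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(0, 19, True, 20)`: after the failed commit the running config holds nothing, the candidate still holds all 19 valid objects, changes are pending, and the recommit applies all 20 objects together.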
A security administrator wants users to see a warning when visiting social media sites during work hours, but still be allowed to proceed if needed...
URL Filtering profile with action 'continue' for the social-media category. This presents a warning page the user must acknowledge before the site loads
'Alert' is wrong — alert permits access AND logs it silently without showing the user any warning. 'Block' is wrong — that prevents access entirely. 'Continue' is the specific action that requires user acknowledgment
GlobalProtect HIP check fails for a remote user and they are placed in a restricted access role. The user says their antivirus IS installed. What should the administrator check?
Verify the HIP profile criteria matches the actual antivirus product the user has installed. The HIP check may be looking for a specific vendor or version that does not match the installed product. Also check if the GlobalProtect agent version supports the HIP check criteria
Checking the VPN tunnel status is wrong — HIP failure and tunnel establishment are separate. The tunnel can be up while HIP fails and places the user in a restricted role
Infrastructure Management and CDSS
Must-Know Facts
- Panorama's core distinction: Device Groups push POLICIES (security rules, NAT rules, objects, profiles). Template Stacks push CONFIGURATIONS (interfaces, zones, routing, DNS, NTP, syslog settings). A firewall needs BOTH assigned to receive a complete managed configuration
- Template stack priority: when multiple templates in a stack define the same setting, the HIGHEST PRIORITY template wins. The most specific template (e.g., site-specific) should be at the top of the stack with the highest priority
- Certain settings can ONLY be configured locally on the managed firewall and cannot be pushed from Panorama templates: HA IP addresses for the HA1/HA2 interfaces, master key configuration, and interface-level management settings
- Panorama operating modes: Panorama mode (management + log collection on same appliance) vs Management Only mode (management without log collection — requires separate log collector appliances). Log Collectors must be added to Collector Groups
- High availability failover triggers: link failure (physical interface down), path failure (monitored remote IP unreachable), or HA heartbeat timeout. Preemption is DISABLED by default — the higher-priority firewall does NOT automatically take back active role after recovery unless preemption is explicitly enabled
- HA links: HA1 = control plane sync (heartbeats, config sync, routing updates). HA2 = data plane sync (session table, ARP table, IPsec SAs). HA3 = used ONLY in Active/Active for packet forwarding between peers
- Active/Active HA requires a floating IP address (Virtual MAC address) so that upstream devices can continue forwarding traffic to the same IP after a failover. Active/Passive only needs one active IP at a time
- CDSS services activated through Panorama apply to all firewalls in the relevant device group — you do not need to activate them individually on each firewall
Scenario Tips
You manage 200 firewalls where all firewalls need the same security policies but different DNS servers and NTP servers based on region...
One shared device group for the common security policies. Multiple region-specific template stacks for the different DNS/NTP system settings. This is the canonical Panorama design question
Multiple device groups per region is wrong — that duplicates identical security policies unnecessarily. One template for everything is wrong — you cannot have one template with different DNS values for different regions without override complexity
Firewall-A (priority 10, lower = higher priority) was the active firewall and failed. Firewall-B (priority 100) took over. Firewall-A recovers. What is the active firewall now?
Firewall-B remains active. Preemption is disabled by default — the higher-priority firewall (A) does NOT automatically reclaim the active role. Firewall-A will be passive until an admin manually initiates failover or preemption is enabled
Firewall-A automatically becoming active is wrong unless preemption is explicitly enabled in the HA configuration
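The failover scenario above, as an added state-machine model written for this guide (not PAN-OS code). It follows the PAN-OS convention that a lower device priority number means higher priority, starts with preemption disabled, and treats a link/path failure or heartbeat loss as a single `fail()` event; device names and priorities are constructed.

```python
"""Toy state machine for an Active/Passive HA pair with the preemption flag.

Added example, not PAN-OS code. A LOWER priority number means HIGHER
priority, preemption defaults to disabled, and a recovered peer only takes
the active role back when preemption is enabled and it holds the better
priority. Peer names and priorities are constructed.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    priority: int          # lower number = higher priority
    healthy: bool = True


class HaPair:
    def __init__(self, a, b, preemptive=False):
        self.peers = {a.name: a, b.name: b}
        self.preemptive = preemptive
        # Initial election: the highest-priority healthy peer becomes active.
        self.active = min(self.peers.values(), key=lambda p: p.priority).name

    def _passive(self):
        return next(n for n in self.peers if n != self.active)

    def fail(self, name):
        """Link failure, path-monitor failure or heartbeat loss on `name`.
        Failover happens only if the active peer failed and the passive is healthy."""
        self.peers[name].healthy = False
        if self.active == name and self.peers[self._passive()].healthy:
            self.active = self._passive()
        return self.active

    def recover(self, name):
        """Recovered peer reclaims the active role ONLY with preemption enabled
        and a better (lower) priority than the current active peer."""
        peer = self.peers[name]
        peer.healthy = True
        if self.preemptive and peer.priority < self.peers[self.active].priority:
            self.active = name
        return self.active

    def manual_failover(self):
        """Admin-initiated: suspend the active peer so the passive one takes over."""
        if self.peers[self._passive()].healthy:
            self.active = self._passive()
        return self.active


if __name__ == "__main__":
    pair = HaPair(Peer("Firewall-A", 10), Peer("Firewall-B", 100))
    print("initial:", pair.active)
    print("A fails:", pair.fail("Firewall-A"))
    print("A recovers (no preemption):", pair.recover("Firewall-A"))
    print("manual failover:", pair.manual_failover())
```

With the default `preemptive=False`, Firewall-B stays active after Firewall-A recovers and only a manual failover returns the role; constructing the pair with `preemptive=True` makes `recover("Firewall-A")` hand the active role straight back.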
You push an updated template from Panorama that changes DNS server settings, but one firewall in the region still uses the old DNS servers...
The firewall likely has a local override for the DNS setting. Local overrides on managed firewalls take precedence over Panorama template pushes for that specific setting. Check for local overrides and remove them if Panorama should own that setting
It is wrong to assume the commit failed — if other firewalls received the update, the push likely succeeded. The issue is a local override on that specific device
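The template-stack priority fact and the stale-DNS scenario above, as an added resolver written for this guide (not Panorama's own merge logic). It assumes the stack is listed highest priority first, that a local override on the firewall beats any template value for that one setting, and that removing the override is the fix; template names, setting keys and addresses are constructed.

```python
"""Toy resolver for a Panorama template stack plus a firewall's local overrides.

Added example, not Panorama code. The stack is ordered with the highest
priority (most specific) template first; the first template that defines
a setting wins, except where the managed firewall holds a local override
for that setting. Names and values are constructed.
"""


def resolve(stack, local_overrides=None):
    """Return (effective_settings, source_of_each_setting)."""
    local_overrides = local_overrides or {}
    effective, source = {}, {}
    for template_name, settings in stack:        # stack[0] = highest priority
        for key, value in settings.items():
            effective.setdefault(key, value)     # keep the higher-priority value
            source.setdefault(key, template_name)
    for key, value in local_overrides.items():   # local override beats every template
        effective[key] = value
        source[key] = "local-override"
    return effective, source


# Constructed region stack: site-specific template on top, shared base below.
STACK_EMEA = [
    ("emea-site", {"dns.primary": "10.10.0.53", "ntp.server": "10.10.0.123"}),
    ("global-base", {"dns.primary": "10.0.0.53", "ntp.server": "10.0.0.123",
                     "syslog.server": "10.0.0.514"}),
]


def diagnose_stale_dns(stack, local_overrides):
    """Report who currently owns dns.primary and what it becomes once the
    local override is removed (the fix the scenario calls for)."""
    _, source = resolve(stack, local_overrides)
    cleaned = {k: v for k, v in local_overrides.items() if k != "dns.primary"}
    fixed, _ = resolve(stack, cleaned)
    return source["dns.primary"], fixed["dns.primary"]


if __name__ == "__main__":
    print(resolve(STACK_EMEA))
    print(diagnose_stale_dns(STACK_EMEA, {"dns.primary": "192.0.2.53"}))
```

`resolve(STACK_EMEA)` takes DNS and NTP from `emea-site` and only the syslog server from `global-base`; with a local override in place, `diagnose_stale_dns` reports `local-override` as the current owner and `10.10.0.53` as the value the firewall will use once the override is removed.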
Connectivity and Security
Must-Know Facts
- IPsec VPN IKE phases: Phase 1 establishes the IKE Security Association (SA) — authenticates peers and negotiates the management channel using pre-shared key or certificates. Phase 2 establishes the IPsec SA — negotiates encryption for actual data traffic and defines proxy IDs (traffic selectors)
- Proxy ID mismatch is the #1 cause of Phase 2 (IPsec SA) failure. Proxy IDs define which source/destination IP ranges are encrypted. Both VPN peers must have MATCHING proxy IDs. Phase 1 passes, Phase 2 fails = proxy ID mismatch
- SSL Forward Proxy requires the firewall's CA certificate to be trusted by client endpoints. Without trusting the CA cert (via GPO, MDM, or manual installation), clients will see SSL certificate warnings for every HTTPS site
- SSL Inbound Inspection (for servers you control) requires the actual server's private key and certificate to be imported on the firewall. The firewall decrypts inbound sessions using the server's own credentials
- SSL decryption exclusions: certain categories should never be decrypted — financial institutions, healthcare, government sites (regulatory compliance), and sites with certificate pinning that breaks under MITM inspection. Define exclusions in the decryption policy
- Policy-Based Forwarding (PBF) is evaluated BEFORE the routing table. If a PBF rule matches, the routing table is bypassed entirely for that traffic flow. PBF uses source-based criteria (source IP, source user, application) rather than destination-based routing
- Zone Protection Profiles protect ZONES from flood and reconnaissance attacks. DoS Protection Profiles (applied via DoS Policy Rules) protect SPECIFIC DESTINATIONS from targeted flood attacks. Zone = broad zone-level protection. DoS policy = granular per-destination protection
- Certificate revocation: OCSP (Online Certificate Status Protocol) checks certificate status in real time. CRL (Certificate Revocation List) downloads a list of revoked certificates periodically. OCSP is faster and more current; CRL requires periodic downloads
Scenario Tips
Site-to-site IPsec VPN tunnel fails. IKE Phase 1 logs show 'COMPLETED' but the tunnel still does not pass traffic and Phase 2 shows 'FAILED'...
Mismatched proxy IDs. Check that the local network and remote network definitions in the IPsec Tunnel configuration match exactly on both peers. The source/destination IP ranges, protocol, and port must be identical on both sides
Pre-shared key mismatch is wrong — that causes Phase 1 to fail; if Phase 1 completed, the PSK matched. A wrong IKE gateway peer address is ruled out for the same reason
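The proxy-ID mismatch from the scenario above, as an added check written for this guide (not PAN-OS code). It assumes each peer's proxy IDs are given as local/remote network pairs with optional protocol and port, and that a Phase 2 match requires each peer's local/remote pair to be the exact mirror of the other's; all networks are constructed.

```python
"""Toy Phase 2 (IPsec SA) proxy-ID comparison between two VPN peers.

Added example, not PAN-OS code. A peer's LOCAL proxy ID must equal the
other peer's REMOTE proxy ID (and vice versa), including protocol and
port; otherwise the IPsec SA fails even though IKE Phase 1 completed.
Networks are constructed.
"""
from ipaddress import ip_network


def normalize(pid):
    """Canonical proxy-ID tuple: (local_net, remote_net, protocol, port).
    Host bits are stripped so 10.1.0.5/16 and 10.1.0.0/16 compare equal."""
    return (
        str(ip_network(pid["local"], strict=False)),
        str(ip_network(pid["remote"], strict=False)),
        pid.get("protocol", "any"),
        pid.get("port", 0),
    )


def mirror(pid_tuple):
    """The proxy ID the OTHER peer must hold to match this one (local/remote swapped)."""
    local, remote, proto, port = pid_tuple
    return (remote, local, proto, port)


def phase2_check(peer_a_ids, peer_b_ids):
    """Return (ok, unmatched): unmatched lists every proxy ID on either peer
    that has no mirrored counterpart on the other peer."""
    a = {normalize(p) for p in peer_a_ids}
    b = {normalize(p) for p in peer_b_ids}
    unmatched = [("peer-A", p) for p in sorted(a) if mirror(p) not in b]
    unmatched += [("peer-B", p) for p in sorted(b) if mirror(p) not in a]
    return not unmatched, unmatched


# Constructed sample: HQ 10.1.0.0/16 to branch 10.2.0.0/16.
PEER_A = [{"local": "10.1.0.0/16", "remote": "10.2.0.0/16"}]
PEER_B_OK = [{"local": "10.2.0.0/16", "remote": "10.1.0.0/16"}]
PEER_B_BAD = [{"local": "10.2.0.0/16", "remote": "10.1.0.0/24"}]   # prefix length typo

if __name__ == "__main__":
    print(phase2_check(PEER_A, PEER_B_OK))
    print(phase2_check(PEER_A, PEER_B_BAD))
```

The good pairing returns `(True, [])`; the /24 typo on peer B returns `False` with both sides' proxy IDs listed as unmatched, which is the detail to compare against the two peers' tunnel configurations when Phase 1 is up and Phase 2 is not.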
After enabling SSL Forward Proxy decryption, users report that HTTPS banking sites are showing certificate errors. The admin confirms these sites should be excluded from decryption...
Add a decryption policy rule that matches financial/banking URL categories with action 'No Decrypt' ABOVE the general decryption rule. Decryption policies are evaluated top-down, first match wins — the no-decrypt rule must be above the decrypt rule
Disabling SSL decryption entirely is wrong — the requirement is to exclude specific categories, not disable all decryption. Trusting additional certificates is wrong — the issue is that the banking sites use certificate pinning or regulatory requirements prevent MITM
Company wants to route VoIP traffic from call center agents to a dedicated WAN link with lower latency, while other traffic uses the primary default route...
Configure a Policy-Based Forwarding (PBF) rule that matches the VoIP application and specifies the next-hop for the low-latency WAN link. PBF evaluates before the routing table and overrides it for matching traffic
OSPF equal-cost multipath is wrong — ECMP distributes ALL traffic evenly across equal-cost paths, not just VoIP. SD-WAN could be correct in a newer context but PBF is the more specific correct answer for application-based routing on NGFW