Basic Concept: Explicit proxy makes the firewall the web proxy endpoint; users configure browsers to send web requests to the firewall, and the firewall creates the upstream server connection.

Why B is Correct: Explicit proxy is correct because it meets the requirement that the firewall, not the workstation, establishes outbound web sessions and enforces authentication.

Why A is Wrong: Transparent proxy is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: GlobalProtect with User-ID is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Decryption policy with Authentication Portal is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Terraform is normally used for infrastructure provisioning, while Ansible is better suited for post-deployment configuration management.

Why B is Correct: Deploying the VM and network interfaces is the Terraform part of the workflow because it defines cloud or virtualization infrastructure resources.

Why A is Wrong: Pushing threat intelligence updates to the new firewall is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why C is Wrong: Storing the credentials needed to access the vSphere environment is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Why D is Wrong: Applying the detailed Security policies and objects is an automation or management concept, but it performs a different role than the requested IaC provisioning, playbook configuration, or API object operation.

Basic Concept: Group-based policy requires group mapping, and group mapping requires a directory connection. LDAP Server profiles establish that directory connection.

Why A is Correct: Creating an LDAP server profile first lets PAN-OS query Active Directory for group membership used in Security policy.

Why B is Wrong: User-ID agent service account is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Authentication sequence is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Kerberos server profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: GlobalProtect pre-logon uses machine certificates before user sign-in, while user authentication can use separate profiles and cloud IdPs. Panorama provides consistent certificate distribution.

Why B is Correct: The correct design uses distinct certificate profiles, internal OCSP, Panorama-distributed CA trust, and Group Policy certificate deployment to support secure pre-logon and user-based connectivity.

Why A is Wrong: Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: In Layer 2 mode, Palo Alto Networks firewalls switch frames within a VLAN while still enforcing zone-based Security policy. Interfaces in the same VLAN can be in the same or different Layer 2 zones.

Why C is Correct: Assigning interfaces to the appropriate Layer 2 zones and adding policies where the source and destination are not in the same zone permits the intended Layer 2 traffic while preserving segmentation.

Why A is Wrong: Layer 2 interfaces do not require IP routing to communicate within the same VLAN. The missing control is zone assignment/policy, not Layer 3 routing.

Why B is Wrong: A policy within the VLAN helps only when the zone relationship requires it; the key is that interfaces in different Layer 2 zones need policy between those zones.

Why D is Wrong: Routing is not required for same-VLAN Layer 2 forwarding and would change the design from switching to routing.

Basic Concept: Policy-based third-party VPN gateways require matching traffic selectors. PAN-OS represents those selectors as Proxy IDs under the IPSec tunnel configuration.

Why A is Correct: Defining local and remote subnets in Proxy ID settings aligns PAN-OS with the Check Point encryption domain and resolves Phase 2 failures.

Why B is Wrong: Create individual Security policies for each pair of local and remote subnets. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: Assign a specific IP address to the tunnel interface to match the Check Point gateway. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: Enable Dead Peer Detection (DPD) in the IKE Gateway configuration. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Active/passive HA upgrades minimize downtime by upgrading one peer at a time and intentionally failing traffic to the peer that is ready to forward.

Why A is Correct: Suspending the active firewall forces failover, allowing the suspended/passive unit to be upgraded and validated before traffic is moved back and the second unit is upgraded.

Why B is Wrong: Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why C is Wrong: Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Why D is Wrong: Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic. is an HA-related setting or behavior, but it is not the specific HA link, LACP pre-negotiation option, or upgrade sequence required here.

Basic Concept: Azure zone resilience for VM-Series is normally achieved with multiple firewall instances across Availability Zones and Azure load balancing, not PAN-OS HA links across zones.

Why A is Correct: Deploying independent firewalls in different zones behind an Azure Load Balancer keeps traffic available if one zone fails.

Why B is Wrong: Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why C is Wrong: Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Why D is Wrong: Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection. is a cloud deployment or routing approach, but it does not match the required managed insertion model, resilience pattern, or Panorama-controlled policy design in this scenario.

Basic Concept: Panorama supports central configuration tasks without context switch. Operational actions that query live device state or configure local runtime views require firewall context.

Why C is Correct: Editing a post-rule, creating a certificate profile, and configuring hostname are Panorama-managed tasks available from the Panorama UI.

Why A is Wrong: Download and install a new content update. View current firewall session details. Initiate a device reboot. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why B is Wrong: Create a new zone. Configure a new virtual router. View the local ACC on the firewall. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre-rule. is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: SSL Forward Proxy relies on clients trusting the firewall's forward trust CA. Without that trust, every substituted certificate appears untrusted to browsers.

Why D is Correct: The most likely cause is that the self-signed CA was not installed into client trusted root stores.

Why A is Wrong: The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.