An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

1. A. Panorama does not have valid licenses to push the dynamic updates.
2. B. Panorama has no connection to Palo Alto Networks update servers.
3. C. No service route is configured on the firewalls to Palo Alto Networks update servers.
4. D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

Correct Answer: D

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three)

1. A. SSH key
2. B. User logon
3. C. Short message service
4. D. One-Time Password
5. E. Push

Correct Answer: BDE
According to Palo Alto Networks documentation123, multi-factor authentication (MFA) is a method of verifying a user’s identity using two or more factors, such as something they know, something they have, or something they are.
The firewall supports MFA for administrative access, GlobalProtect VPN access, and Captive Portal access. The firewall can integrate with external MFA providers such as RSA SecurID, Duo Security, or Okta Verify.
The three firewall MFA factors that are supported by PAN-OS are:
User logon: This is something the user knows, such as a username and password.
One-Time Password: This is something the user has, such as a code generated by an app or sent by email or SMS.
Push: This is something the user is, such as a biometric verification or a device approval.

An engineer discovers the management interface is not routable to the User-ID agent What configuration is needed to allow the firewall to communicate to the User-ID agent?

1. A. Create a NAT policy for the User-ID agent server
2. B. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
3. C. Create a custom service route for the UID Agent
4. D. Add a static route to the virtual router

Correct Answer: C
To allow the firewall to communicate with the User-ID agent, you need to configure a custom service route f the UID Agent23. A custom service route allows you to specify which interface and source IP address the firewall uses to connect to a specific destination service. By default, the firewall uses its management interface for services such as User-ID, but you can override this behavior by creating a custom service route.
To configure a custom service route for the UID Agent, you need to do the following steps:
Go to Device > Setup > Services and click Service Route Configuration.
In the Service column, select User-ID Agent from the drop-down list.
In the Interface column, select an interface that can reach the User-ID agent server from the drop-down list.
In the Source Address column, select an IP address that belongs to that interface from the drop-down list.
Click OK and Commit your changes.
The correct answer is C. Create a custom service route for UID Agent

The firewall identifies a popular application as an unKnown-tcp.
Which two options are available to identify the application? (Choose two.)

1. A. Create a custom application.
2. B. Submit an App-ID request to Palo Alto Networks.
3. C. Create a custom object for the application server.
4. D. Create a Security policy to identify the custom application.

Correct Answer: AB

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?

1. A. Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
2. B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use lessprocessor-intensive decryption methods for tower-risk traffic
3. C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
4. D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

Correct Answer: B