A security engineer needs firewall management access on a trusted interface.
Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

1. A. Minimum TLS version
2. B. Certificate
3. C. Encryption Algorithm
4. D. Maximum TLS version
5. E. Authentication Algorithm

Correct Answer: ABD
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app? Failed to connect to server at port:47 67

1. A. The PanGPS process failed to connect to the PanGPA process on port 4767
2. B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
3. C. The PanGPA process failed to connect to the PanGPS process on port 4767
4. D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Correct Answer: C
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

Which log type would provide information about traffic blocked by a Zone Protection profile?

1. A. Data Filtering
2. B. IP-Tag
3. C. Traffic
4. D. Threat

Correct Answer: D
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC
D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks1. These attacks are classified as threats by the firewall and are logged in the threat log2. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats2.
Verified References:
1: Zone protection profiles - Palo Alto Networks Knowledge Base
2: Threat Log Fields - Palo Alto Networks

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

1. A. Add the policy to the target device group and apply a master device to the device group.
2. B. Reference the targeted device's templates in the target device group.
3. C. Clone the security policy and add it to the other device groups.
4. D. Add the policy in the shared device group as a pre-rule

Correct Answer: D
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/man https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-conf

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

1. A. A Deny policy for the tagged traffic
2. B. An Allow policy for the initial traffic
3. C. A Decryption policy to decrypt the traffic and see the tag
4. D. A Deny policy with the "tag" App-ID to block the tagged traffic

Correct Answer: AB
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups Use the dynamic user group in a policy to regulate traffic for the members of the group. You will need to
configure at least two rules: one to allow initial traffic to populate the dynamic user group and one to deny traffic for the activity you want to prevent (in this case, questionable-activity). To tag users, the rule to allow traffic must have a higher rule number in your rulebase than the rule that denies traffic.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-dynamic-user-groups-in-policy