An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.
What could an administrator do to troubleshoot the issue?

1. A. Goto Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup
2. B. Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings
3. C. Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings
4. D. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Correct Answer: B
If the HA status is showing as down after enabling HA Heartbeat Backup on two devices, an administrator could troubleshoot the issue by checking the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 7: High Availability, under the section "Configure Heartbeat Backup for Redundancy":
"Verify that the management interface's permitted IP addresses on each peer includes the IP address of the other peer's Heartbeat Backup interface."

Refer to the diagram. Users at an internal system want to ssh to the SSH server The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A)

B)

C)

D)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D

Correct Answer: C

What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

1. A. Phase 2 SAs are synchronized over HA2 links
2. B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
3. C. Phase 1 SAs are synchronized over HA1 links
4. D. Phase 1 and Phase 2 SAs are synchronized over HA3 links

Correct Answer: A
From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all
IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."
And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

1. A. a Security policy with 'known-user" selected in the Source User field
2. B. an Authentication policy with 'unknown' selected in the Source User field
3. C. a Security policy with 'unknown' selected in the Source User field
4. D. an Authentication policy with 'known-user' selected in the Source User field

Correct Answer: C

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

1. A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
2. B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
3. C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
4. D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Correct Answer: B