Your Path to PCNSE Certification Success

Practice makes perfect—and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto certified network security engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto certified network security engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
A. Low
B. High
C. Critical
D. Informational
E. Medium


B. High
C. Critical
E. Medium
Explanation:
Palo Alto Networks publishes Threat Prevention Best Practices that define recommended settings for Security Profiles (Vulnerability, Anti-Spyware, AV, URL, etc.).

For Anti-Spyware Profiles, best practices include:
Enable single-packet capture for severities Medium, High, and Critical
→ This allows administrators to analyze malicious sessions more effectively without capturing unnecessary benign traffic.
Do NOT enable packet capture for Low or Informational severities
→ These typically represent lower-risk or informational events that would unnecessarily consume disk space and processing.
🔹 So, Medium + High + Critical = the three severity levels where single-packet capture should be enabled.

Why not the others?
A. Low ❌ → Too much noise, not best practice.
D. Informational ❌ → Only logs metadata, doesn’t require packet capture.

Reference:
Palo Alto Networks TechDocs: Anti-Spyware Profile Best Practices
Best Practice Guidance: Enable Single-Packet Capture for medium, high, and critical severities.




Question # 2

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
A. DoS Protection profile
B. Data Filtering profile
C. Vulnerability Protection profile
D. URL Filtering profile


A. DoS Protection profile
Explanation:
To mitigate packet floods targeting RSF servers behind an internet-facing interface, the correct security profile to apply is the DoS Protection profile. This profile is specifically designed to detect and prevent Denial of Service (DoS) attacks, including:

Flood Protection:
Detects excessive SYN, UDP, and ICMP packets that can overwhelm server resources.
Resource Protection:
Prevents session exhaustion by limiting the number of concurrent sessions per source or destination.

The DoS Protection profile allows you to:
Set thresholds for connection rates (CPS)
Define actions (e.g., alert, drop, block IP)
Apply protection based on zones, interfaces, or IPs
This profile is applied via a DoS Protection policy, not a standard Security policy, and is ideal for defending exposed services from volumetric attacks.

📌 Reference:
Palo Alto Networks TechDocs – DoS Protection Profile
Exam4Training – Packet Flood Mitigation Profile

❌ Why Other Options Are Incorrect:
B. Data Filtering profile: Used to detect sensitive data patterns (e.g., credit card numbers), not volumetric packet floods.
C. Vulnerability Protection profile: Targets known exploits and protocol violations—not volumetric DoS attacks.
D. URL Filtering profile: Controls web access based on categories and URLs; irrelevant for packet-level flood mitigation.




Question # 3

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?
A. Log Collector
B. Panorama
C. Legacy
D. Management Only


D. Management Only
Explanation:

Recall Panorama Deployment Modes
1. Panorama Mode
Full management + log collection.
Logs stored locally (Panorama / Dedicated Log Collectors).
2. Log Collector Mode
Panorama works only as a log collector.
Stores logs locally.
3. Legacy Mode
Pre–PAN-OS 8.0, combined mgmt + logging.
Deprecated.
4. Management Only Mode
Panorama manages devices (device-groups, templates, policies).
Does not store logs locally.
All logs can be forwarded to Cortex Data Lake (CDL).
✔ Exactly what the question requires.

Evaluate the options
A. Log Collector → Stores logs locally → ❌
B. Panorama → Stores logs locally → ❌
C. Legacy → Deprecated, still stores locally → ❌
D. Management Only → Sends logs only to Cortex Data Lake → ✅

Official Reference
Palo Alto Networks – Panorama Deployment Modes
“Use Management Only mode if you want Panorama to manage firewalls while all logs are forwarded to Cortex Data Lake, with no local log storage.”




Question # 4

An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider?
A. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
B. Decrypt all traffic that traverses the firewall so that it can be scanned for threats
C. Place firewalls where administrators can opt to bypass the firewall when needed.
D. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.


A. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
Explanation:
When configuring decryption policies on Palo Alto Networks firewalls, one of the most critical best practices is to ensure compliance with local laws, regulations, and organizational policies. SSL/TLS decryption can expose sensitive data, and decrypting certain types of traffic (e.g., banking, healthcare, or government services) may violate privacy laws or contractual obligations.

1. According to Palo Alto Networks' official Decryption Best Practices:
“Decrypt as much traffic as local regulations and business requirements allow so you can inspect the traffic and block threats.”

2. This means administrators must:
Understand what traffic is legally allowed to be decrypted
Create decryption exclusion rules for sensitive categories (e.g., financial, medical)
Document and justify all decryption decisions

❌ Why Other Options Are Incorrect:
B. Decrypt all traffic that traverses the firewall: This is not realistic or compliant. Some traffic must be excluded due to privacy or legal constraints.
C. Place firewalls where administrators can opt to bypass the firewall when needed: This undermines security and violates best practices. Firewalls should enforce policy, not be bypassed ad hoc.
D. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications: Decryption profiles are essential for enforcing certificate validation, cipher control, and session security. Skipping them weakens protection.




Question # 5

An administrator connects a new fiber cable and transceiver to Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?
A. show chassis status slot s1
B. show system state filter ethernet1/1
C. show system state filter sw.dev interface config
D. show system state filter-pretty sys.sl*


D. show system state filter-pretty sys.sl*
Explanation:
This specific CLI command is designed to display detailed, raw diagnostic information about the physical hardware components, including transceivers (SFPs). It is the most comprehensive tool for troubleshooting physical layer issues.

Command: show system state filter-pretty sys.sl*
Output: This command will return a large output. You must then search within it for the specific interface (e.g., ethernet1/1). The output for the transceiver will include all the required details:
Transceiver Type: (e.g., SFP, SFP+, SFP28)
Vendor Name & Part Number: The manufacturer and model number of the transceiver.
Tx-Power: The transmitted optical power level (in dBm).
Rx-Power: The received optical power level (in dBm). This is critical for diagnosing fiber issues.

Why the Other Options Are Incorrect:
A. show chassis status slot s1:
This command provides a high-level overview of hardware components (like fans, power supplies, and slots) but does not provide the detailed, low-level diagnostic information about a specific transceiver's power levels and vendor details.
B. show system state filter ethernet1/1:
This is an incomplete command. The correct syntax requires a specific filter (like sys.sl*) to target the relevant subsystem that manages physical interfaces and transceivers.
C. show system state filter sw.dev interface config:
This command would show the software configuration of the interface (e.g., speed, duplex) but not the physical diagnostic data from the transceiver itself (e.g., power levels, vendor info).

Reference:
Palo Alto Networks Knowledge Base Articles & CLI Guide:
The show system state filter-pretty sys.sl* command is the well-documented method for obtaining detailed transceiver diagnostics. This is a standard troubleshooting step for physical link issues, especially when using third-party optics, to verify compatibility and signal integrity.




Question # 6

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed. Which set of actions should the engineer take to achieve this goal?
A. 1. Open the current log forwarding profile.
2. Open the existing match list for threat log type.
3. Define the filter.
4. Select the syslog forward method.
B. 1. Create a new log forwarding profile.
2. Add a new match list for threat log type.
3. Define the filter.
4. Select the Panorama and syslog forward methods.
C. 1. Open the current log forwarding profile.
2. Add a new match list for threat log type.
3. Define the filter.
4. Select the syslog forward method.
D. 1. Create a new log forwarding profile.
2. Add a new match list for threat log type.
3. Define the filter.
4. Select the syslog forward method.


C. 1. Open the current log forwarding profile.
2. Add a new match list for threat log type.
3. Define the filter.
4. Select the syslog forward method.
Explanation:
To achieve the goal of forwarding only medium or higher severity threat logs to a new destination (syslog) while maintaining the existing forwarding to Panorama, the engineer should follow these steps:

1. Open the existing log forwarding profile.
The current profile is already configured to send all threat logs to Panorama. Since you want to keep this configuration, you should modify the existing profile rather than create a new one.
2. Add a new match list for the threat log type.
Log forwarding profiles use a series of "match lists" to define different forwarding rules based on log type and filters. You need to create a new match list specifically for the syslog forwarding.
3. Define the filter.
Within the new match list, you must specify a filter. The filter should be set to capture logs with a severity of "medium" or higher. The filter expression would look something like (severity geq medium).
4. Select the syslog forward method.
For this new match list, you should select the syslog server as the forwarding destination. The existing match list for Panorama will continue to function independently, forwarding all logs as configured.
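
The behaviour described in these steps can be checked with a small model. The following is an added example, not PAN-OS code and not part of the original explanation: it models a log forwarding profile as a list of independently evaluated match lists and shows which destinations each threat severity reaches. The match-list names, the dictionary layout, and the single-clause filter parser are assumptions made for illustration; only the `(severity geq medium)` filter and the Panorama/syslog destinations come from the question.

```python
import re

# Threat severities, lowest to highest.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}
OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "geq": lambda a, b: a >= b,
    "leq": lambda a, b: a <= b,
}
# Hypothetical parser: handles only one "(severity <op> <level>)" clause.
FILTER_RE = re.compile(r"^\(\s*severity\s+(eq|neq|geq|leq)\s+([a-z]+)\s*\)$")


def matches(filter_expr, log):
    """Return True if a log matches 'All Logs' or a single severity clause."""
    if filter_expr == "All Logs":
        return True
    m = FILTER_RE.match(filter_expr.strip())
    if not m or m.group(2) not in RANK:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    op, level = m.groups()
    return OPS[op](RANK[log["severity"]], RANK[level])


def destinations(profile, log):
    """Evaluate every match list on its own; a log may match several."""
    out = set()
    for ml in profile:
        if ml["log_type"] == log["type"] and matches(ml["filter"], log):
            out.update(ml["forward_to"])
    return out


# Constructed profile: the existing match list plus the new one from answer C.
PROFILE = [
    {"name": "threat-to-panorama", "log_type": "threat",
     "filter": "All Logs", "forward_to": ["panorama"]},
    {"name": "threat-medium-plus-to-syslog", "log_type": "threat",
     "filter": "(severity geq medium)", "forward_to": ["syslog"]},
]

if __name__ == "__main__":
    for sev in SEVERITIES:
        log = {"type": "threat", "severity": sev}  # constructed sample log
        print(f"{sev:13} -> {sorted(destinations(PROFILE, log))}")
```

Because the Panorama match list is left untouched, low and informational threat logs still reach Panorama; only the added match list narrows what goes to syslog.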




Question # 7

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?
A. Ping interval of 200 ms and ping count of three failed pings
B. Ping interval of 5000 ms and ping count of 10 failed pings
C. Ping interval of 200 ms and ping count of 10 failed pings
D. Ping interval of 5000 ms and ping count of three failed pings


C. Ping interval of 200 ms and ping count of 10 failed pings
Explanation:
In Palo Alto Networks High Availability (HA) configuration, path monitoring is used to detect link or path failures by sending periodic pings to a monitored IP address. If the pings fail consistently, a failover is triggered.

The default values for path monitoring are:
Ping Interval: 200 milliseconds
Ping Count: 10 consecutive failed pings
This means the firewall will wait for 10 failed pings, each spaced 200 ms apart, before initiating a failover.
📚 Reference:
Palo Alto Networks – Configure HA Path Monitoring

❌ Why Other Options Are Wrong:
A. Incorrect ping count (only 3)
B. & D. Incorrect ping interval (5000 ms is not default)



How to Pass PCNSE Exam?

PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.