Your Path to PCNSE Certification Success

Practice makes perfect, and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto Networks Certified Network Security Engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto Networks Certified Network Security Engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed. Which set of actions should the engineer take to achieve this goal?
A. 1. Open the current log forwarding profile.
   2. Open the existing match list for threat log type.
   3. Define the filter.
   4. Select the syslog forward method.
B. 1. Create a new log forwarding profile.
   2. Add a new match list for threat log type.
   3. Define the filter.
   4. Select the Panorama and syslog forward methods.
C. 1. Open the current log forwarding profile.
   2. Add a new match list for threat log type.
   3. Define the filter.
   4. Select the syslog forward method.
D. 1. Create a new log forwarding profile.
   2. Add a new match list for threat log type.
   3. Define the filter.
   4. Select the syslog forward method.


C. 1. Open the current log forwarding profile.
   2. Add a new match list for threat log type.
   3. Define the filter.
   4. Select the syslog forward method.
Explanation:
To achieve the goal of forwarding only medium or higher severity threat logs to a new destination (syslog) while maintaining the existing forwarding to Panorama, the engineer should follow these steps:

1. Open the existing log forwarding profile.
   The current profile is already configured to send all threat logs to Panorama. Since you want to keep this configuration, you should modify the existing profile rather than create a new one.
2. Add a new match list for the threat log type.
   Log forwarding profiles use a series of "match lists" to define different forwarding rules based on log type and filters. You need to create a new match list specifically for the syslog forwarding.
3. Define the filter.
   Within the new match list, you must specify a filter. The filter should be set to capture logs with a severity of "medium" or higher. The filter expression would look something like (severity geq medium).
4. Select the syslog forward method.
   For this new match list, you should select the syslog server as the forwarding destination. The existing match list for Panorama will continue to function independently, forwarding all logs as configured.
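To show what answer C produces, here is an added Python model (not code from this page or from PAN-OS) of a log forwarding profile whose match lists are evaluated independently: the original Panorama list stays at "All Logs" and a second threat list filtered on (severity geq medium) forwards only to syslog. The syslog profile name and the supported filter subset are assumptions.

```python
from dataclasses import dataclass

# PAN-OS threat log severities, lowest to highest; "geq medium" means index >= 2.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

@dataclass
class MatchList:
    """One match list of a log forwarding profile: log type, filter, forward methods."""
    name: str
    log_type: str
    filter: str                 # "All Logs" or e.g. "(severity geq medium)"
    panorama: bool = False      # forward to Panorama?
    syslog: tuple = ()          # syslog server profile names (assumed names)

def matches_filter(expr: str, log: dict) -> bool:
    """Evaluate the filter subset used on this page: 'All Logs' or a single
    '(severity <op> <level>)' term with op in eq/neq/geq/leq."""
    if expr == "All Logs":
        return True
    parts = expr.strip().strip("()").split()
    if len(parts) != 3 or parts[0] != "severity":
        raise ValueError(f"unsupported filter: {expr}")
    op, level = parts[1], parts[2]
    have = SEVERITY_ORDER.index(log["severity"])
    want = SEVERITY_ORDER.index(level)
    return {"eq": have == want, "neq": have != want,
            "geq": have >= want, "leq": have <= want}[op]

def forward(profile: list, log: dict) -> dict:
    """Match lists are evaluated independently; one log can hit several of them."""
    dests = {"panorama": False, "syslog": set()}
    for ml in profile:
        if ml.log_type == log["type"] and matches_filter(ml.filter, log):
            dests["panorama"] = dests["panorama"] or ml.panorama
            dests["syslog"].update(ml.syslog)
    return dests

# Profile after the change in answer C: the original Panorama match list is untouched
# and a second threat match list, filtered on severity, forwards only to syslog.
PROFILE = [
    MatchList("threat-to-panorama", "threat", "All Logs", panorama=True),
    MatchList("threat-to-syslog", "threat", "(severity geq medium)", syslog=("siem-syslog",)),
]

# Constructed sample logs (not taken from a real firewall).
LOW_THREAT = {"type": "threat", "severity": "low"}
HIGH_THREAT = {"type": "threat", "severity": "high"}
TRAFFIC_LOG = {"type": "traffic", "severity": "informational"}
```

Running forward(PROFILE, LOW_THREAT) shows the low-severity threat still reaching Panorama but not syslog, while HIGH_THREAT reaches both.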




Question # 2

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
A. Create a Dynamic Read only superuser
B. Create a Dynamic Admin with the Panorama Administrator role
C. Create a Device Group and Template Admin
D. Create a Custom Panorama Admin


C. Create a Device Group and Template Admin
Explanation:
The Device Group and Template Admin role is specifically designed for delegated administration in Panorama. It allows you to assign access to specific device groups and templates, which is exactly what’s needed when contractors are working in separate hierarchies and must manage policies and objects independently.

This role ensures compliance and separation of duties, as each contractor can only see and modify the device groups and templates assigned to them — no cross-access.

❌ Why the others are incorrect:
A. Dynamic Read only superuser:
This role provides read-only access across the system. It’s unsuitable for contractors who need to deploy policies and objects, which requires write permissions.

B. Dynamic Admin with the Panorama Administrator role:
This grants full access to Panorama, including all device groups and templates. It violates the principle of least privilege and compliance boundaries, as contractors would see and potentially modify areas outside their scope.

D. Custom Panorama Admin:
While flexible, it requires manual configuration of granular permissions. It’s more error-prone and less efficient than using the purpose-built Device Group and Template Admin role, which simplifies scoped access.

📚 References:
Palo Alto Networks TechDocs: Role-Based Access Control in Panorama




Question # 3

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
A. Command line > debug dataplane packet-diag clear filter-marked-session all
B. In the GUI under Monitor > Packet Capture > Manage Filters, under Ingress Interface select an interface
C. Command line > debug dataplane packet-diag clear filter all
D. In the GUI under Monitor > Packet Capture > Manage Filters, under the Non-IP field select "exclude"


C. Command line > debug dataplane packet-diag clear filter all
Explanation:
When you apply a new packet capture filter, the firewall may still continue capturing traffic matching the old filter, because the previously configured filter is still cached in the dataplane.
To make sure only the new filter applies, you must clear the old filter configuration before starting a new capture.

The CLI command is:
> debug dataplane packet-diag clear filter all
This ensures that all previous filter conditions are removed, so the next packet capture will only use the newly configured filter.

❌ Why the other options are wrong:
A. debug dataplane packet-diag clear filter-marked-session all
This clears session-based debug filters, not the packet capture filter. Different purpose.
B. GUI under Monitor > Packet Capture > Manage Filters > Ingress Interface
Selecting an interface narrows the capture scope, but it does not clear the old filter, so stale matches may still show up.
D. GUI under Non-IP field, select "exclude"
This only filters out non-IP traffic, not the old filter set. Doesn’t solve the stale filter issue.

📖 Reference:
Palo Alto Networks TechDocs – Use Packet Capture




Question # 4

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
A. Destination user/group
B. URL Category
C. Destination Domain
D. video streaming application
E. Source Domain


C. Destination Domain
D. video streaming application

Explanation:
GlobalProtect split tunneling allows administrators to define which traffic is sent through the VPN tunnel (to be inspected by the firewall) and which traffic is sent directly to the internet. The three supported methods for creating these rules are:

1. B. URL Category:
   Traffic destined for websites belonging to a specific URL category (e.g., "financial-services," "health-and-medicine," "not-resolved") can be either tunneled or excluded from the tunnel.
2. C. Destination Domain:
   Traffic destined for a specific fully qualified domain name (FQDN) (e.g., sensitive-app.corp.com) can be matched and the tunnel action applied.
3. F. Client Application Process:
   Traffic generated by a specific application process running on the endpoint (e.g., my_browser.exe, company_erp.exe) can be forced through the tunnel or allowed to go direct.

Why the Other Options Are Incorrect:
A. Destination user/group:
Split tunnel rules are based on network traffic characteristics (domain, IP, URL, application), not on the user identity. User/Group is used elsewhere in GlobalProtect for authentication and connection policies, but not for defining split tunnel traffic matches.
D. Video streaming application:
This is a specific use case, not a configurable matching criterion. While you could create a rule based on the URL category "streaming-media" or the application "netflix," "video streaming application" itself is not a selectable option in the split tunnel configuration.
E. Source Domain:
Split tunnel policies are concerned with the destination of the traffic (where it's going), not its source domain. The source is always the GlobalProtect client.

Reference:
Palo Alto Networks Administrator Guide | GlobalProtect | Gateway Configuration | Split Tunnel:
The official documentation lists the specific Include List and Exclude List criteria for split tunneling, which are: IP Address, Domain, URL Category, and Application. "Application" here refers to the Client Application Process.




Question # 5

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule. Which set of steps should the engineer take to accomplish this objective?
A. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port.
   2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
   3. Place (NAT-Rule-1) above (NAT-Rule-2).
B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
   2. Check the box for negate option to negate this IP subnet from NAT translation.
C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port.
   2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
   3. Place (NAT-Rule-2) above (NAT-Rule-1).
D. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
   2. Check the box for negate option to negate this IP from the NAT translation.


C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port.
   2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
   3. Place (NAT-Rule-2) above (NAT-Rule-1).
Explanation:
NAT rules on Palo Alto Networks firewalls are evaluated top-down, and the first matching rule is applied. To exclude a specific IP from NAT, you must create a more specific rule above the general rule.

Step 1 (NAT-Rule-1):
This is the general rule for the entire subnet 10.0.0.0/23, translating it to a public IP.
Step 2 (NAT-Rule-2):
This rule matches only the server 10.0.0.10/32 and sets Source Translation to None, meaning no NAT is applied.
Step 3 (rule order):
This ensures that traffic from 10.0.0.10 matches the more specific rule first and is excluded from NAT. The broader rule then handles the rest of the subnet.

Why the Other Options Are Incorrect:
A: Placing the general rule (NAT-Rule-1) above the exception rule (NAT-Rule-2) would cause the server 10.0.0.10 to match the broader rule first and be translated, ignoring the exception.
B and D: The NAT rule configuration does not have a "negate" option for source addresses. Negation is available in security policies but not in NAT rules. This is not a valid method.

Reference:
PAN-OS NAT rule processing follows a top-down order, and exceptions must be placed above broader rules (PAN-OS Administrator’s Guide, "NAT Rule Evaluation" section). Setting Source Translation to None is the correct way to exclude an IP from NAT.
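As an added example (not code from this page or from Palo Alto Networks), this Python model of the top-down, first-match NAT lookup shows why the exception rule must sit above the general rule, and adds a shadowing check that flags the ordering mistake in option A. Matching is simplified to the original source address only; real NAT rules also match zones, destination and service.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    original_source: str      # "Source Address" in the original packet, as CIDR
    source_translation: str   # "dynamic-ip-and-port" or "none"

def first_match(rules: list, src_ip: str):
    """PAN-OS NAT policy lookup: evaluate top-down, the first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.original_source):
            return rule
    return None

def is_translated(rules: list, src_ip: str) -> bool:
    """True if the source would be NATed; hitting a 'none' translation means no NAT."""
    rule = first_match(rules, src_ip)
    return rule is not None and rule.source_translation != "none"

def shadowed_rules(rules: list) -> list:
    """Rules that can never match because an earlier rule already covers
    their entire original source range (the mistake in option A)."""
    out = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.original_source)
        if any(net.subnet_of(ipaddress.ip_network(r.original_source)) for r in rules[:i]):
            out.append(rule.name)
    return out

# Constructed rules from the question: the general rule and the no-NAT exception.
GENERAL = NatRule("NAT-Rule-1", "10.0.0.0/23", "dynamic-ip-and-port")
EXCEPTION = NatRule("NAT-Rule-2", "10.0.0.10/32", "none")

OPTION_C = [EXCEPTION, GENERAL]   # exception above the general rule (correct)
OPTION_A = [GENERAL, EXCEPTION]   # general rule first: the exception is shadowed

if __name__ == "__main__":
    for label, rules in (("C", OPTION_C), ("A", OPTION_A)):
        hit = first_match(rules, "10.0.0.10")
        print(f"option {label}: 10.0.0.10 hits {hit.name}, "
              f"translated={is_translated(rules, '10.0.0.10')}, "
              f"shadowed={shadowed_rules(rules)}")
```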




Question # 6

Review the screenshots.

What is the most likely reason for this decryption error log?
A. The Certificate fingerprint could not be found.
B. The client expected a certificate from a different CA than the one provided.
C. The client received a CA certificate that has expired or is not valid.
D. Entrust is not a trusted root certificate authority (CA).


C. The client received a CA certificate that has expired or is not valid.
Explanation:

Key Evidence from the Log:
1. Certificate Details:
   Issuer: Entrust Certification Authority - L1M
   Root CA: Entrust Root Certification Authority - G2 (trusted).
   Expiry Date: 2022/04/01 15:38:03 (log timestamp: 2022/03/03).
   The certificate was still valid at the time of the session, but the log shows a deny action.
2. Error Context:
   Action: deny (blocked by rule Social-Media-Override).
   Application: ssl (TLS/SSL handshake failure).
3. Possible Causes:
   Intermediate CA (L1M) expired/revoked: Though the root CA is trusted, the chain might be broken.
   Certificate validation failure: The firewall or client rejected the intermediate CA.

Why Not Other Options?
A. No mention of fingerprint mismatch in the log.
B. The log confirms the expected CA (Entrust).
D. Entrust is trusted (Root CA is listed as trusted).

Root Cause Analysis:
The intermediate CA (L1M) might have been:
   Revoked (not shown in the log but plausible).
   Expired post-log (though the log shows it was valid at the time).
The firewall’s decryption profile likely enforced strict validation, rejecting the chain.

Reference:
Palo Alto Decryption Troubleshooting:
"Denied SSL sessions often result from invalid intermediate CA certificates or revocation checks."




Question # 7

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?
A. Disable ALG under H.323 application
B. Increase the TCP timeout under H.323 application
C. Increase the TCP timeout under SIP application
D. Disable ALG under SIP application


D. Disable ALG under SIP application
Explanation:

Why Disable SIP ALG?
1. The Problem:
   The firewall is modifying SIP/H.323 payloads (e.g., NATing internal IPs/ports in VoIP packets).
   This breaks VoIP signaling, as endpoints expect original headers for media negotiation.
2. The Cause:
   SIP ALG (Application Layer Gateway) is enabled by default on NGFWs.
   ALG inspects and rewrites SIP/H.323 packets, often misinterpreting VoIP traffic.
3. The Fix:
   Disabling SIP ALG stops the firewall from:
   Altering SIP packet payloads.
   Opening incorrect dynamic pinholes for RTP/RTCP media streams.

Steps to Disable SIP ALG:
Navigate to: Device > Setup > Session
Under Application Identification, uncheck:
SIP (and optionally H.323 if used).

Why Not Other Options?
A. H.323 ALG is unrelated if SIP is the primary VoIP protocol.
B/C. Timeout adjustments don’t fix NAT-induced payload corruption.

Additional VoIP Best Practices:
Use dedicated SIP security profiles (e.g., allow only SIP/RTP/RTCP).
Ensure NAT policies exclude VoIP traffic (or use static NAT).

Reference:
Palo Alto VoIP Troubleshooting Guide:
"Disable SIP ALG when endpoints handle NAT traversal independently (e.g., via STUN/ICE)."



How to Pass PCNSE Exam?

The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, so it is essential to thoroughly understand both the concepts and their practical application.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses such as Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment with Palo Alto Networks firewalls, either physical or virtual, lets you practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto Networks Certified Network Security Engineer exam.