Question # 1
A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
A. Increase the frequency of the applications and threats dynamic updates.
B. Increase the frequency of the antivirus dynamic updates.
C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.
D. Enable the "Report Grayware Files" option in Device > Setup > WildFire.
Reveal Answer
C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus
Explanation:
Enabling real-time WildFire signature lookup allows Palo Alto Networks firewalls to query the WildFire cloud for the latest verdicts on unknown files before allowing them through. However, this lookup happens in parallel with traffic flow—meaning the file may be delivered before the verdict is returned, potentially allowing malware through.
To further reduce the likelihood of newly discovered malware being allowed:
✅ Enable "Hold Mode" in Antivirus Profiles
This feature pauses file delivery until the WildFire cloud returns a verdict.
If the verdict is malicious, the firewall can block the file before it reaches the user.
This prevents patient zero scenarios where malware is delivered before detection.
You can configure this under:
Objects > Security Profiles > Antivirus
And globally under:
Device > Setup > Content-ID > Real-Time Signature Lookup > Enable Hold Mode
❌ Why Other Options Are Incorrect:
A. Increase the frequency of applications and threats dynamic updates
→ This helps with known threats, but not zero-day malware. Real-time lookup is already faster.
B. Increase the frequency of antivirus dynamic updates
→ Antivirus updates are periodic and reactive. They don’t help with real-time detection.
D. Enable "Report Grayware Files"
→ This improves visibility but doesn’t block malware. It’s a reporting feature, not a prevention mechanism.
🔗 Authoritative Reference:
Palo Alto Networks TechDocs: Hold Mode for WildFire Real-Time Signature Lookup
Question # 2
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A web server certificate signed by the organization's PKI
B. A self-signed certificate generated on the firewall
C. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A web server certificate signed by an external Certificate Authority
Reveal Answer
B. A self-signed certificate generated on the firewall
Explanation:
When you configure SSL Forward Proxy on a Palo Alto firewall, two certificates are needed:
Forward Trust Certificate
Used when the firewall proxies trusted server certificates.
The firewall re-signs the original trusted site’s certificate with this certificate so the client accepts it.
Typically issued by the organization’s internal PKI or a trusted subordinate CA.
Forward Untrust Certificate
Used when the firewall intercepts traffic to a site with an untrusted or invalid certificate.
The firewall deliberately presents an untrusted cert to the user so their browser displays a warning (e.g., expired, self-signed, revoked).
This certificate must not chain to a trusted root — otherwise the user would not see the warning.
Best practice is to use a self-signed certificate generated on the firewall.
❌ Why the Other Options Are Wrong
A. A web server certificate signed by the organization’s PKI
→ Wrong. If signed by a trusted PKI, the browser will trust it and not show a warning. That defeats the purpose.
C. A subordinate Certificate Authority certificate signed by the organization’s PKI
→ Wrong. Again, chaining to a trusted PKI means the browser will trust the certificate, hiding untrusted certificate issues.
D. A web server certificate signed by an external Certificate Authority
→ Wrong. Same reason — it would be trusted by default, preventing the user from being warned.
Only B ensures users get the intended untrusted certificate warning.
📘 Reference
From Palo Alto Networks Documentation:
“For the Forward Untrust certificate, use a self-signed CA certificate generated on the firewall. This ensures that the client receives an untrusted certificate warning when the original server certificate is untrusted.”
Question # 3
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
C. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
D. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.
Reveal Answer
B. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
Explanation:
Key Observations from the Screenshot:
1. Administrative Management Services:
Enabled Services: HTTP, HTTPS, Telnet, SSH (explicitly listed).
Disabled Services: No mention of SNMP (though it appears under Network Services, it is not enabled for management access).
2. Permitted IP Addresses:
Only $permitted-subnet-2 is configured under PERMITTED IP ADDRESSES.
$permitted-subnet-1 is not listed, so it is not allowed.
3. Network Services:
Ping is enabled (under Network Services), but SNMP and others are separate from management access controls.
Why Not Other Options?
A. Incorrectly includes $permitted-subnet-1, which is not configured.
C. Incorrectly includes SNMP (not enabled for management) and $permitted-subnet-1.
D. Incorrectly includes $permitted-subnet-1, which is absent.
Access Summary:
Allowed Protocols: HTTP, Telnet, HTTPS, SSH, Ping.
Permitted Source IPs: Only $permitted-subnet-2.
Reference:
Palo Alto Management Interface Documentation:
"Permitted IP addresses restrict management access to explicitly defined subnets."
Question # 4
Which three items must be configured to implement application override? (Choose three.)
A. Custom app
B. Security policy rule
C. Application override policy rule
D. Decryption policy rule
E. Application filter
Reveal Answer
A. Custom app
B. Security policy rule
C. Application override policy rule
Explanation:
To implement Application Override in PAN-OS, you must configure the following three components:
A. Custom App
→ You need to define a custom application under Objects > Applications. This allows the firewall to classify traffic based on port and protocol rather than App-ID. The override policy will use this custom app to tag the traffic.
B. Security Policy Rule
→ Even after overriding App-ID, you still need a security policy to permit or deny the traffic. The custom app created must be referenced in a security rule to enforce access control.
C. Application Override Policy Rule
→ This is the core of the override mechanism. Configured under Policies > Application Override, it matches traffic based on source/destination zone, IP, port, and protocol, and assigns the custom app to that traffic, bypassing App-ID inspection.
These three elements work together to reclassify traffic and enforce policy based on your override logic.
❌ Why the other options are incorrect
D. Decryption policy rule
→ Not required for application override. Decryption is relevant only if you're inspecting encrypted traffic, but it’s not a prerequisite for overriding application identification.
E. Application filter
→ Application filters are used to group apps by category, risk, or technology for policy convenience. They’re not involved in application override, which uses a custom app, not a filter.
Reference
You can find the official guidance on Application Override Policy configuration and a summarized exam-focused breakdown on PUPUWEB’s PCNSE prep guide
Question # 5
Refer to the exhibit.
Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the Zero Access.Gen threat.
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.
Reveal Answer
A. Click the hyperlink for the Zero Access.Gen threat
Explanation:
When using the Application Command Center (ACC) to investigate Blocked User Activity and identify users potentially compromised by a botnet, the most effective method is to click the hyperlink for the Zero Access.Gen threat. This action sets a global filter that narrows down all related traffic, users, and sessions associated with that specific threat.
In the screenshot, ZeroAccess.Gen Command and Control Traffic is listed as a critical spyware threat with a botnet category and a high count. Clicking its hyperlink allows the administrator to:
Apply a global filter across the ACC
View all sessions, users, and source IPs tied to this threat
Drill down into logs and threat details for forensic analysis
This is the fastest and most precise way to isolate compromised users and take remediation steps.
❌ Why Other Options Are Incorrect:
B. Click the left arrow beside the Zero Access.Gen threat
→ This expands the row for more details but does not apply a global filter. It’s useful for viewing metadata but not for narrowing down user activity.
C. Click the source user with the highest threat count
→ This shows user-specific data but does not isolate the botnet threat. It’s reactive and less targeted than filtering by threat.
🔗 Valid References:
Palo Alto Networks Knowledge Base: Tips & Tricks: How to Use the Application Command Center (ACC)
Exam4Training PCNSE Practice: Best Method to Set Global Filter in ACC
Question # 6
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
A. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
B. Create an Application Override using TCP ports 443 and 80.
C. Add the HTTP, SSL, and Evernote applications to the same Security policy.
D. Add only the Evernote application to the Security policy rule.
Reveal Answer
D. Add only the Evernote application to the Security policy rule.
Explanation:
Palo Alto Networks firewalls use App-ID, a patented technology that identifies applications regardless of the port, protocol, or encryption used. App-ID works by using multiple classification techniques, including application signatures, protocol decoding, and heuristics, to accurately identify the application running on the network.
When you add the Evernote application to a security policy, the firewall's App-ID engine takes care of identifying and allowing all the necessary components for that application to function correctly, including its implicit use of SSL and web browsing.
App-ID Dependency: The firewall understands the dependencies of applications. For example, it knows that Evernote traffic includes both the core Evernote application traffic and the underlying SSL and web-browsing protocols that it uses to communicate.
Default Behavior: By default, when you select a higher-level application like evernote, the firewall implicitly allows the dependent applications like ssl and web-browsing. You don't need to manually add them to the rule. Doing so would be redundant and could potentially open up your network to unwanted traffic from other applications that also use SSL and web-browsing.
Therefore, the minimum and most secure configuration is to add only the Evernote application to the security policy rule. The firewall's App-ID will handle the rest.
The other options are incorrect:
A & C: Adding separate rules or including http and ssl in the same rule would be redundant and less secure. It would allow any traffic using HTTP/SSL to pass through, not just Evernote.
B: Application Override is used to bypass App-ID's default behavior, typically for custom or non-standard applications. It's not the correct approach here, as the firewall already has a signature for Evernote.
References: App-ID Overview, Create a Security Policy Rule
Question # 7
What must be configured to apply tags automatically based on User-ID logs?
A. Device ID
B. Log Forwarding profile
C. Group mapping
D. Log settings
Reveal Answer
D. Log settings
Explanation: To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting.
References: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
How to Pass PCNSE Exam?
PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
Official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice test helps you identify areas where you need improvement and familiarizes you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.