Your Path to PCNSE Certification Success

Practice makes perfect—and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto certified network security engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto certified network security engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)
A. Log Forwarding profile
B. SSL decryption exclusion
C. Email scheduler
D. Login banner
E. Dynamic updates


B. SSL decryption exclusion
D. Login banner
E. Dynamic updates
Explanation:
Templates in Panorama are used to configure Network and Device tab settings on managed firewalls. When creating a standardized template like “Global,” you’re defining base system-level configurations that apply across all devices in the stack. The following three settings are valid and supported within a Panorama template:

SSL Decryption Exclusion:
Configured under Device > Certificate Management > SSL Decryption Exclusion. This allows you to exclude specific sites or categories from SSL decryption globally. ✅ Valid template setting
Login Banner:
Set under Device > Setup > Management > General Settings. The login banner is a system-level message shown during CLI or GUI login and is managed via templates. ✅ Valid template setting
Dynamic Updates:
Managed under Device > Dynamic Updates. You can configure update schedules and sources for Antivirus, Threat, WildFire, and App-ID databases. ✅ Valid template setting
These are documented in Palo Alto’s Templates and Template Stacks guide.

❌ Why the other options are incorrect
A. Log Forwarding profile:
Log Forwarding profiles are configured under Objects > Log Forwarding, which is part of Device Groups, not Templates. Templates cannot manage policy-based objects like log forwarding.

C. Email Scheduler:
Email scheduler settings (used for reports and alerts) are part of Monitor > Reports and are managed via Device Groups or local firewall config—not via Templates.




Question # 2

Please match the terms to their corresponding definitions.


Explanation:

1. management plane:
This plane handles administrative tasks such as configuration, logging, and reporting. It is supported by a separate processor, RAM, and hard drive to ensure these tasks do not interfere with real-time traffic processing.
2. signature matching:
This involves identifying threats using stream-based, uniform signature matching techniques. It targets exploits (via Intrusion Prevention System - IPS), viruses, spyware, command-and-control (C2) traffic, and stolen sensitive data (SSN).
3. security processing:
This plane performs advanced security functions using high-density parallel processing, enabling flexible and standardized handling of complex security tasks across multiple cores or processors.
4. network processing:
This focuses on network-related tasks, leveraging hardware-accelerated processing for per-packet route lookups, MAC address lookups, and Network Address Translation (NAT) to optimize performance.
These mappings align with the Palo Alto Networks firewall architecture, where different planes are dedicated to specific functions, supported by specialized hardware or processing capabilities. This design ensures efficient handling of management, security, and network tasks.

References:
Palo Alto Networks Documentation:
Firewall Architecture Overview
Palo Alto Networks Technical Whitepapers:
Single-Pass Parallel Processing Architecture




Question # 3

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.
Which setting should be modified on ethernet1/1 to remedy this problem?
A. Lower the interface MTU value below 1500.
B. Enable the Ignore IPv4 Don't Fragment (DF) setting.
C. Change the subnet mask from /23 to /24.
D. Adjust the TCP maximum segment size (MSS) value.


D. Adjust the TCP maximum segment size (MSS) value.
Explanation:
The issue arises because the upstream router’s MTU is set to 1400 bytes, while the firewall interface (ethernet1/1) likely defaults to an MTU of 1500 bytes. This mismatch causes packet fragmentation or drops, especially when the Don't Fragment (DF) bit is set in IP headers—common in TCP traffic.
To resolve this without changing the upstream router or firewall MTU, the best solution is to:

✅ Adjust the TCP MSS value
MSS (Maximum Segment Size) defines the largest TCP payload that can be sent without fragmentation.
By lowering the MSS to account for the upstream MTU (e.g., set MSS to 1360 or lower), you ensure that TCP packets stay within the 1400-byte limit.
This avoids fragmentation and ensures reliable delivery of return traffic from web servers.
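The MSS adjustment described above works by rewriting the MSS option in TCP SYN segments as they cross the firewall. The following Python code is an added example, not part of the original question bank and not Palo Alto Networks code; it assumes IPv4 with no IP options (40 bytes of IP plus TCP header overhead), and the function names and the sample SYN bytes are constructed for illustration.

```python
import struct

IP_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options
TCP_HEADER = 20

def mss_for_mtu(path_mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet."""
    return path_mtu - IP_TCP_OVERHEAD

def mss_value_offset(seg):
    """Offset of the 16-bit MSS value in a SYN's TCP options, or None."""
    if len(seg) < TCP_HEADER or not seg[13] & 0x02:   # only SYNs carry MSS
        return None
    end = min((seg[12] >> 4) * 4, len(seg))           # data offset, in bytes
    i = TCP_HEADER
    while i < end:
        kind = seg[i]
        if kind == 0:                                 # End of Option List
            return None
        if kind == 1:                                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return None                               # malformed option list
        if kind == 2 and seg[i + 1] == 4:             # MSS: kind 2, length 4
            return i + 2
        i += seg[i + 1]
    return None

def read_mss(seg):
    """Advertised MSS of a SYN segment, or None if absent."""
    off = mss_value_offset(seg)
    return None if off is None else struct.unpack_from("!H", seg, off)[0]

def clamp_syn_mss(seg, max_mss):
    """Lower the advertised MSS to max_mss; checksum update is omitted here."""
    off = mss_value_offset(seg)
    if off is None or read_mss(seg) <= max_mss:
        return seg
    out = bytearray(seg)
    struct.pack_into("!H", out, off, max_mss)
    return bytes(out)

# Constructed SYN (51000 -> 443), options: NOP NOP SACK-permitted, MSS 1460, NOP WScale 7
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x80, 0x02, 64240, 0, 0) \
    + bytes.fromhex("01010402020405b401030307")

if __name__ == "__main__":
    clamped = clamp_syn_mss(SAMPLE_SYN, mss_for_mtu(1400))
    print(read_mss(SAMPLE_SYN), "->", read_mss(clamped))
```

With the unclamped MSS of 1460, a full-size segment becomes a 1500-byte packet that exceeds the 1400-byte upstream MTU; after clamping, the largest packet the web server sends is exactly 1400 bytes.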

❌ Why Other Options Are Incorrect:
A. Lower the interface MTU value below 1500: This could help, but it affects all traffic and may not be necessary if MSS adjustment solves the issue more cleanly.
B. Enable the Ignore IPv4 Don't Fragment (DF) setting: This allows fragmented packets through but doesn’t prevent fragmentation or packet drops upstream.
C. Change the subnet mask from /23 to /24: Irrelevant to MTU or packet fragmentation. This affects routing, not packet size.

🔗 Authoritative References:
Pass4Success PCNSE Question Discussion
Palo Alto Networks KB: When to Use Adjust MSS




Question # 4

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
A. Initial
B. Tentative
C. Passive
D. Active-secondary


B. Tentative
Explanation:
In an active/active HA configuration, firewalls monitor specific interfaces or paths (e.g., data links) beyond just the HA control link. When a firewall detects a failure in one of these monitored paths (e.g., a critical data interface goes down), it enters the Tentative state.

Tentative State:
This is a transitional state where the firewall suspects a problem but has not yet taken action (like triggering a failover). It continues to communicate with its peer to determine the severity of the issue. If the path failure is confirmed, the firewall may then change state (e.g., to non-functional) and potentially trigger a failover if it affects its ability to process traffic.

Why the Other Options Are Incorrect:
A. Initial:
This is the state when the firewall is booting up and initializing HA, before it establishes communication with its peer.
C. Passive:
This state is used in active/passive HA, where the firewall is fully functional but does not process traffic unless the active peer fails. It is not a state for path monitoring failures.
D. Active-secondary:
This is a healthy state in active/active HA where the firewall is processing traffic for its assigned context (e.g., a specific vsys). It does not indicate a failure.

Reference:
PAN-OS HA documentation defines the Tentative state as the state a member enters when it detects a monitored interface or path failure but is still operational and communicating with its peer (PAN-OS Administrator’s Guide, "High Availability States" section). This allows for graceful handling of partial failures without immediate, disruptive failovers.




Question # 5

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?
A. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.
B. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.
C. The priority assigned to the Authentication profile defines the order of the sequence.
D. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made.


B. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.
Explanation:
When you configure Authentication Sequences on a Palo Alto firewall:
You first create individual Authentication Profiles (e.g., Kerberos, LDAP, TACACS+).
Then you create an Authentication Sequence, which lists those profiles in a top-to-bottom order.

During authentication:
The firewall checks the first profile in the list.
If it fails (e.g., user not found or authentication denied), it moves to the next profile in the sequence.
The process continues until one profile succeeds, or all fail.
📘 Reference:
Palo Alto Networks – Configure Authentication Sequences

❌ Why not the other options?
A. Alphabetical order
→ Incorrect. The order is explicitly defined by the admin in the Authentication Sequence, not by profile name.
C. Priority assigned
→ Incorrect. There is no numeric priority setting; the list order defines priority.
D. No further attempts if first times out
→ Incorrect. If the first method times out or fails, the firewall continues to the next profile in the sequence.




Question # 6

In a template, which two objects can be configured? (Choose two.)
A. SD-WAN path quality profile
B. Monitor profile
C. IPsec tunnel
D. Application group


B. Monitor profile
C. IPsec tunnel
Explanation:
In PAN-OS, a template is used to configure device-specific settings such as interfaces, zones, routing, and system-level objects. Among the options listed, the following two are valid objects that can be configured within a template:

✅ B. Monitor profile
Monitor profiles are used for link monitoring, tunnel monitoring, and other health checks.
These are configured under Network > Network Profiles > Monitor in the template.
They are essential for high availability and VPN reliability.
✅ C. IPsec tunnel
IPsec tunnels are configured under Network > IPSec Tunnels in the template.
Templates allow centralized configuration of tunnel interfaces, crypto profiles, and peer settings.
This is a core use case for Panorama templates.

❌ Why A and D Are Incorrect:
A. SD-WAN path quality profile: SD-WAN profiles are configured in SD-WAN templates, which are separate from standard Panorama templates. They require SD-WAN licensing and are managed differently.
D. Application group: Application groups are part of security policy objects, which are managed in device groups, not templates.

🔗 Authoritative Reference:
Palo Alto Networks TechDocs: Templates Overview
PCNSE Practice Guide




Question # 7

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
A. Increase the frequency of the applications and threats dynamic updates.
B. Increase the frequency of the antivirus dynamic updates.
C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus
D. Enable the "Report Grayware Files" option in Device > Setup > WildFire.


C. Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus
Explanation:
Enabling real-time WildFire signature lookup allows Palo Alto Networks firewalls to query the WildFire cloud for the latest verdicts on unknown files before allowing them through. However, this lookup happens in parallel with traffic flow—meaning the file may be delivered before the verdict is returned, potentially allowing malware through.
To further reduce the likelihood of newly discovered malware being allowed:

✅ Enable "Hold Mode" in Antivirus Profiles
This feature pauses file delivery until the WildFire cloud returns a verdict.
If the verdict is malicious, the firewall can block the file before it reaches the user.
This prevents patient zero scenarios where malware is delivered before detection.
You can configure this under:
Objects > Security Profiles > Antivirus

And globally under:
Device > Setup > Content-ID > Real-Time Signature Lookup > Enable Hold Mode

❌ Why Other Options Are Incorrect:
A. Increase the frequency of applications and threats dynamic updates: This helps with known threats, but not zero-day malware. Real-time lookup is already faster.
B. Increase the frequency of antivirus dynamic updates: Antivirus updates are periodic and reactive. They don’t help with real-time detection.
D. Enable "Report Grayware Files": This improves visibility but doesn’t block malware. It’s a reporting feature, not a prevention mechanism.

🔗 Authoritative Reference:
Palo Alto Networks TechDocs: Hold Mode for WildFire Real-Time Signature Lookup



How to Pass PCNSE Exam?

The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.