Your Path to PCNSE Certification Success

Practice makes perfect, and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto certified network security engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto certified network security engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.)
A. PA-220
B. PA-800 Series
C. PA-5000 Series
D. PA-500
E. PA-3400 Series


A. PA-220
B. PA-800 Series
E. PA-3400 Series
Explanation:

Analysis:
PAN-OS 10.2 Support: The compatibility of firewall platforms with a specific PAN-OS version depends on Palo Alto Networks’ hardware and software end-of-life (EOL) policies. PAN-OS 10.2 was released around March 2022, and its support status as of August 2025 would be based on the standard 5-year support period from the initial release date, unless extended or superseded by newer versions (e.g., PAN-OS 11.x).
Upgrade via Panorama: Panorama can push software updates to managed firewalls, but the target platform must be listed as supported for the specified version in the official compatibility matrix or EOL announcements.
Relevant Platforms: The options provided are PA-220, PA-800 Series, PA-5000 Series, PA-500, and PA-3400 Series. We need to identify which three of these are supported for PAN-OS 10.2.

Evaluation of Options:
A. PA-220:
Status: The PA-220 was supported for PAN-OS 10.2 at its release, but an End-of-Sale (EOS) announcement was made on August 1, 2022, with the last supported OS listed as 10.2.x. As of August 2025, support may have ended or be nearing its end (typically 5 years from EOS or first release), but during the active support period, it was compatible. Given the question’s focus on an upgrade to 10.2, it is considered supported if the upgrade occurs within the support window.
Likelihood: Supported, assuming the upgrade is within the support timeline.
B. PA-800 Series:
Status: The PA-800 Series (e.g., PA-820, PA-850) is listed as supporting PAN-OS 10.2 in the compatibility matrix. These platforms are mid-range firewalls designed for branch offices and have ongoing support for 10.2 as of its release date, with no EOL indicated by August 2025 for this version.
Likelihood: Supported.
C. PA-5000 Series:
Status: The PA-5000 Series (e.g., PA-5050, PA-5060) supported PAN-OS 10.2 at its release. However, this series is older, with an EOS announced around 2018, and the last supported OS was likely PAN-OS 9.1 or 10.0, depending on hardware EOL dates. By 2025, support for 10.2 on this series is unlikely unless extended, but during the 10.2 release period, it was compatible.
Likelihood: Marginally supported, but likely phased out by 2025; however, it was supported at 10.2’s release.
D. PA-500:
Status: The PA-500 is an older platform with an EOS announced on October 31, 2018, and the last supported OS was PAN-OS 8.1. PAN-OS 10.2 is not supported on this hardware due to its age and limited capabilities, as confirmed by EOL documentation.
Likelihood: Not supported.
E. PA-3400 Series:
Status: The PA-3400 Series (e.g., PA-3410, PA-3440) was introduced around 2022 and is designed to support newer PAN-OS versions, including 10.2. This series is explicitly listed as compatible with PAN-OS 10.2 in the release notes and datasheets from that period, with ongoing support as of 2025.
Likelihood: Supported.
Selection of Three Platforms:
Based on the compatibility matrix and EOL data up to August 2025, the platforms that support PAN-OS 10.2 include PA-220, PA-800 Series, and PA-3400 Series. The PA-5000 Series may have been supported at 10.2’s release but is likely past its support window by 2025, and the PA-500 is definitively unsupported. Since the question focuses on an upgrade to 10.2 via Panorama, we assume the intent is to identify platforms supported at the time of 10.2’s availability, adjusted for current context.
Final Three: A. PA-220, B. PA-800 Series, and E. PA-3400 Series are the most consistent choices, reflecting a mix of supported platforms from the release period onward.
Conclusion:
The three platforms that support PAN-OS 10.2 for an upgrade via Panorama are PA-220, PA-800 Series, and PA-3400 Series. This selection aligns with the compatibility data and the question’s focus on an upgrade scenario.

References:
Palo Alto Networks Documentation: PAN-OS 10.2 Compatibility Matrix
Palo Alto Networks Documentation: Hardware End-of-Life Dates
ExamTopics PCNSE Discussion: PAN-OS Version Support




Question # 2

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
A. Financial, health, and government traffic categories
B. Known traffic categories
C. Known malicious IP space
D. Public-facing servers
E. Less-trusted internal IP subnets


A. Financial, health, and government traffic categories
C. Known malicious IP space
E. Less-trusted internal IP subnets
Explanation:
When firewall sizing limits the ability to decrypt all traffic, Palo Alto Networks recommends a staged and prioritized decryption rollout. The goal is to maximize security impact while minimizing resource consumption. The following traffic types should be prioritized:

A. Financial, health, and government traffic categories
✔️ These categories are high-value targets for data exfiltration and fraud. Decrypting them helps detect:
Malware hidden in encrypted sessions
Unauthorized data transfers
Compliance violations

C. Known malicious IP space
✔️ Decrypting traffic to/from known bad IPs allows:
Full inspection of payloads
Detection of command-and-control (C2) activity
Prevention of encrypted malware delivery

E. Less-trusted internal IP subnets
✔️ Internal segments that are not fully trusted (e.g., guest networks, unmanaged devices) should be decrypted to:
Detect lateral movement
Prevent insider threats
Enforce granular security policies

❌ Incorrect Options:
B. Known traffic categories
✖️ These are typically low-risk or well-understood applications (e.g., Microsoft updates, Zoom) and may not need decryption.

D. Public-facing servers
✖️ These are typically handled via SSL Inbound Inspection, not Forward Proxy, and are not bulk user traffic.

Authoritative Source:
Palo Alto Networks – Size the Decryption Firewall Deployment




Question # 3

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What must the administrator do to correct this issue?
A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template


C. Add the template as a reference template in the device group
Explanation:
In Panorama, when creating policies for a device group and template stack, the zone dropdown list will only show zones that are defined in the template and associated with a firewall. If no firewall is added to both the device group and the template, Panorama cannot correlate the zone definitions with a real device, and the dropdown will appear incomplete.

To fix this:
Ensure that the firewall is added to both:
The device group (for policy management)
The template (for interface and zone definitions)
This allows Panorama to correctly populate zone objects in the policy editor.

❌ Why Other Options Are Incorrect:
A. Specify the target device as the master device in the device group
This is used for reference configuration comparison, not for zone population.
B. Enable "Share Unused Address and Service Objects with Devices"
This affects object sharing, not zone visibility.
C. Add the template as a reference template in the device group
Reference templates are used for inheritance, not for linking zones to policies.

🔗 Reference:
Exam4Training PCNSE Question
Palo Alto Networks KB: New Zone Not Visible in Panorama




Question # 4

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"
C. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
D. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"


A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
Explanation:
To confirm that WildFire has identified a virus, the administrator must check the WildFire Submissions log. This log specifically tracks files submitted to WildFire and their verdicts.
The filter (subtype eq wildfire-virus) targets entries where WildFire has classified a file as malware (virus).
Threat logs (options B and D) show broader threat activity but do not confirm WildFire verdicts.
Traffic logs (option C) do not contain WildFire verdicts at all.

📘 Reference:
WildFire Log Review – Palo Alto Networks
PCNSE WildFire Log Filter Guide




Question # 5

Which protocol is natively supported by GlobalProtect Clientless VPN?
A. HTP
B. SSH
C. HTTPS
D. RDP


C. HTTPS
Explanation:
GlobalProtect Clientless VPN is designed to allow users to securely access internal web applications without installing the GlobalProtect agent. It works by proxying traffic through the firewall using a browser-based interface.

The protocol it natively supports is:
HTTPS — because Clientless VPN is web-based and only proxies web applications that use secure HTTP.
📚 Reference:
Palo Alto Networks – Configure Clientless VPN

❌ Why Other Options Are Wrong:
A. HTP:
Typo — not a valid protocol.
B. SSH:
Not supported natively via Clientless VPN.
D. RDP:
Requires the full GlobalProtect agent or other remote access tools — not supported via Clientless VPN.




Question # 6

The template stack should consist of four templates arranged according to the diagram. Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?
A. Values in Datacenter
B. Values in efwOlab.chi
C. Values in Global Settings
D. Values in Chicago


D. Values in Chicago
Explanation:
In Panorama, when multiple templates are combined into a template stack, the firewall inherits configuration values based on template priority. The template at the top of the stack has the highest precedence, and its values override those in lower-priority templates if the same object (e.g., SSL/TLS Service profile named "Management") is defined in multiple templates.

According to the retrieved reference:
"The firewall will inherit the settings from the highest priority template that has the setting configured, and ignore the settings from the lower priority templates that have the same setting configured."
So, if all four templates in the stack (Global Settings, Datacenter, efwOlab.chi, and Chicago) define an SSL/TLS Service profile named Management, the firewall will use the version from the Chicago template—assuming it is highest in the stack.

🔗 Authoritative Reference:
Palo Alto Networks TechDocs: Templates and Template Stacks
Cramkey PCNSE Lab Discussion: SSL/TLS Profile Inheritance




Question # 7

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?
A. Command line > debug dataplane packet-diag clear filter-marked-session all
B. In the GUI under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface
C. Command line > debug dataplane packet-diag clear filter all
D. In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"


C. Command line > debug dataplane packet-diag clear filter all
Explanation:
When you apply a new packet capture filter, the firewall may still continue capturing traffic matching the old filter, because the previously configured filter is still cached in the dataplane.
To make sure only the new filter applies, you must clear the old filter configuration before starting a new capture.

The CLI command is:
> debug dataplane packet-diag clear filter all
This ensures that all previous filter conditions are removed, so the next packet capture will only use the newly configured filter.

❌ Why the other options are wrong:
A. debug dataplane packet-diag clear filter-marked-session all
This clears session-based debug filters, not the packet capture filter. Different purpose.
B. GUI under Monitor > Packet Capture > Manage Filters > Ingress Interface
Selecting an interface narrows the capture scope, but it does not clear the old filter, so stale matches may still show up.
D. GUI under Non-IP field, select "exclude"
This only filters out non-IP traffic, not the old filter set. Doesn’t solve the stale filter issue.

📖 Reference:
Palo Alto Networks TechDocs – Use Packet Capture:



How to Pass PCNSE Exam?

The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.