Question # 1
Which three methods are supported for split tunneling in the GlobalProtect Gateway?
(Choose three.)
A. Destination user/group
B. URL Category
C. Destination Domain
D. video streaming application
E. Source Domain
Answer:
C. Destination Domain
D. video streaming application
Explanation:
GlobalProtect split tunneling allows administrators to define which traffic is sent through the VPN tunnel (to be inspected by the firewall) and which traffic is sent directly to the internet. The three supported methods for creating these rules are:
1. B. URL Category: Traffic destined for websites belonging to a specific URL category (e.g., "financial-services," "health-and-medicine," "not-resolved") can be either tunneled or excluded from the tunnel.
2. C. Destination Domain: Traffic destined for a specific fully qualified domain name (FQDN) (e.g., sensitive-app.corp.com) can be matched and the tunnel action applied.
3. F. Client Application Process: Traffic generated by a specific application process running on the endpoint (e.g., my_browser.exe, company_erp.exe) can be forced through the tunnel or allowed to go direct.
Why the Other Options Are Incorrect:
A. Destination user/group: Split tunnel rules are based on network traffic characteristics (domain, IP, URL, application), not on the user identity. User/Group is used elsewhere in GlobalProtect for authentication and connection policies, but not for defining split tunnel traffic matches.
D. Video streaming application: This is a specific use case, not a configurable matching criterion. While you could create a rule based on the URL category "streaming-media" or the application "netflix," "video streaming application" itself is not a selectable option in the split tunnel configuration.
E. Source Domain: Split tunnel policies are concerned with the destination of the traffic (where it's going), not its source domain. The source is always the GlobalProtect client.
Reference:
Palo Alto Networks Administrator Guide | GlobalProtect | Gateway Configuration | Split Tunnel: The official documentation lists the specific Include List and Exclude List criteria for split tunneling, which are: IP Address, Domain, URL Category, and Application. "Application" here refers to the Client Application Process.
Question # 2
An administrator is building Security rules within a device group to block traffic to and from malicious locations.
How should those rules be configured to ensure that they are evaluated with a high priority?
A. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.
B. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.
C. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.
D. Create the appropriate rules with a Block action and apply them at the top of the Default Rules.
Answer:
A. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules.
Explanation:
In Panorama-managed environments, Security Pre-Rules are evaluated before local firewall rules and Security Post-Rules. To ensure that block rules targeting malicious traffic are enforced with high priority, they should be placed at the top of the Security Pre-Rules within the relevant device group.
This guarantees that:
The rules are evaluated before any local or post-rule policies
Malicious traffic is blocked early in the rule evaluation process
The policy applies consistently across all firewalls in the device group
Security Pre-Rules are ideal for centralized enforcement of critical policies like threat blocking, geo-IP restrictions, or known bad IPs/domains.
❌ Why Other Options Are Incorrect:
B. Security Post-Rules: These are evaluated after local firewall rules. Placing block rules here risks them being overridden or missed entirely.
C. Local firewall Security rules: These are evaluated after Pre-Rules. In Panorama deployments, centralized control is preferred for consistency and auditability.
D. Default Rules: These are implicit rules at the bottom of the rulebase (e.g., deny all). You cannot place custom block rules here, nor do they offer high priority.
🔗 Valid References:
Ace4Sure PCNSE Question Explanation
Exam4Training PCNSE Practice
Palo Alto Networks TechDocs: Security Policy Rulebase Evaluation Order
Question # 3
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?
A. The profile rule action
B. CVE column
C. Exceptions tab
D. The profile rule threat name
Answer:
C. Exceptions tab
Explanation:
To determine what action the firewall will take for a specific CVE (Common Vulnerabilities and Exposures), the administrator should navigate to the Exceptions tab within the Vulnerability Protection profile. This tab provides granular visibility into individual threat signatures, including those mapped to CVEs, and allows the administrator to view or override the default action (e.g., alert, drop, block).
From there, selecting “Show all signatures” enables filtering by CVE ID, threat name, or severity. The action column will display what the firewall is configured to do when that specific CVE signature is triggered.
This is confirmed in Palo Alto’s Threat Signature Exception documentation.
❌ Why the other options are incorrect
A. The profile rule action: This shows the general action for the rule (e.g., alert or block), but not per-CVE granularity. It doesn’t reveal what happens for a specific CVE signature.
B. CVE column: This column helps identify which CVE a threat signature maps to, but it doesn’t show the firewall’s configured action. It’s informational only.
D. The profile rule threat name: Like the CVE column, this helps locate the signature but doesn’t show or control the action taken. You must go to the Exceptions tab to see or change the action.
Question # 4
An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?
A. test vpn ike-sa
B. test vpn gateway
C. test vpn flow
D. test vpn tunnel
Answer:
D. test vpn tunnel
Explanation:
1. What the Command Does
test vpn tunnel → Manually initiates an IPSec VPN tunnel.
This command triggers Phase 1 (IKE SA) and Phase 2 (IPSec SA) negotiation.
Useful when troubleshooting site-to-site VPNs — you don’t have to wait for interesting traffic to bring the tunnel up.
2. Other Options (Why Not?)
A. test vpn ike-sa → Tests and verifies IKE Security Association (Phase 1). Does not bring the tunnel fully up.
B. test vpn gateway → Tests the IKE gateway configuration (Phase 1 negotiation only). Again, not the whole tunnel.
C. test vpn flow → Simulates VPN flow lookup and path determination. Used for checking whether traffic matches a VPN configuration, not for initiating the tunnel.
3. Best Practice in Troubleshooting
a. Start with:
show vpn flow
show vpn ike-sa
show vpn ipsec-sa
b. Then use:
test vpn tunnel
to force negotiation.
Reference (Official Docs):
Palo Alto Networks — CLI Commands for Troubleshooting IPSec VPNs
🔗 PAN-OS CLI VPN Commands
Question # 5
A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS.
Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)
A. Telemetry feature is automatically enabled during PAN-OS installation.
B. Telemetry data is uploaded into Strata Logging Service.
C. Telemetry feature is using Traffic logs and packet captures to collect data.
D. Telemetry data is shared in real time with Palo Alto Networks.
Answer:
B. Telemetry data is uploaded into Strata Logging Service.
D. Telemetry data is shared in real time with Palo Alto Networks.
Explanation:
What Device Telemetry Does:
Device Telemetry in PAN-OS allows Palo Alto Networks to collect information from firewalls to improve product reliability, threat prevention, and customer support.
Data types include device health, configuration usage, feature adoption, threat samples, and system statistics.
Privacy/Security Consideration:
Since the data goes outside the company’s infrastructure, an organization must ensure compliance with local data privacy and data storage laws (e.g., GDPR in the EU).
Option Review
A. Telemetry feature is automatically enabled during PAN-OS installation. ❌
→ False. By default, Device Telemetry is disabled. It must be explicitly enabled by an administrator.
B. Telemetry data is uploaded into Strata Logging Service. ✅
→ Correct. Data is stored in Palo Alto’s Strata Logging Service (SLS), which may be hosted in specific regions (e.g., US, EU). If regulations restrict data export, the company must review this.
C. Telemetry feature is using Traffic logs and packet captures to collect data. ❌
→ Incorrect. Device Telemetry does not use packet captures or forward raw traffic logs. It collects metadata/statistics/configuration health only.
D. Telemetry data is shared in real time with Palo Alto Networks. ✅
→ Correct. Because telemetry data is streamed to PAN in near-real time, companies under strict privacy laws must confirm whether this sharing complies with legal requirements.
Reference:
Palo Alto Networks TechDocs – About Device Telemetry
Palo Alto KB – Device Telemetry FAQ
Question # 6
Given the following snippet of a WildFire submission log, did the end user successfully download a file?
A. No, because the URL generated an alert.
B. Yes, because both the web-browsing application and the flash file have the "alert" action.
C. Yes, because the final action is set to "allow."
D. No, because the action for the wildfire-virus is "reset-both."
Answer:
D. No, because the action for the wildfire-virus is "reset-both."
Explanation:
1. The "allow" action is for the application, not the threat:
The first log line shows the application flash was initially allowed by the rule General Web Infrastructure. This means the firewall permitted the session to be established for application identification and further inspection.
An allow action on an App-ID rule does not mean threats within that session are also allowed. The firewall continues to inspect the traffic for threats.
2. The "reset-both" action is the definitive outcome:
Subsequent logs show the flash file was analyzed by the WildFire and virus threat prevention engines.
Crucially, the wildfire-virus and virus log entries both have an action of reset-both.
A reset-both action immediately terminates the TCP session by sending TCP reset (RST) packets to both the client and server. This prevents the completion of the transfer, meaning the file was not successfully downloaded to the user's endpoint.
3. Why the other options are incorrect:
A. No, because the URL generated an alert. - While the url category did generate an alert, this is just a log entry. The alert action itself does not block traffic. The session was ultimately terminated by the more severe reset-both action from the virus detection.
B. Yes, because both the web-browsing application and the flash file have the "alert" action. - The alert action for the file and url events is informational and does not override the subsequent reset-both action, which is a blocking action. The presence of an alert does not mean the session was allowed to complete.
C. Yes, because the final action is set to "allow." - This is a misinterpretation of the log. The allow action is the first event for the application. The subsequent security subsystem events (wildfire-virus, virus) have their own actions which take precedence and override the initial application allow.
Reference:
Palo Alto Networks Administrator Guide | Security Policy Rulebuilding | Rule Evaluation Order: Security profiles (Threat, Vulnerability, WildFire, etc.) are evaluated after the Security policy rule. A traffic flow is only ultimately permitted if it is allowed by the App-ID rule and not blocked by any security profile. A reset-both action from a security profile will always block the session.
Action Definitions: In the context of logs, reset-both is a definitive blocking action that terminates a session in progress.
Question # 7
Which link is responsible for synchronizing sessions between high availability (HA) peers?
A. HA1
B. HA3
C. HA4
D. HA2
Answer:
D. HA2
Explanation:
In a Palo Alto Networks High Availability (HA) configuration, synchronization between HA peers ensures that the passive firewall can seamlessly take over if the active firewall fails. The HA2 link is responsible for synchronizing session information, including active sessions, IPsec security associations (SAs), and other data plane states, between the HA peers. This link operates over a dedicated data interface or in-band and uses a proprietary protocol to replicate real-time session data, enabling the passive firewall to maintain continuity during a failover.
Why Other Options Are Incorrect:
A. HA1: The HA1 link is used for control plane synchronization, including HA configuration, heartbeats, and state information (e.g., active/passive status), but it does not synchronize session data. It typically uses a dedicated management interface or in-band connection. The PCNSE Study Guide clarifies its control plane role.
B. HA3: HA3 is not a standard HA link in Palo Alto Networks firewalls. The HA architecture includes HA1 and HA2, with no defined HA3 link for synchronization or other purposes. The PAN-OS 11.1 Administrator’s Guide confirms the absence of HA3.
C. HA4: HA4 is also not a recognized HA link in PAN-OS. The synchronization process is limited to HA1 and HA2, and no documentation supports HA4 as a functional component. The PCNSE Study Guide reinforces the HA1/HA2 framework.
Practical Steps:
Navigate to Device > High Availability > General.
Configure the HA2 link by selecting a data interface or enabling in-band synchronization.
Set the HA2 backup link (optional) for redundancy under HA2 Backup.
Ensure matching HA2 settings (e.g., IP address, port) on both peers.
Commit the configuration.
Verify synchronization status via Device > High Availability > Operational Commands > Show HA State or CLI show high-availability state.
Check session sync via Monitor > System Logs for HA-related messages.
Additional Considerations:
Ensure sufficient bandwidth on the HA2 link, as session sync can be data-intensive.
Use a dedicated HA2 link for large-scale deployments to avoid performance impacts.
Confirm PAN-OS version (e.g., 11.1) supports HA2, which it does by default.
References:
Palo Alto Networks PAN-OS 11.1 Administrator’s Guide: Details HA2 for session synchronization.
Palo Alto Networks PCNSE Study Guide: Explains HA link responsibilities.
How to Pass PCNSE Exam?
PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto Networks Certified Network Security Engineer exam.