Your Path to PCNSE Certification Success

Practice makes perfect—and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto Certified Network Security Engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto Certified Network Security Engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90. When firewall-01 is rebooted, is there any action taken by the firewalls?
A. No - Neither firewall takes any action because firewall-01 cannot be rebooted when configured with device priority of 90.
B. No - Neither firewall takes any action because firewall-02 is already the active-primary member.
C. Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.
D. Yes - Firewall-02 takes over as the active-primary firewall; firewall-02 remains the active-primary member after firewall-01 becomes functional.


C. Yes - Firewall-02 takes over as the active-primary firewall; firewall-01 takes over as the active-primary member after it becomes functional.
Explanation:
In a preemptive Active-Passive HA configuration, the firewall with the lower priority value is designated to preemptively reclaim the active role once it becomes healthy again.

In this scenario:
Firewall-01 has a priority of 90
Firewall-02 has a priority of 100
Preemption is enabled
So when Firewall-01 reboots, Firewall-02 becomes active-primary. Once Firewall-01 comes back online and passes all health checks, it preempts and reclaims the active role, because it has the lower priority value.
📚 Reference:
Palo Alto Networks – HA Election Settings and Preemption

❌ Why Other Options Are Wrong:
A. Incorrect — priority does not prevent reboot.
B. Incorrect — action is taken when the active firewall fails.
D. Incorrect — preemption causes firewall-01 to reclaim the active role.
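The election rule in the explanation above (lower device priority value wins, and a recovered peer only reclaims the active role when preemption is enabled) can be replayed as a small model. This is an added example and not PAN-OS code or code from this site; it ignores the preemption hold timer and link/path monitoring and only tracks which peer is active-primary.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HaPeer:
    name: str
    priority: int          # PAN-OS semantics: the LOWER device priority value is preferred as active
    healthy: bool = True   # False while the peer is rebooting or failing health checks


class HaPair:
    """Toy model of active/passive election in an HA pair (added example, not PAN-OS code)."""

    def __init__(self, a: HaPeer, b: HaPeer, preempt: bool) -> None:
        self.peers: Dict[str, HaPeer] = {a.name: a, b.name: b}
        self.preempt = preempt
        self.active: Optional[str] = self._preferred()   # initial election when both boot

    def _preferred(self) -> Optional[str]:
        """The healthy peer with the lowest priority value, or None if both are down."""
        healthy = [p for p in self.peers.values() if p.healthy]
        if not healthy:
            return None
        return min(healthy, key=lambda p: p.priority).name

    def fail(self, name: str) -> Optional[str]:
        """Peer goes down (for example a reboot). If it was active, the other peer takes over."""
        self.peers[name].healthy = False
        if self.active == name:
            self.active = self._preferred()
        return self.active

    def recover(self, name: str) -> Optional[str]:
        """Peer passes its health checks again. With preempt enabled, a lower priority value
        reclaims the active role; without preempt, whoever is currently active stays active."""
        peer = self.peers[name]
        peer.healthy = True
        if self.active is None:
            self.active = name
        elif self.preempt and peer.priority < self.peers[self.active].priority:
            self.active = name
        return self.active


def question_one_scenario(preempt: bool) -> List[str]:
    """Replays the exam scenario: firewall-01 priority 90, firewall-02 priority 100,
    firewall-01 reboots. Returns the active-primary peer after boot, after the reboot,
    and after firewall-01 recovers."""
    pair = HaPair(HaPeer("firewall-01", 90), HaPeer("firewall-02", 100), preempt)
    timeline = [pair.active]
    timeline.append(pair.fail("firewall-01"))
    timeline.append(pair.recover("firewall-01"))
    return timeline


if __name__ == "__main__":
    print("preempt on :", question_one_scenario(True))   # firewall-01 reclaims the active role
    print("preempt off:", question_one_scenario(False))  # firewall-02 stays active
```

Running the same scenario with preempt off is the useful contrast: the failover still happens, but firewall-01 comes back as passive, which is the behaviour option D describes for a non-preemptive pair.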




Question # 2

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"
C. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
D. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"


A. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"
Explanation:
To confirm that WildFire has identified a virus, the administrator must check the WildFire Submissions log. This log specifically tracks files submitted to WildFire and their verdicts.
The filter (subtype eq wildfire-virus) targets entries where WildFire has classified a file as malware (virus).
Threat logs (options B and D) show broader threat activity but do not confirm WildFire verdicts.
Traffic logs (option C) do not contain WildFire verdicts at all.

📘 Reference:
WildFire Log Review – Palo Alto Networks
PCNSE WildFire Log Filter Guide
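To make the point about picking the right log concrete, the following added example (not code from this site or from Palo Alto Networks) implements a small evaluator for filters of the form `(field eq value)` joined by `and`/`or` and runs it over constructed sample records for the WildFire Submissions, Threat and Traffic logs. The record fields and values are constructed for illustration, and the evaluator only supports `eq`/`neq` terms evaluated left to right, which is a simplification of the real filter language.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample records keyed by log type (Monitor > Logs > ...). Not real firewall output.
SAMPLE_LOGS: Dict[str, List[Dict[str, str]]] = {
    "wildfire": [  # WildFire Submissions log: one row per submitted file, carrying the verdict
        {"receive_time": "2024/05/01 10:02:11", "subtype": "wildfire-virus",
         "filename": "invoice.exe", "verdict": "malicious"},
        {"receive_time": "2024/05/01 10:05:42", "subtype": "wildfire",
         "filename": "report.pdf", "verdict": "benign"},
    ],
    "threat": [  # Threat log: signature hits; there is no WildFire verdict field here
        {"receive_time": "2024/05/01 10:02:30", "subtype": "virus",
         "threat": "constructed-av-signature"},
        {"receive_time": "2024/05/01 10:03:00", "subtype": "vulnerability",
         "threat": "constructed-ips-signature"},
    ],
    "traffic": [  # Traffic log: session records; no threat or verdict fields at all
        {"receive_time": "2024/05/01 10:02:00", "subtype": "end",
         "app": "web-browsing", "action": "allow"},
    ],
}

Term = Tuple[str, str, str]                      # (field, operator, value)
_TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([^\s()]+)\s*\)")
_TOKENS = re.compile(r"\(\s*\w+\s+(?:eq|neq)\s+[^\s()]+\s*\)|\band\b|\bor\b")


def parse_filter(expr: str) -> List[Union[Term, str]]:
    """Tokenise e.g. '(subtype eq wildfire-virus) or (subtype eq wildfire)' into
    alternating terms and operators. Raises ValueError on anything else."""
    tokens = _TOKENS.findall(expr)
    if not tokens or "".join(tokens).replace(" ", "") != expr.replace(" ", ""):
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    parsed: List[Union[Term, str]] = []
    for i, tok in enumerate(tokens):
        if i % 2 == 0:                            # even positions must be terms
            m = _TERM.fullmatch(tok)
            if not m:
                raise ValueError(f"expected a (field op value) term, got {tok!r}")
            parsed.append(m.groups())
        elif tok in ("and", "or"):                # odd positions must be operators
            parsed.append(tok)
        else:
            raise ValueError(f"expected and/or, got {tok!r}")
    if len(parsed) % 2 == 0:
        raise ValueError("filter cannot end with an operator")
    return parsed


def _test(record: Dict[str, str], term: Term) -> bool:
    field, op, value = term
    actual = record.get(field, "")                # a missing field compares as empty
    return actual == value if op == "eq" else actual != value


def matches(record: Dict[str, str], parsed: List[Union[Term, str]]) -> bool:
    """Evaluate the parsed filter left to right (no precedence between and/or)."""
    result = _test(record, parsed[0])
    for i in range(1, len(parsed), 2):
        rhs = _test(record, parsed[i + 1])
        result = (result and rhs) if parsed[i] == "and" else (result or rhs)
    return result


def search(log_type: str, expr: str) -> List[Dict[str, str]]:
    """Apply a filter string to one log type and return the matching records."""
    parsed = parse_filter(expr)
    return [r for r in SAMPLE_LOGS[log_type] if matches(r, parsed)]


if __name__ == "__main__":
    for log_type, expr in [("wildfire", "(subtype eq wildfire-virus)"),
                           ("threat", "(subtype eq wildfire-virus)"),
                           ("traffic", "(subtype eq virus)")]:
        print(log_type, expr, "->", search(log_type, expr))
```

Only the WildFire Submissions records carry a `verdict` field, so the same `(subtype eq wildfire-virus)` filter returns a hit there and nothing in the Threat log; a Threat log match on `(subtype eq virus)` tells you an antivirus signature fired, not what WildFire concluded.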




Question # 3

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall. Which three types of interfaces support SSL Forward Proxy? (Choose three.)
A. High availability (HA)
B. Layer 3
C. Layer 2
D. Tap
E. Virtual Wire


B. Layer 3
C. Layer 2
E. Virtual Wire
Explanation:
SSL Forward Proxy is a decryption method where the firewall acts as a man-in-the-middle for outbound SSL/TLS connections from trusted internal users to external sites. It requires the firewall to be an active, in-line participant in the traffic flow to intercept, decrypt, inspect, and re-encrypt the traffic. The three interface types that support this are:

B. Layer 3:
This is a standard routed mode deployment. The firewall is the default gateway for the internal users, allowing it to easily intercept and decrypt outbound traffic destined for the internet.
C. Layer 2:
In Layer 2 (switched) mode, the firewall operates as a transparent bridge but is still an active in-line device. It can see and intercept all traffic between the internal and external segments for SSL Forward Proxy.
E. Virtual Wire:
This is also a transparent, non-routed mode of operation. The firewall is placed directly in the path of the traffic (like a bump on the wire) without requiring IP address changes. As an in-line device, it fully supports SSL Forward Proxy decryption.

Why the Other Options Are Incorrect:
A. High availability (HA):
HA is a functional mode, not an interface type. HA pairs use one of the supported interface types (Layer 3, Layer 2, or Virtual Wire) and inherit their decryption capabilities. You cannot configure an interface as an "HA" type.
D. Tap:
In TAP mode, the firewall only receives a copy of the traffic for monitoring purposes. It is not an in-line device and therefore cannot intercept, decrypt, or block traffic. SSL Forward Proxy requires active interception, which is impossible in TAP mode.

Valid Reference:
Palo Alto Networks Administrator Guide | SSL Decryption | Decryption Deployment Models: The documentation specifies that SSL Forward Proxy decryption is supported on firewalls deployed in Layer 3, Layer 2, and Virtual Wire modes. It explicitly states that TAP mode does not support decryption because the firewall is not in the traffic path.




Question # 4

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
A. It can run on a single virtual system and multiple virtual systems.
B. It can run on multiple virtual systems without issue.
C. It can run only on a single virtual system.
D. It can run only on a virtual system with an alias named "web proxy."


A. It can run on a single virtual system and multiple virtual systems.
Explanation:
In a Palo Alto Networks NGFW configured with multiple virtual systems (vsys), each vsys operates as an independent firewall instance. To enable inter-vsys communication—that is, traffic flowing between zones in different vsys without leaving the physical appliance—you must configure an external zone.

Here’s how it works:
An external zone is a special type of zone that represents another vsys within the same firewall.
It’s not tied to any interface, unlike regular zones.
It allows traffic to be routed internally between vsys, enabling policy enforcement and App-ID inspection across virtual boundaries.
Each vsys can have only one external zone, and it must be explicitly configured to allow traffic to/from another vsys.
This setup is essential for scenarios like shared services, centralized logging, or inter-vsys segmentation where traffic should remain inside the appliance.

❌ Why the Other Options Are Incorrect:
B. While the traffic is leaving the appliance
→ Incorrect. External zones are specifically designed to keep traffic inside the firewall.
C. Same external zone used on different vsys
→ Misleading. Each vsys must define its own external zone; they are not shared across vsys.
D. Multiple external zones per vsys
→ Invalid. A vsys can have only one external zone, by design.

📚 References:
Palo Alto Networks – External Zone Configuration
PCNSE Guide – Role of External Zones in Multi-VSYS Environments




Question # 5

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down under High Availability.

What could an administrator do to troubleshoot the issue?
A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
B. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings
C. Go to Device > High Availability > HA Communications > General > and check the Heartbeat Backup under Election Settings
D. Check peer IP address for heartbeat backup in Device > High Availability > HA Communications > Packet Forwarding settings.


A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
Explanation:
The HA widget on the dashboard shows Heartbeat Backup as Down. This typically means the firewall is unable to communicate with its peer over the configured backup heartbeat channel.

To troubleshoot this:
Navigate to Device > High Availability > General > HA Pair Settings
Ensure the peer IP address for Heartbeat Backup is correctly configured
Verify that the interface used for heartbeat backup is up, reachable, and not blocked by firewall policies
📚 Reference:
Palo Alto Networks – Configure HA Heartbeat Backup

❌ Why Other Options Are Wrong:
B. Management Interface Settings:
Not related to heartbeat backup unless you're using the management interface for HA (rare).
C. Election Settings:
Controls HA role election — not heartbeat communication.
D. Packet Forwarding Settings:
Not relevant to heartbeat backup configuration.




Question # 6

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls need to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?
A. Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.
B. Create one template stack and place the Datacenter_Template in higher priority than BranchOffice_template.
C. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.
D. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack.


D. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack.
Explanation:
In Panorama, template stacks allow layering of multiple templates, with higher-priority templates overriding lower ones. The order matters: templates at the top of the stack take precedence when there are conflicting settings.
To assign different idle timeout values for Datacenter and BranchOffice firewalls:

Create two separate template stacks:
One for Datacenter firewalls
One for BranchOffice firewalls
In each stack, place the corresponding template (Datacenter_Template or BranchOffice_Template) at the top. This ensures that its settings—like idle timeout—override any shared or base template values beneath it.
This approach allows centralized management while preserving site-specific configurations.


❌ Why the other options are incorrect
A & B: Using a single stack with both templates risks unintended overrides. You can’t cleanly isolate settings for two distinct firewall groups this way.
C: Placing the site-specific templates at the bottom of the stack means their settings can be overridden by higher templates—defeating the purpose.

🔗 Reference:
You can find this behavior documented in Palo Alto's Templates and Template Stacks guide.
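The precedence rule behind this question (the topmost template in a stack that defines a setting wins, lower templates only fill gaps) is easy to model and to check before a commit. The example below is added here and is not Panorama code or code from this site; it models templates as flat setting-name to value maps, whereas real Panorama templates are XML configuration trees merged node by node, and the template names, the `Base_Template` and its values are constructed for illustration.

```python
from typing import Any, Dict, List, Optional

# Constructed templates (flat maps, a simplification of Panorama's XML templates).
TEMPLATES: Dict[str, Dict[str, Any]] = {
    "Base_Template": {"idle_timeout_min": 15, "dns_primary": "192.0.2.53", "ntp": "ntp.example.com"},
    "Datacenter_Template": {"idle_timeout_min": 20},
    "BranchOffice_Template": {"idle_timeout_min": 30},
}


def resolve(stack: List[str], setting: str) -> Optional[Any]:
    """Stack precedence: walk from the top (index 0) downwards; the first template
    that defines the setting wins. Returns None if no template defines it."""
    for name in stack:
        if setting in TEMPLATES[name]:
            return TEMPLATES[name][setting]
    return None


def effective_config(stack: List[str]) -> Dict[str, Any]:
    """The merged configuration a firewall would receive from this stack."""
    merged: Dict[str, Any] = {}
    for name in reversed(stack):          # apply bottom first so higher templates overwrite
        merged.update(TEMPLATES[name])
    return merged


def shadowed_templates(stack: List[str], setting: str) -> List[str]:
    """Templates whose value for `setting` is hidden by a template above them.
    A pre-commit check: if a site-specific template appears here, the stack is misordered."""
    defining = [name for name in stack if setting in TEMPLATES[name]]
    return defining[1:]


# Option D: one stack per site, site template on top of the shared base.
DATACENTER_STACK = ["Datacenter_Template", "Base_Template"]
BRANCHOFFICE_STACK = ["BranchOffice_Template", "Base_Template"]
# Options A/B: both site templates in one stack; whichever is higher wins for every member.
SINGLE_STACK = ["Datacenter_Template", "BranchOffice_Template", "Base_Template"]
# Option C: site template at the bottom; the base value shadows it.
MISORDERED_STACK = ["Base_Template", "BranchOffice_Template"]

if __name__ == "__main__":
    for label, stack in [("datacenter", DATACENTER_STACK), ("branch", BRANCHOFFICE_STACK),
                         ("single", SINGLE_STACK), ("misordered", MISORDERED_STACK)]:
        print(f"{label:<11} idle_timeout_min={resolve(stack, 'idle_timeout_min')} "
              f"shadowed={shadowed_templates(stack, 'idle_timeout_min')}")
```

With two stacks the Datacenter and BranchOffice firewalls resolve to 20 and 30 minutes while still inheriting DNS and NTP from the base template; the single stack hands every member the same 20, and the misordered stack silently keeps the base value of 15, which `shadowed_templates` flags by listing `BranchOffice_Template`.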




Question # 7

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?
A. IPv6 Source or Destination Address
B. Destination-Based Service Route
C. IPv4 Source Interface
D. Inherit Global Setting


C. IPv4 Source Interface
Explanation:
When configuring service routes on a Palo Alto firewall:
By default, all services (DNS, updates, PAN-DB, WildFire, etc.) use the management interface (global setting).
In multi-vsys environments, you can override this global configuration and define service routes per virtual system.
The supported type of service route override in this context is:
IPv4 Source Interface (and Source Address if needed) → This allows traffic for services to egress from a specific data interface rather than the management interface.
This gives admins more flexibility and security by isolating services per vsys.

❌ Why other options are incorrect
A. IPv6 Source or Destination Address
❌ Not correct. Service routes support IPv4 source interface/source address. IPv6 service routes are supported in PAN-OS, but per-vsys overrides are specifically IPv4-based.

B. Destination-Based Service Route
❌ Not correct. Service routes are configured based on the service type (e.g., DNS, updates, WildFire), not based on the destination.

D. Inherit Global Setting
❌ Not correct. This is the default behavior (inherit from global configuration). The question specifically says the engineer configures a specific service route instead of using inherited global config, so this is not the answer.

📖 Reference
Palo Alto Networks TechDocs – Service Routes
PCNSE Study Guide:
Service routes can be configured per-vsys using IPv4 source interface/address.



How to Pass PCNSE Exam?

PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

Official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto Certified Network Security Engineer exam.