Your Path to PCNSE Certification Success

Practice makes perfect, and our PCNSE practice tests are built to make passing a certainty. Get ready to conquer your exam with ease!

3000 Monthly Visitors
1 PCNSE Exam
250+ Questions With Answers
250 Students Passed
5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto Networks Certified Network Security Engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto Networks Certified Network Security Engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the certificate for the website https://www.very-important-website.com. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain, Well-Known-Intermediate-CA and Well-Known-Root-CA. A security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
A. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.
B. Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate and commit the configuration.
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
D. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.


C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
Explanation:
To meet both customer requirements under SSL Forward Proxy decryption, the firewall must:

1. Trust the certificate chain of https://www.very-important-website.com so it can re-sign the certificate using the Forward Trust CA (not the Untrusted CA).
2. Continue using the Forward Untrust CA for any other site with an untrusted certificate chain, so users still receive warnings for those.

The correct way to achieve this is:
Import the Well-Known Intermediate CA and Well-Known Root CA into the Default Trusted Certificate Authorities store.
Mark them as Trusted Root CAs.
This allows the firewall to recognize the original server certificate as trusted, and therefore use the Forward Trust CA to re-sign it for the client.
Other sites with untrusted chains will still trigger the Forward Untrust CA, preserving the warning behavior.
This approach aligns with Palo Alto Networks’ best practices for selective trust handling during SSL decryption.

Why the Other Options Are Incorrect:
A. Install the Well-Known CAs on end-user systems
→ This does not affect how the firewall signs certificates. The issue is with the firewall using the Untrusted CA, not the client rejecting a valid cert.
B. Clear the Forward Untrust-CA Certificate check box
→ This disables the firewall’s ability to warn users about truly untrusted sites, violating requirement #2.
D. Import into Device Certificates
→ Device Certificates are used for firewall identity and authentication, not for trust evaluation of external server certificates.

Reference:
Configure SSL Forward Proxy – PAN-OS Admin Guide
Knowledge Base – Access Fails with Certificate Error When SSL Forward Proxy is Enabled




Question # 2

What does the User-ID agent use to find login and logout events in syslog messages?
A. Syslog Server profile
B. Authentication log
C. Syslog Parse profile
D. Log Forwarding profile


C. Syslog Parse profile
Explanation:

Why This Option?
1. User-ID Agent Syslog Processing:
The User-ID agent monitors syslog messages (e.g., from Active Directory, VPN servers) to extract login/logout events.
To interpret these events, it uses a Syslog Parse Profile, which defines:
Patterns (regex) to match syslog messages.
Fields to extract (e.g., username, IP address).
2. Configuration:
Profiles are configured under:
Device > User Identification > User-ID Agents > [Agent] > Syslog Parse Profile.
Predefined profiles exist for common sources (e.g., Cisco ASA, Windows Security Logs).

Why Not Other Options?
A. Syslog Server profile is for receiving syslog, not parsing.
B. Authentication log is a log type, not a parsing tool.
D. Log Forwarding profile sends logs, doesn’t parse them.

Reference:
Palo Alto User-ID Agent Guide:
"Syslog Parse Profiles map raw syslog messages to IP-user mappings for User-ID."
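The following Python is an added illustration of what a Syslog Parse Profile does, written for this page and not taken from the User-ID agent: a small set of regex patterns with named capture groups is replayed over constructed syslog lines (the message format is invented) to produce the IP-to-user mapping that User-ID would consume, with logouts removing the mapping and non-matching lines ignored.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed syslog lines standing in for what a VPN gateway might send to
# the User-ID agent. The message format is invented for this example.
SAMPLE_SYSLOG = [
    "<134>May 10 09:01:02 vpn-gw sslvpn: login ok user=jdoe src=10.1.20.15",
    "<134>May 10 09:02:45 vpn-gw sslvpn: login ok user=asmith src=10.1.20.16",
    "<134>May 10 09:40:11 vpn-gw sslvpn: logout user=jdoe src=10.1.20.15",
    "<134>May 10 09:41:00 vpn-gw sslvpn: login failed user=bad src=10.1.20.99",
]

# Minimal model of a Syslog Parse Profile: an event type, a regex selecting
# matching messages, and named groups for the fields to extract (user, ip).
# The structure is this example's own, not PAN-OS's internal representation.
PARSE_PROFILE = [
    ("login",  re.compile(r"login ok user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+)")),
    ("logout", re.compile(r"logout user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+)")),
]


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (event, user, ip) for the first matching profile entry, else None."""
    for event, pattern in PARSE_PROFILE:
        m = pattern.search(line)
        if m:
            return event, m.group("user"), m.group("ip")
    return None  # unmatched lines (e.g. failed logins) yield no mapping


def build_ip_user_map(lines: List[str]) -> Dict[str, str]:
    """Replay syslog lines in order and return the resulting IP-to-user map."""
    mapping: Dict[str, str] = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        event, user, ip = parsed
        if event == "login":
            mapping[ip] = user            # new or updated mapping for this IP
        elif event == "logout" and mapping.get(ip) == user:
            del mapping[ip]               # remove only if that user still owns the IP
    return mapping


if __name__ == "__main__":
    for ip, user in sorted(build_ip_user_map(SAMPLE_SYSLOG).items()):
        print(f"{ip} -> {user}")
```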




Question # 3

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
A. Outdated plugins
B. GlobalProtect agent version
C. Expired certificates
D. Management only mode


A. Outdated plugins
Explanation:

1. Panorama Upgrade Dependencies
When upgrading Panorama, you must ensure that any installed plugins (such as Cloud Services, SD-WAN, etc.) are updated to a version that is compatible with the target PAN-OS release.
If you try to upgrade Panorama while plugins are outdated or incompatible, the install will fail with a compatibility error.

2. Why Not the Other Options?
B. GlobalProtect agent version
→ That applies to endpoint VPN client upgrades and compatibility with PAN-OS, but does not block Panorama upgrades.
C. Expired certificates
→ Can cause SSL/TLS trust issues or service disruptions, but will not prevent a PAN-OS upgrade installation.
D. Management only mode
→ A Panorama in management-only mode still upgrades normally. This mode only disables log collection, not upgrades.

3. Best Practice Before Upgrade
Always check the Release Notes of the target PAN-OS version.
Palo Alto explicitly lists the minimum plugin versions required before upgrading Panorama.
Upgrade the plugins first, then upgrade Panorama software.

Reference:
Palo Alto Networks — Before You Begin Panorama Upgrade
Upgrade the Panorama Software (PAN-OS Admin Guide)




Question # 4

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
A. Change the firewall management IP address
B. Configure a device block list
C. Add administrator accounts
D. Rename a vsys on a multi-vsys firewall
E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode


A. Change the firewall management IP address
C. Add administrator accounts
E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
Explanation:
Template Stacks in Panorama are used to push network and device-level configurations (e.g., interfaces, zones, virtual routers, DNS, NTP) to managed firewalls. However, certain system-level and administrative settings cannot be configured via templates and must be done directly on the firewall or in the device-specific context in Panorama.

Tasks That CANNOT Be Configured via Template Stack:
A. Change the firewall management IP address:
This is a device-specific system setting configured under Device > Setup > Management on the firewall itself or in the Device Settings for the specific firewall in Panorama. It cannot be defined in a shared template.
C. Add administrator accounts:
Administrator accounts are system-wide settings managed under Device > Administrators. These are not part of network configuration and are applied directly to the firewall's management plane, not pushed via templates.
E. Enable operational modes (e.g., normal, multi-vsys, FIPS-CC mode):
These are device-specific modes that define the fundamental operation of the firewall. They are set under Device > Setup > Operations on the local firewall and cannot be controlled by a template.

Why the Other Options Are Incorrect:
B. Configure a device block list:
This is a security policy object (Address or Address Group) that can be configured in a Device Group and pushed from Panorama. It is not a template-specific feature.
D. Rename a vsys on a multi-vsys firewall:
While vsys creation/deletion is device-specific, renaming a vsys can be done via a template if the vsys is managed by that template. The template defines the vsys structure and its name.

Reference:
PAN-OS documentation specifies that templates manage network settings, while device-specific configurations (e.g., management IP, admin accounts, operational modes) are configured in Device Settings or locally on the firewall (PAN-OS Administrator’s Guide, "Templates" section). Operational modes like FIPS require a reboot and are immutable via templates.




Question # 5

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
A. Initial
B. Tentative
C. Passive
D. Active-secondary


B. Tentative
Explanation:
In an active/active HA configuration, firewalls monitor specific interfaces or paths (e.g., data links) beyond just the HA control link. When a firewall detects a failure in one of these monitored paths (e.g., a critical data interface goes down), it enters the Tentative state.

Tentative State:
This is a transitional state where the firewall suspects a problem but has not yet taken action (like triggering a failover). It continues to communicate with its peer to determine the severity of the issue. If the path failure is confirmed, the firewall may then change state (e.g., to non-functional) and potentially trigger a failover if it affects its ability to process traffic.

Why the Other Options Are Incorrect:
A. Initial:
This is the state when the firewall is booting up and initializing HA, before it establishes communication with its peer.
C. Passive:
This state is used in active/passive HA, where the firewall is fully functional but does not process traffic unless the active peer fails. It is not a state for path monitoring failures.
D. Active-secondary:
This is a healthy state in active/active HA where the firewall is processing traffic for its assigned context (e.g., a specific vsys). It does not indicate a failure.

Reference:
PAN-OS HA documentation defines the Tentative state as the state a member enters when it detects a monitored interface or path failure but is still operational and communicating with its peer (PAN-OS Administrator’s Guide, "High Availability States" section). This allows for graceful handling of partial failures without immediate, disruptive failovers.




Question # 6

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)
A. NTP Server Address
B. Antivirus Profile
C. Authentication Profile
D. Service Route Configuration
E. Dynamic Address Groups


A. NTP Server Address
C. Authentication Profile
D. Service Route Configuration
Explanation:
Templates in Panorama are used to push network and device-level configurations to managed firewalls. These settings are consistent across devices and include foundational system services. The following can be configured in a template:

A. NTP Server Address:
This is a device-level setting under Device > Setup > Services. It ensures time synchronization across all firewalls, which is critical for logging and correlation.
C. Authentication Profile:
Used for administrative access or user authentication, this is configured under Device > Authentication Profile. It defines how the firewall integrates with external authentication servers (e.g., RADIUS, LDAP).
D. Service Route Configuration:
This determines the path for management services (e.g., DNS, NTP, PAN-DB updates) and is set under Device > Setup > Services > Service Route Configuration. It ensures consistent outbound management traffic behavior.

Why the Other Options Are Incorrect:
B. Antivirus Profile:
This is a security object configured in Objects > Security Profiles. Security profiles are managed in Device Groups, not templates, as they are part of the policy configuration, not the network/device setup.
E. Dynamic Address Groups:
These are policy objects that use tags to dynamically group addresses. They are configured in Objects > Address Groups and are managed in Device Groups, not templates.

Reference:
PAN-OS documentation specifies that templates manage network and device settings (e.g., interfaces, zones, virtual routers, services like NTP, and authentication profiles), while Device Groups manage policy-related configurations (e.g., security rules, profiles, address objects) (PAN-OS Administrator’s Guide, "Templates" section).




Question # 7

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
A. certificates
B. profiles
C. link state
D. stateful firewall connection


A. certificates
Explanation:
To establish a Palo Alto Networks firewall as a trusted third party for SSL/TLS decryption, the firewall must use certificates—specifically:
A Forward Trust Certificate:
Used to sign impersonated server certificates during SSL Forward Proxy. This certificate must:
Be a CA certificate
Include the private key
Be trusted by client devices (either self-signed and distributed, or signed by an enterprise CA)
A Forward Untrust Certificate:
Presented to clients when the firewall encounters a server certificate that is untrusted, ensuring users receive proper warnings.
These certificates allow the firewall to intercept, decrypt, inspect, and re-encrypt SSL/TLS traffic while maintaining trust between client and server.

Reference:
Palo Alto Networks – Configure SSL Forward Proxy
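As an added illustration of the signing decision described in Questions 1 and 7 (this is example code written for this page, not Palo Alto Networks code, and a deliberately simplified model that checks only issuer linkage, not signatures, validity dates or revocation), the Python below shows how importing Well-Known-Root-CA into the trusted store flips the signing CA for the one site from Forward Untrust to Forward Trust while other untrusted sites keep getting the Forward Untrust CA; all certificate and CA names are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# Simplified certificate: subject name, issuer name, and whether it is a CA.
# Only the chain-building part of validation is modelled here.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def chain_is_trusted(chain: List[Cert], trusted_roots: Set[str]) -> bool:
    """True if the leaf links issuer-by-issuer to a CA in the trusted store."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if i > 0 and not cert.is_ca:
            return False                   # intermediates must be CAs
        if cert.issuer in trusted_roots:
            return True                    # reached a trusted anchor
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False                   # chain is broken
    return False                           # ran out of certs without an anchor


def signing_ca_for(chain: List[Cert], trusted_roots: Set[str]) -> str:
    """Model of the Forward Proxy choice: trusted chain -> Forward Trust CA,
    anything else -> Forward Untrust CA (the one that makes browsers warn)."""
    return "Forward-Trust-CA" if chain_is_trusted(chain, trusted_roots) else "Forward-Untrust-CA"


# Constructed chain for the site in Question 1.
VERY_IMPORTANT = [
    Cert("www.very-important-website.com", "Well-Known-Intermediate-CA"),
    Cert("Well-Known-Intermediate-CA", "Well-Known-Root-CA", is_ca=True),
]
# Constructed chain for another site whose issuer the firewall does not trust.
OTHER_SITE = [Cert("www.other-site.example", "Unknown-Issuer-CA")]

# Before the fix: the firewall's trusted store lacks Well-Known-Root-CA.
BEFORE = {"Some-Public-Root-CA"}
# After option C: Well-Known-Root-CA imported and marked as a Trusted Root CA.
AFTER = BEFORE | {"Well-Known-Root-CA"}

if __name__ == "__main__":
    for label, store in (("before", BEFORE), ("after", AFTER)):
        print(label, signing_ca_for(VERY_IMPORTANT, store), signing_ca_for(OTHER_SITE, store))
```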



How to Pass the PCNSE Exam?

PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto Networks Certified Network Security Engineer exam.