Your Path to PCNSE Certification Success

Practice makes perfect, and our PCNSE practice tests make passing a certainty. Get ready to conquer your exam with ease!

- 3000 Monthly Visitors
- 1 PCNSE Exam
- 250+ Questions With Answers
- 250 Students Passed
- 5 Monthly Updates

PCNSE Practice Test

At pcnsepracticetest.com, we offer expertly designed Palo Alto PCNSE practice tests to help you gain the confidence and knowledge needed to pass the Palo Alto certified network security engineer exam on your first attempt. Our PCNSE exam questions are tailored to reflect the real exam experience, covering all critical topics such as firewall configuration, security policies, VPNs, threat prevention, and more.


Why Choose Us?


1. Exam-Aligned Questions: Our PCNSE practice exam is based on the latest exam objectives, ensuring you’re prepared for what’s on the actual exam.
2. Detailed Feedback: Get clear explanations for every Palo Alto certified network security engineer exam question to deepen your knowledge and learn from mistakes.
3. Track Your Progress: Monitor your performance over time and focus on areas that need improvement.
4. Flexible Practice: Study anytime, anywhere, and at your own pace with our user-friendly platform.


Palo Alto PCNSE Practice Exam Questions



Question # 1

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
A. Click the hyperlink for the Zero Access.Gen threat
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.


A. Click the hyperlink for the Zero Access.Gen threat
Explanation:
When using the Application Command Center (ACC) to investigate Blocked User Activity and identify users potentially compromised by a botnet, the most effective method is to click the hyperlink for the Zero Access.Gen threat. This action sets a global filter that narrows down all related traffic, users, and sessions associated with that specific threat.
In the screenshot, ZeroAccess.Gen Command and Control Traffic is listed as a critical spyware threat with a botnet category and a high count. Clicking its hyperlink allows the administrator to:
- Apply a global filter across the ACC
- View all sessions, users, and source IPs tied to this threat
- Drill down into logs and threat details for forensic analysis
This is the fastest and most precise way to isolate compromised users and take remediation steps.

❌ Why Other Options Are Incorrect:
B. Click the left arrow beside the Zero Access.Gen threat: This expands the row for more details but does not apply a global filter. It’s useful for viewing metadata but not for narrowing down user activity.

C. Click the source user with the highest threat count: This shows user-specific data but does not isolate the botnet threat. It’s reactive and less targeted than filtering by threat.

🔗 Valid References:
Palo Alto Networks Knowledge Base: Tips & Tricks: How to Use the Application Command Center (ACC)
Exam4Training PCNSE Practice: Best Method to Set Global Filter in ACC




Question # 2

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
A. Low
B. High
C. Critical
D. Informational
E. Medium


B. High
C. Critical
E. Medium
Explanation:
Palo Alto Networks publishes Threat Prevention Best Practices that define recommended settings for Security Profiles (Vulnerability, Anti-Spyware, AV, URL, etc.).

For Anti-Spyware Profiles, best practices include:
Enable single-packet capture for severities Medium, High, and Critical
→ This allows administrators to analyze malicious sessions more effectively without capturing unnecessary benign traffic.
Do NOT enable packet capture for Low or Informational severities
→ These typically represent lower-risk or informational events that would unnecessarily consume disk space and processing.
🔹 So, Medium + High + Critical = the three severity levels where single-packet capture should be enabled.

Why not the others?
A. Low ❌ → Too much noise, not best practice.
D. Informational ❌ → Only logs metadata, doesn’t require packet capture.

Reference:
Palo Alto Networks TechDocs: Anti-Spyware Profile Best Practices
Best Practice Guidance: Enable Single-Packet Capture for medium, high, and critical severities.
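
The audit described in Question 2 can be scripted against an exported profile. The following is an added example, not part of the original page or of any Palo Alto Networks tooling; the XML is a constructed sample, and its element names (`rules/entry`, `severity/member`, `packet-capture`) are an assumption about the export layout that should be checked against your own configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on an Anti-Spyware profile export.
# Element names are an assumption about the layout; adjust to your config.
SAMPLE_PROFILE = """
<entry name="AS-Outbound-constructed">
  <rules>
    <entry name="block-crit-high">
      <severity><member>critical</member><member>high</member></severity>
      <packet-capture>single-packet</packet-capture>
    </entry>
    <entry name="default-medium">
      <severity><member>medium</member></severity>
      <packet-capture>disable</packet-capture>
    </entry>
    <entry name="default-low-info">
      <severity><member>low</member><member>informational</member></severity>
      <packet-capture>single-packet</packet-capture>
    </entry>
  </rules>
</entry>
"""

CAPTURE_REQUIRED = {"medium", "high", "critical"}    # single-packet expected
CAPTURE_NOT_WANTED = {"low", "informational"}        # capture expected off


def audit_spyware_profile(profile_xml):
    """Return sorted (severity, rule, finding) tuples for best-practice deviations."""
    root = ET.fromstring(profile_xml)
    findings = []
    covered = set()
    for rule in root.findall("./rules/entry"):
        name = rule.get("name")
        # A rule with no packet-capture element is treated as capture disabled.
        capture = (rule.findtext("packet-capture") or "disable").strip()
        severities = {m.text.strip().lower() for m in rule.findall("./severity/member")}
        if "any" in severities:
            severities = CAPTURE_REQUIRED | CAPTURE_NOT_WANTED
        for sev in severities:
            covered.add(sev)
            if sev in CAPTURE_REQUIRED and capture != "single-packet":
                findings.append((sev, name, f"packet-capture is '{capture}', expected single-packet"))
            elif sev in CAPTURE_NOT_WANTED and capture != "disable":
                findings.append((sev, name, f"packet-capture is '{capture}', expected disable"))
    # A required severity that no rule matches gets no capture at all.
    for sev in CAPTURE_REQUIRED - covered:
        findings.append((sev, None, "no rule covers this severity"))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))
```

On the constructed sample, the audit flags the medium rule (capture disabled) and the low/informational rule (capture enabled), and passes the critical/high rule.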




Question # 3

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system. In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)
A. External zones with the virtual systems added.
B. Layer 3 zones for the virtual systems that need to communicate.
C. Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate
D. Add a route with next hop next-vr by using the VR configured in the virtual system
E. Ensure the virtual systems are visible to one another.


A. External zones with the virtual systems added.
D. Add a route with next hop next-vr by using the VR configured in the virtual system
E. Ensure the virtual systems are visible to one another.
Explanation:
For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:
A. External zones with the virtual systems added:
External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.
D. Add a route with next hop next-vr by using the VR configured in the virtual system:
When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.
E. Ensure the virtual systems are visible to one another:
Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.
By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.




Question # 4

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
A. Destination Zone Outside. Destination IP address 2.2.2.1
B. Destination Zone DMZ, Destination IP address 10.10.10.1
C. Destination Zone DMZ, Destination IP address 2.2.2.1
D. Destination Zone Outside. Destination IP address 10.10.10.1


C. Destination Zone DMZ, Destination IP address 2.2.2.1
Explanation:
When configuring a Policy-Based Forwarding (PBF) rule on a Palo Alto Networks firewall, you're essentially overriding the routing table based on specific traffic attributes. Two valid components that can be used in a PBF policy are:

Custom Application:
You can define PBF rules based on applications, including custom-defined ones. This allows traffic matching specific app signatures (e.g., internal business apps) to be forwarded via a designated path.
Source Interface:
PBF policies can match traffic based on the ingress interface. This is useful when multiple interfaces feed into the firewall and you want to forward traffic differently based on where it enters.
These components are part of the match criteria in the PBF rule configuration.

❌ Why the Other Options Are Incorrect:
A. Schedule
Schedules are used in Security Policies, not PBF.
PBF rules are always active unless explicitly disabled or tied to a monitor profile for failover.
B. Source Device
“Source Device” is not a valid match criterion in PBF.
You can match by source zone, address, user, or interface, but not by device identity.

Reference:
Palo Alto Networks – Create a Policy-Based Forwarding Rule
GNS3 Network – How to Configure PBF on Palo Alto Firewall
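
For the destination NAT scenario in Question 4, PAN-OS evaluates the security policy against the pre-NAT destination address and the post-NAT destination zone. The following added example (not from the original page) models that lookup with the question's addresses; `ZONE_BY_NETWORK`, the `10.10.10.0/24` DMZ prefix, and the function names are hypothetical stand-ins for the firewall's route table and zone bindings.

```python
import ipaddress

# Constructed lab data based on the question. The DMZ prefix and the default
# route to Outside are assumptions standing in for the real routing table.
ZONE_BY_NETWORK = {
    "10.10.10.0/24": "DMZ",
    "0.0.0.0/0": "Outside",
}

DNAT_RULES = [
    {"src_zone": "Outside", "src_ip": "1.2.2.2", "dst_zone": "Outside",
     "dst_ip": "2.2.2.1", "translated_ip": "10.10.10.1"},
]

# The four answer choices as (destination zone, destination IP) pairs.
OPTIONS = {
    "A": ("Outside", "2.2.2.1"),
    "B": ("DMZ", "10.10.10.1"),
    "C": ("DMZ", "2.2.2.1"),
    "D": ("Outside", "10.10.10.1"),
}


def zone_for(ip):
    """Longest-prefix match of ip against ZONE_BY_NETWORK."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in ZONE_BY_NETWORK]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ZONE_BY_NETWORK[str(best)]


def security_policy_key(src_zone, src_ip, dst_ip):
    """Return the (destination zone, destination IP) the security policy must match."""
    pre_nat_zone = zone_for(dst_ip)  # the NAT rule itself matches on the pre-NAT zone
    for rule in DNAT_RULES:
        match = (rule["src_zone"], rule["src_ip"], rule["dst_zone"], rule["dst_ip"])
        if match == (src_zone, src_ip, pre_nat_zone, dst_ip):
            # The zone is recomputed from the translated address, while the
            # address seen by the security rule stays the original one.
            return zone_for(rule["translated_ip"]), dst_ip
    return pre_nat_zone, dst_ip


def matching_options(src_zone, src_ip, dst_ip):
    """List the answer choices that would match the session."""
    key = security_policy_key(src_zone, src_ip, dst_ip)
    return [letter for letter, rule in OPTIONS.items() if rule == key]
```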




Question # 5

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory in 192.168.28.22/128, and the Microsoft Exchange reside in 192.168.28.48/28. What the 0 the User
A. network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.40/28 Exchange
B. network 192.168.28.32/27 with server type Microsoft
C. one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers
D. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers


D. the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
Explanation:
When configuring the Palo Alto Networks Windows User-ID agent to monitor login events, the administrator must explicitly tell the agent which servers to monitor. This is a crucial step because the agent needs to know exactly where to pull the security event logs from to create user-to-IP mappings.
The User-ID agent has a "Server Monitoring" feature where you specify each server's IP address and its type (e.g., Microsoft Active Directory, Microsoft Exchange, Syslog Sender).
The agent will then connect to each specified server and read its security event logs for login events. This is the only way for the agent to ensure it captures all user authentication activities from every relevant source in the environment.
Therefore, since the company has four AD servers and two Exchange servers, the administrator must provide the IP address and the correct server type for all six servers to the User-ID agent.

Why the Other Options are Incorrect
A. Network ranges:
The User-ID agent's server monitoring feature requires you to specify individual server addresses, not entire subnets. While you can include/exclude networks for user mapping, you still need to specify the individual servers to monitor for login events.
B. A single network range:
This is incorrect for the same reason as A. The agent needs to know the specific servers to monitor. Also, providing the parent subnet 192.168.28.32/27 without specifying the server types would be ambiguous and would not allow the agent to correctly identify the logs to parse.
C. Auto Discover:
The "Auto Discover" feature for the User-ID agent is a convenience that automatically finds Active Directory domain controllers using DNS lookups. However, it does not automatically discover Exchange servers. Therefore, even with "Auto Discover" enabled, the administrator would still need to manually add the two Microsoft Exchange servers. The only complete solution is to manually add all six.




Question # 6

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
A. Support > Resources
B. Application Command and Control Center
C. Resources Widget on the Dashboard
D. Monitor > Utilization


C. Resources Widget on the Dashboard
Explanation:
To view CPU utilization for both the management plane and data plane on a Palo Alto Networks firewall, the administrator should use the Resources widget on the Dashboard. This widget provides real-time visibility into system performance metrics, including:

Management Plane CPU:
Reflects usage by system processes such as routing daemons, authentication services, and the web interface.
Data Plane CPU:
Indicates how much processing power is being used to handle traffic, session management, and packet forwarding.

This widget is accessible via:
Web UI > Dashboard > Widgets > Resources
It offers a quick and centralized view of system health, helping administrators identify performance bottlenecks, excessive load, or potential hardware issues.

❌ Why Other Options Are Incorrect:
A. Support > Resources: This section is used for support-related diagnostics and file generation, not for live CPU monitoring.
B. Application Command and Control Center (ACC): ACC provides visibility into traffic patterns, threats, and applications, not system resource usage.
D. Monitor > Utilization: This tab shows interface and bandwidth statistics, not CPU metrics for management or data planes.

References:
Palo Alto Networks TechDocs: Dashboard Widgets Overview
LIVEcommunity Discussion: How Management CPU and Data Plane CPU Work
Exam4Training PCNSE Practice: Where to View CPU Utilization




Question # 7

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
A. show system setting ssl-decrypt certificate
B. show system setting ssl-decrypt certs
C. debug dataplane show ssl-decrypt ssl-certs
D. show system setting ssl-decrypt certificate-cache


A. show system setting ssl-decrypt certificate
Explanation:
This is the primary CLI command used to display the details of all certificates installed on the firewall that are specifically used for SSL Decryption. This includes:

Forward Trust Certificate:
The CA certificate used to sign the dynamically generated certificates for sites in the Forward Trust list (sites that will not be decrypted).
Forward Untrust Certificate:
The CA certificate used to sign the dynamically generated certificates for sites that are decrypted using SSL Forward Proxy.
SSL Inbound Inspection Certificate:
The certificate (and its private key) presented by the firewall when it acts as the server for inbound decrypted connections.
Running this command provides a summary of these key certificates, including their issuers, expiration dates, and other details, which is essential for troubleshooting decryption failures.

Why the Other Options Are Incorrect:
B. show system setting ssl-decrypt certs:
This is not a valid CLI command.
C. debug dataplane show ssl-decrypt ssl-certs:
This is not a standard, documented command for viewing the configured decryption certificates. It appears to be a malformed attempt at a dataplane debug command, which would be used for much lower-level packet analysis, not for viewing certificate configurations.
D. show system setting ssl-decrypt certificate-cache:
This command is used to view the cache of dynamically generated certificates, not the root CA certificates used to generate them. It's for troubleshooting performance or cache-related issues, not for checking the core configuration of the Forward Trust/Untrust CAs.

Valid Reference:
Palo Alto Networks Administrator Guide | SSL Decryption | Troubleshoot SSL Decryption | CLI Commands: The official documentation lists the show system setting ssl-decrypt certificate command as the method to "display the forward trust certificate, forward untrust certificate, and the certificates used for inbound inspection." This is the definitive command for this purpose.



How to Pass PCNSE Exam?

The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.

The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.

Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types. Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.