PCNSE Questions Bank

In an active/active high availability (HA) firewall pair, the firewall that is currently processing traffic is in the “Active” state. This state indicates that the firewall is fully functional and can own sessions and set up sessions. An active firewall can be either active-primary or active-secondary, depending on the Device ID and the HA configuration. An active-primary firewall connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. An active-secondary firewall connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. An active-secondary firewall does not support DHCP relay1. References: HA Firewall States, PCNSE Study Guide (page 53)

traffic log would list an application as “not-applicable” if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc1. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a “not-applicable” entry in the application field of the traffic log1.

In Palo Alto Networks firewalls, the order of evaluation for blocking access to specific URLs involves several components, including URL Filtering profiles and Security policy rules. Among the options listed, the Custom URL category in a Security policy rule is evaluated last in the processing order. This is because the firewall processes Security policy rules after URL Filtering profiles. If a URL matches a Custom URL category in a Security policy rule, this rule will override any allow actions in URL Filtering profiles due to the hierarchical nature of policy evaluation. Security policies provide the final verdict on whether traffic is allowed or denied, making them the last line of evaluation for access control, including URL blocking.