PCNSE Certification 61-139

61- An administrator has configured OSPF with advanced routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPFD was configured, the administrator noticed that OSPF routes were not being learned. Which two actions could an administrator take to troubleshoot the issue? (Choose two.). Look for configuration problems in Network> virtual router > OSPF. In the WebUI, view Runtime Stats in the logical router. Run the CLI command show advanced-routing ospf neighbor. In the WebUI, view Runtime Stats in the virtual router.

62- A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection. SYN Random Early Drop. TCP Drop. ICMP Drop. TCP Port Scan Block.

63- An administrator wants to use LDAP, TACAS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profiles in order kerberos, LDAP, and TACAS+?. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user. If the authentication times out for the first Authentication profile in the authentication sequence, no further authentication attempts will be made. The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user. The priority assigned to the Authentication profile defines the order of the sequence.

64- An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewalls dashboard is showing as down. What could an administrator do to troubleshoot the issue?. Go to Devices> High Availability > HA communications > General > and check the heartbeat Backup under Election Settings. Check peer IP address for heartbeat backup to Devices > High Availablity > HA communications > Packet Forwarding Settings. Go to Devices > High Availablity > General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup. Check peer IP address in the permit list in Device > Setup > Management > interfaces > Management interface Settings.

65- Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?. Yes, because the action is set to "alert". No, because the severity is high and the verdict is malicious. because this is an example from a defeated phishing attack. Yes, because the action is set to "allow".

66- An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?. Configure a floating IP between the firewall pairs. On one pair of firewalls, run the CLI command set network interface vlan arp. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

67- How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu. Panorama provides visibility all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts. panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

68- Which log type would provide information about traffic blocked by a Zone Protection profile?. Threat. IP-Tag. Traffic. Data Filtering.

69- An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?. The profile rule threat name. Exceptions tab. CVE column. The profile rule action.

70- A network security administrator has been tasked with deploying User-ID in their organization. What are three valid methods of collecting User-ID information in a network? (choose three). Windows User-ID agent. External dynamic list. Dynamix user groups. GlobalProtect. XML API.

71- A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a web server hosted behind the edge firewall. The pre-NATIP address of the server is 153.6.12.10, and the post-NATIP address is 192.168.10.10. refer to the routing and interface information below. What should the NAT rule destination zone be set to?. Inside. Outside. None. DMZ.

72- Which source is the most reliable for collecting User-ID user mapping?. Microsoft Exchange. Microsoft Active Directory. Syslog Listener. GlobalProtect.

73- A firewall administrator has been tasked with ensuring that all firewalls forward system logs to Panorama. In which section is this configured?. Device> Log Settings. Panorama > managed Devices. Objects > Log Forwarding. Monitor > Logs > system.

74- How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?. Enable Advanced routing Engine in Device > Setup > Session > Session Settings, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

75- An organization in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?. Transparent proxy. Explicit proxy. SSL forward proxy. DNS proxy.

76- Which type of zone will allow different virtual systems to communicate with each other?. External. Tunnel. Tap. Virtual Wire.

77- An engineer configures SSL decryption in order to have more visibility to the internal user's traffic when it is egressing the firewall. Which three types of interfaces support SSL forward Proxy? (choose three). Layer 3. High availability. Tap. Virtual Wire. Layer 2.

78- An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?. Additional Master Hold Up Time. Heartbeat interval. Monitor Fail Hold Up Time. Promotion Hold Time.

79- Which three methods are supported for split tunneling in the GlobalProtect Gateway? (choose three). URL category. Video streaming application. Destination Domain. Source Domain. Destination user/group. Client Application Process.

80- An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (choose two). Inherit parent Security policy rules and objects. Inherit IPSec crypto profiles. Inherit settings from Shared group. Inherit all security policy rules and objects.

81- After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?. Push the Template first, then push Device Group to the newly managed firewall. Perform the Export or push Device Config Bundle to the newly managed firewall. Ensure Force Template values is checked when pushing configuration. Push the Device Group first, then push Template to the newly managed firewall.

82. An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?. Configuration. Traffic. Data Filtering. Threat.

83- An Organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (choose two). No client configuration is required for explicit proxy, which simplifies the deployment complexity. Explicit proxy supports interception of traffic using non-standard HTTP ports. Explicit proxy allows for easier troubleshooting since the client browser is aware of the existence of the proxy. it supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

84- A firewall creates a new App-ID report under Monitor > Application Reports > New Applications to monitor new applications on the network and better asses any security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?. It matches to the new App-IDs downloaded in the last 90 days. It matches to the new App-IDs downloaded in the last 30 days. It matches to the new App-IDs in the most recently installed content releases. It matches to the new App-IDs installed since the last time the firewall was rebooted.

85- Refer to the diagram, Users at an internal system want to SSH to the SSH server. The server si configured to respond only to the ssh requests coming from IP 172.16.15.1 in order to reach SSH server only from the Trust Zone. Which Security rule and NAT rule must be configured on the firewall?. NAT Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust Source IP: 192.168.15.0/24 Destination Zone: Server Destination IP: 172.16.15.10 Application: SSH. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source translation: dynamic-ip-and-port / ethernet 1/4 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: trust Destination IP: 192.168.15.1 Destination Translation: Static IP / 172.16.15.10 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Application: SSH. NAT Rule: Source Zone: Trust Source IP: Any Destination Zone: Server Destination IP: 172.16.15.10 Source Translation: Static IP / 172.16.15.1 Security Rule: Source Zone: Trust Source IP: Any Destination Zone: Trust Destination IP: 172.16.15.10 Application: SSH.

86- An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template an engineer can configure? (choose three). NTP server Address. Service Route Configuration. Antivirus Profile. Authentication profile. Dynamic Address Groups.

187- An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?. A Master device. Authentication Portal. a User-ID agent on the LDAP server. A service route to the LDAP server.

88- A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which security profile should be applied to a policy to prevent these packet floods?. URL Filtering profile. Data Filtering profile. Dos Protection profile. Vulnerability Protection profile.

89- An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. The WildFire Global Cloud only provides bare metal analysis. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

90- An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?. The active firewall, which then synchronizes to the passive firewall. The passive firewall, which then synchronizes to the active firewall. Both the active and passive firewalls independently, with no synchronization afterward. Both the active and passive firewalls, which then synchronize with each other.

91- Refer to the exhibit. An organization ahs Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?. Any configuration on an M-500 would address the insufficient bandwidth concerns. Configure log compression and optimization features on all remote firewalls. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

92- When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?. Export device state. Save candidate config. Load named configuration snapshot. Load configuration version.

93- An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight unused rules and the rule usage hit counter immediately after a reboot? (choose two). Rule usage hit counter will reset. Rule usage hit counter will not be reset. Highlight unused rules will highlight zero rules. Highlight unused rules will highlight all rules.

94- A consultant advises a client on designing an explicit web proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment. Which two pieces of information should the consultant provide the client regarding web proxy authentication? (choose two). Kerberos or SAML authentication need to be configured. LDAP or TACAS+ authentication need to be configured. RADIUS is only supported for a transparent web proxy. RADIUS is not supported for explicit or transparent web proxy.

95- Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?. PAN-OS versions. Security policy. Proxy-IDs. IKE crypto profile.

96- In the new App viewer under policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?. The running configuration with the candidate configuration of the firewall. The security rule with any other security rule selected. Applications configured in the rule with their dependencies. Applications configured in the rule with applications seen from traffic matching the same rule.

97- What can be used as an action when creating a policy-based forwarding (PBF) policy?. Allow. Discard. Deny. Next VR.

98- Which two factors should be considered when sizing a decryption firewall deployment? (choose two). Encryption algorithm. TLS protocol version. Number of security zones in decryption policies. Number of blocked sessions.

99- Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (choose two). LDAP. Log ingestion. HTTP. Log forwarding.

100- An engineer is tasked with deploying SSL forward Proxy decryption for their organization. What should they review with their leadership before implementation?. URL risk-based category distinctions. Legal compliance regulations and acceptable usage policies. Browser-supported cipher documentation. Cipher documentation supported by the endpoint operating system.

101- An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?. ASBR. OSPF. OSPFV3. ECMP.

102- A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.). A private key. A subject alternative name. A server certificate. A certificate authority (CA) certificate.

103- An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?. Support > Resources. Resources Widget on the Dashboard. Monitor > Utilization. Application Command and Control Center.

104- Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.). Successful GlobalProtect Connection Activity. GlobalProtec Deployment Activity. GlobalProtec Quarantine Activity. Successful GlobalProtect Deployed Activity.

105- Which link is responsible for synchronizing sessions between high availability (HA) peers?. HA2. HA3. HA4. HA1.

106- What are three prerequisites for credential phishing prevention to function? (Choose three.). In the URL filtering profile, use the drop-down list to enable user credential detection. Set phishing category to block in the URL Filtering profile. Select the action for Site Access for each category. Add the URL filtering profile to one or more Security policy rules. Enable Device-ID in the zone.

107- An engineer is tasked with web traffc in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be installed on client devices to ensure there are no client browser warnings when decrypting approved web traffc?. The same certificate as theforward Untrust certificate. A Public Root CA certificate. The same certificate as the Forward Trust certificate. An Enterprise Root CA certificate.

108- An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?. Reload the running configuration and perform a Firewall local commit. Perform a device group commit push fro Panorama using the "Include Device and Network Templates" option. Perform a commit force from the CLI of the firewall. Perform a template commit push from Panorama using the "Force Template Values" option.

109- In a template, which two objects can be configured? (Choose two.). application group. SD-WAN, path quality profile. Monitor profile. IPsec tunnel.

110- To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?. Add the policy to the target device group and apply a master device to the device group. Add the policy in the shared device group as a pre-rule. Reference the targeted device's templates in the target device group. Clone the security policy and add it to the other device groups.

111- Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?. Packet Based Attack Protection. Resource Protection. Flood Protection. TCP Port Scan Protection.

112- Which operation will impact the performance of the management plane?. decrypting SSL sessions. DoS protection. generating Application a SaaS report. WildFire submissions.

113- A company has recently migrated their branch offices PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for thePA-220s after the migration. What can they do to reduce commit times?. Update the apps a threat version using device deployment. Perform a device group push using the "merge with device candidate config" option. Disable "Share Unused Address and Service Objects With Devices" in Panorama Settings. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

114- An administrator receives the following error message:"IKE phase -2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?. Check wheter the VPN peer on one end is set up correctly using policy-based VPN. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

115- An engineer is configuring a firewall with three interfaces: 1. MGT connects to a switch with internet access. 2. Ethernet1/1 connects to an edge router. 3. Ethernet 1/2 connects to a virtualization network. The engineer need to configure dynamic updates to use a dataplane interface for internet traffic. What should beconfigured in Setup > devices > Service Route Configuration to allow this traffic?. Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface. Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface. Set DNS and Palo Alto Networks Services to use the MGT source interface. Set DDNS and Palo Alto Networks Services to use the MGT source interface.

116- A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.). HTTP Server. SSL/TLS Service. Interface Management. Decryption.

117- A company wants to add threat prevention to the network without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.). Layer 2. Virtual Wire. TAP. Layer 3.

118- A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?. SSL and web-browsing must both be explicitly allowed. Add web-browsing application to the same rule. Add SSL and web-browsing applications to the same rule. Add SSL application to the same rule.

119- An administrator is troubleshooting why video traffic is not being properly classified. If this traffc does not match any QOS classes, what default class is assigned?. 2. 4. 3. 1.

120- Where can a service route be configured for a specific destination IP?. Use Network > Virtual Routers, select the Virtual Router > Static Eoutes > IPv4. Use Device > Setup > Services > Service Route configuration > Customize > IPV4. Use Device > Setup > Services > Service. Use Device > Setup > Services > Service Route configuration > Customize > Destination.

121. Which three items must be configured to implement application override? (Choose three.). Decryption policy rule. Application filter. Custom app. Security policy rule. Application override policy rule.

122- Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three). Verify and Install. Upload and install and reboot. Install and reboot. Upload-only. Upload and install.

123- After implementing a new NGFW. a firewall engineer sees a Vol traffc issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports, What can the engineer do to solve the VoIP traffc issue?. Increase the TCP timeout under SIP application. Increase the TCP timeout under H.323 application. Disable ALG under SIP application. Disable ALG under H.323 application.

124- Which new PAN-OS 11.0 feature supports IPv6 traffic?. DHCPv6 Client with Prefix Delegation. OSPF. IKEv1. DHCP server.

125- Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.). Kerberos. SAML. RADIUS. LDAP. TACACS+.

126- Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

127- Review the below. A firewall engineer creates a U-NAT rule to allow users In the trust zone access to a server in the same zone by using an external public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?. Add source Translation to translate original source IP to the firewall eth1/2 interface translation. Change destination NAT zone to Trust_L3. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. Change Source NAT zone to Untrust_L3.

128- A traffic log might list an application as "not-applicable" for which two reasons? (Choose two.). The firewall dropped a TCP SYN packet. There was not enough application data after the TCP connection was established. The TCP connection terminated without identifying any application data. The firewall did not install the session.

129- When you configure an active/active high availability pair, which two links can you use? (Choose two). HA2 backup. HSCLC. Console Backup. HA3.

130- What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.). enable operational modes such as normal mode, multi-vsys mode or FIPS-CC mode. change the firewall management IP address. rename a vsys on a multi-vsys firewall. add administrator accounts. configure a device block list.

131- Which three authentication types can be used to authenticate users? (Choose three.). Kerberos single sign-on. GlobalProtect Client. Cloud authentication service. Local database authentication. PingID.

132- Which three statements correctly describe Session 380280? (Choose three.). The application has been identified as web-browsing. The session has ended with the end-reason unknown. The session did not go through SSL decryption processing. The session went through SSL decryption processing. The application was initially identified as "ssl".

133- If a URL is in multiple custom URL categories with different actions, which action will take priority?. Override. Alert. Block. Allow.

134- After swrtchtng to a different WAN connection. Users have reported that vaious websites not load, and timeouts are occurring. The web servers work fine from locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmassion unit (MTU) on an upstream router interface is set to 1400. The engineeer reviews the following CLI outputs for ethemet1/1. Which setting should be modifed on ethemet 1/1 to remedy this problem?. Enable the ignore IPv4 don't fragment (DF) setting. Adjust the TCP maximum segment size (MSS) value. Change the subnet mask from /23 to 124. Lower the interface MTU value below 1500.

135- A network security administrator wants to inspect HTTPS traffc from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?. A web server ceritificate signed by an external Ceftificate Authority. A self-signed certificate generated on the firewall. A web server certificate signed y the organization's PKI. A subordinate Certificate Authority certificate signed by the organization's PKI.

136- An administrator has been tasked with configuring decryption policies. Which decryption best practice should they consider?. Decrypt all traffic that traverses the firewall so that it can be scanned for threats. Create forward proxy decryption rules without Decryption profiles for unsanctioned applications. Place firewalls where administrators can opt to bypass the firewall when needed. Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

137- A network security engineer is going to enable Zone Protection on several security zones-How can the engineer ensure that Zone Protection events appear in the firewall's logs?. No action is needed. Zone Protection events appear in the threat legs by default. Access the CLI in each firewall and enter the command set system setting additional-threat-log on. Select the check box "Log Zone Protection events" In the Content-ID settings of the firewall. Select the check box "Log packet-based attack events" in the Zone Protection profile.

138- An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?. A Decryption profile must be attached to the Security policy that the traffc matches. A Decryption profile must be attached to the Decryption policy that the traffc matches. There must be a certificate with only the Forward Trust option selected. There mus be a certificate with both the Forward Trust option and Forward Untrust option selected.

139- An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. Route Inherit Global Setting. IPv6 Source or Destination Address. Destination-Based Service. IPv4 Source Interface.