Palo Alto Networks System Engineer – Strata — Question 53
What is the correct behavior when a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from the DNS service cloud within the configured lookup time?
Answer options
- A. The NGFW discards a response from the DNS server.
- B. The NGFW temporarily disables the DNS Security function.
- C. The NGFW permits a response from the DNS server.
- D. The NGFW resends a verdict challenge to the DNS service cloud.
Correct answer: C
Explanation
The correct answer is C: if the NGFW cannot retrieve a DNS verdict within the configured lookup time, it permits the response from the DNS server so that network operations continue. Option A is incorrect because discarding the response would disrupt service. Option B is incorrect because the NGFW does not disable DNS Security in this scenario. Option D is incorrect because the NGFW does not resend a verdict challenge; it permits the existing response instead.