Exam PCNSE topic 1 question 150 discussion

Correct: A,B (Per PANOS Help Function) - Each firewall maintains a traffic flag for the rules that have a match. Because the flag is reset when a dataplane reset occurs on a reboot or a restart, it is best practice to monitor this list periodically to determine whether the rule had a match since the last check before you delete or disable it. This mean when the dataplane is reset or there is a reboot the flag will not be set for any security policies therefore they will all be highlighted until a rule is hit and the flag is set.

Correct Answer A and C.

A and B correct

D is definitely part of the answer because the rule usage counter always resets following firewall reboot.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

Only "A" is definitely correct. The fact is "Rule Usage Hit Counter will not be reset", it is proven from the lab. Then: 1. "A" - must always be correct 2. "B" - since Hit Count NOT be reset, it would not "all" rules are unused. (Maybe some are unused, i.e. no hit count, but it already happened before reboot) 3. "D" - must always be wrong 4. "C" - It depends. As mentioned on "2" above, maybe some rules are unused before reboot, so "some" rules already have ZERO hit count before reboot.

I've just tested in my LAB: Is A&C. If I had the option to paste here the printscreen , I would do it.

FOr people thinking it's C, take a look at the link below. "Notice how the rules looks after selecting "Highlight Unused Rules." You can now see exactly what rules have and have not been used since the last reboot. " https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

A & B with out question. To all who said answer C...what would happen if a rule is created but never been hit? Of course it would be highlighted so C could never be correct.

A and B. Be careful of the wording. this is a double negative. Cisco uses this trickery also.

Can't be C. If you have a running firewall with a rule that has not been used then it will be highlighted. If we reboot the appliance then - given there was no traffic - all rules will be highlighted. If zero rules would be highlighted then it means every rule was used...

A: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-policy-rule-usage C: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

I agree with A and B but what are the chances that after a reboot, you will check that box before packets hit one or many of the rules?

Answer: AB "Hit Count—The number of times traffic matched the criteria you defined in the policy rule. Persists through reboot, dataplane restarts, and upgrades unless you manually reset or rename the rule." Source: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-policy-rule-usage.html "Notice how the rules looks after selecting "Highlight Unused Rules." You can now see exactly what rules have and have not been used since the last reboot. The red boxes around the rules have been added to show you how the "highlight" feature works." Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

The Right answer is AB, the question is so complicated but what they are looking for is to know if you Understand that highlight unused rules will highlight all unused since the last reboot as opposed to hit count which does not change after a reboot. See link below and read the notice below the second picture. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0

Rule usage hit counter will only reset if you manually reset them. Highlight unused rules will highlight all rules if not used since start.