PCNSE Question #546: Real Exam Question with Answer & Explanation

Question

An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

Options

• AUse the show predefined xpath <value> command and review the output.
• BReview the App Dependency application list from the Commit Status view.
• COpen the security policy rule and review the Depends On application list.
• DReference another application group containing similar applications.

Explanation

When Palo Alto Networks applications have dependencies (e.g., youtube requires ssl and web-browsing), PAN-OS provides two built-in mechanisms to surface them: Option C lets you see the "Depends On" list directly within the security policy rule editor, giving you a pre-commit view of what the selected application requires. Option B surfaces the same dependency information at commit time through the Commit Status view, allowing a final check before the policy goes live - both are documented, UI-driven workflows designed specifically for this purpose.

Option A is wrong because show predefined xpath is a CLI command for inspecting the predefined configuration object hierarchy (like default security profiles), not for reviewing application dependencies in a policy rule. Option D is wrong because referencing an application group only groups applications together for policy reuse - it does not reveal or resolve dependency relationships between applications.

Memory tip: Think "Before and Check" - you Check dependencies inside the rule, and review them at Bcommit time. Both methods involve looking at official "Depends On" data, not workarounds.

No community discussion yet for this question.