Explanation
The default class that is assigned to traffic that does not match any QoS classes is class 4. Class 4 is the default class for any session not matched to a QoS policy. QoS policy, like security policy, is processed top to bottom and the first policy match will be applied. If no policy match is found, the traffic is assigned to class 412.
Option A is incorrect because class 1 is not the default class for unmatched traffic. Class 1 is a user-defined class that can be used to assign traffic based on QoS policy criteria. Option B is incorrect because class 2 is not the default class for unmatched traffic. Class 2 is a user-defined class that can be used to assign traffic based on QoS policy criteria. Option C is incorrect because class 3 is not the default class for unmatched traffic. Class 3 is a user-defined class that can be used to assign traffic based on QoS policy criteria3.

Explanation
According to the PCNSE Study Guide , SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on the fly for each site.
The best practices for configuring SSL forward proxy are
Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients.
This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors if they trust the forward trust certificate.
Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust certificate. This helps alert users of potential risks and prevent man-in-the-middle attacks.
Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates, which is required for SSL forward proxy.

Explanation
Flags
A?B-Active and learned via BGP
A C-Active and a result of an internal interface (connected) - Destination = network A H-Active and a result of an internal interface (connected) - Destination = Host only A R-Active and learned via RIP A S-Active and static S-Inactive (because this route has a higher metric) and static O1-OSPF external type-1 O2-OSPF external type-2 Oi-OSPF intra-area Oo-OSPF inter-area

Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

Explanation
From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls." And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E