Palo Alto Networks PSE-SWFW-Pro-24 Exam - Topic 2 Question 22 Discussion

Actual exam question for Palo Alto Networks's PSE-SWFW-Pro-24 exam

Question #: 22
Topic #: 2

Which three statements describe the functionality of Dynamic Address Groups and tags? (Choose three.)

AStatic tags are part of the configuration on the firewall, while dynamic tags are part of the runtime configuration.

BDynamic Address Groups that are referenced in Security policies must be committed on the firewall.

CTo dynamically register tags, use either the XML API or the VM Monitoring agent on the firewall or on the User-ID agent.

DIP-Tag registrations to Dynamic Address Groups must be committed on the firewall after each change.

EDynamic Address Groups use tags as filtering criteria to determine their members, and filters do not use logical operators.

Show Suggested Answer

Suggested Answer: A, B, C

Dynamic Address Groups (DAGs) use tags to dynamically populate their membership.

Why A, B, and C are correct:

A . Static tags are part of the configuration on the firewall, while dynamic tags are part of the runtime configuration: Static tags are configured directly on objects. Dynamic tags are applied based on runtime conditions (e.g., by the VM Monitoring agent or User-ID agent).

B . Dynamic Address Groups that are referenced in Security policies must be committed on the firewall: Like any configuration change that affects security policy, changes to DAGs (including tag associations) must be committed to take effect.

C . To dynamically register tags, use either the XML API or the VM Monitoring agent on the firewall or on the User-ID agent: These are the mechanisms for dynamically applying tags based on events or conditions.

Why D and E are incorrect:

D . IP-Tag registrations to Dynamic Address Groups must be committed on the firewall after each change: While changes to the configuration of a DAG (like adding a new tag filter) require a commit, the registration of IP addresses with tags does not. The DAG membership updates dynamically as tags are applied and removed.

E . Dynamic Address Groups use tags as filtering criteria to determine their members, and filters do not use logical operators: DAG filters do support logical operators (AND, OR) to create more complex membership criteria.

Palo Alto Networks Reference:

PAN-OS Administrator's Guide: The section on Dynamic Address Groups provides details on how they work, including the use of tags as filters and the mechanisms for dynamic tag registration.

VM Monitoring and User-ID Agent Documentation: These documents explain how these components can be used to dynamically apply tags.

The documentation confirms the correct statements regarding static vs. dynamic tags, the need to commit DAG changes, and the methods for dynamic tag registration. It also clarifies that DAG filters do use logical operators and that IP-tag registrations themselves don't require commits.

by Eric at Mar 05, 2026, 03:32 AM

Limited Time Offer

25%

Off

Get Premium PSE-SWFW-Pro-24 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!