An organization wants Prisma Access Browser (PAB) users to authenticate to public cloud services, such as Microsoft 365, using its existing corporate IdP (e.g., Azure AD). Which integration is essential to enable this automated single sign-on (SSO) experience for public cloud applications accessed via PAB?
Direct integration of the browser with Microsoft ' s Conditional Access policies
Deployment of a browser-specific SSO extension
Configuration of individual user authentication tokens within the PAB profile
Cloud Identity Engine integration with the corporate IdP
Single sign-on for PAB users accessing public cloud SaaS applications is centrally brokered through the Cloud Identity Engine, which serves as the identity integration point between the organization ' s corporate IdP — Azure AD/Entra ID in this scenario — and the applications and services users access through PAB, rather than being handled by any browser-native or per-application mechanism. Establishing this Cloud Identity Engine-to-IdP integration is what allows the corporate authentication session and identity attributes to be recognized consistently and passed through automatically as the user navigates to sanctioned SaaS applications like Microsoft 365 via PAB, delivering the seamless SSO experience described in the question, which makes option D the essential, correct integration. There is no PAB feature involving direct integration with Microsoft ' s own Conditional Access policy engine as the SSO enablement mechanism (option A); Conditional Access is a Microsoft Entra-native capability that can complement an SSO deployment but is not itself the integration point that establishes SSO through PAB. A " browser-specific SSO extension " (option B) is not the documented architecture for how PAB delivers SSO to cloud applications — SSO is achieved through the identity broker relationship with Cloud Identity Engine, not through a separate extension component layered on top. Manually configuring individual user authentication tokens within the PAB profile (option C) is neither how SSO is designed to function nor a scalable or supported approach; it would defeat the purpose of automated, centrally managed single sign-on entirely.
When a review of devices discovered by IoT Security reveals network routers appearing multiple times with different IP addresses, which configuration will address the issue by showing only unique devices?
Add the duplicate entries to the ignore list in IoT Security.
Merge individual devices into a single device with multiple interfaces.
Create a custom role to merge devices with the same hostname and operating system.
Delete all duplicate devices, keeping only those discovered using their management IP addresses.
Multi-homed network infrastructure such as routers is a well-known source of apparent device duplication in any passive discovery platform, because IoT Security fingerprints and profiles devices based on observed traffic from each of their interfaces, and a router with several active interfaces will naturally generate distinct MAC/IP pairings that the system initially treats as separate device records. The correct, purpose-built remediation is to merge those individual device entries into a single logical device record that retains multiple interfaces, which preserves the full visibility and behavioral history captured against each interface while presenting one accurate inventory entry to the operator — this is precisely what option B describes and is the documented workflow within IoT Security ' s device inventory management. Adding entries to an ignore list (option A) suppresses visibility rather than resolving the underlying duplication, and would cause the platform to lose monitoring coverage on those interfaces entirely, which is counterproductive for a security tool. There is no custom-role-based merge mechanism in IoT Security (option C); roles govern administrative access, not device deduplication logic. Deleting duplicates and keeping only the management-IP-discovered entry (option D) permanently discards legitimate interface-level telemetry and is not a supported or recommended operation, since it can blind the platform to traffic on the deleted interfaces going forward.
Which Cloud Identity Engine capability will create a Security policy that uses Entra ID attributes as the source identification?
Entra ID Group Attribute
Attribute Group Mapping
Entra ID Cloud Group
Cloud Dynamic User Group
Cloud Dynamic User Groups (CDUGs) are the Cloud Identity Engine capability purpose-built for exactly this use case: rather than relying on a static, manually maintained group whose membership must be updated by hand whenever a user ' s role, department, or other Entra ID attribute changes, a CDUG defines membership criteria based on directory attributes or context — department, title, location, risk score, or other Entra ID fields — and continuously, automatically re-evaluates which users belong to the group as those attributes change. Once created, the resulting group receives an auto-generated distinguished name that Prisma Access recognizes and can reference directly as source identification within a Security policy rule, giving administrators attribute-driven, self-maintaining access control rather than a fixed group membership list. This makes option D the correct capability. " Entra ID Group Attribute " and " Entra ID Cloud Group " (options A and C) are not the names of actual Cloud Identity Engine features; they resemble plausible terminology but do not correspond to a distinct, documented capability distinct from Cloud Dynamic User Groups. " Attribute Group Mapping " (option B) similarly does not exist as a named capability in the Cloud Identity Engine; while group mapping in a general sense is a core CIE function for synchronizing static directory groups, the specific capability that lets a Security policy dynamically use Entra ID attributes as the basis for group/source membership is the Cloud Dynamic User Group, not a generic " attribute group mapping " construct.
How can role-based access control (RBAC) for Prisma Access (Managed by Strata Cloud Manager) be used to grant each member of a security team full administrative access to manage the Security policy in a single tenant while restricting access to other tenants in a multitenant deployment?
Add the team to the Parent Tenant, select the Prisma Access Configuration Scope, and set the role to Security Administrator.
Add the team to the Child Tenant, select All Apps & Services, and set the role to Security Administrator.
Add the team to the Parent Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.
Add the team to the Child Tenant, select Prisma Access & NGFW Configuration, and set the role to Security Administrator.
Tenant-level isolation in the Strata Cloud Manager multitenant hierarchy is enforced at the point where an administrator account is added, not merely by the role assigned to them — an account added at the Parent Tenant level inherently has, or can be elevated to have, visibility spanning the tenant hierarchy, which directly conflicts with the requirement to restrict access to other tenants. This eliminates options A and C outright, since both place the team at the Parent Tenant. The correct placement is at the specific Child Tenant that the security team is meant to manage, which confines their administrative footprint to that tenant ' s configuration exclusively. Within that Child Tenant, the scope selection matters: choosing " All Apps & Services " (option B) is broader than the stated requirement of managing Security policy, and is not the documented scope selection paired with a Security Administrator role for policy-focused access — the correct, precisely-scoped selection is " Prisma Access & NGFW Configuration, " which grants full administrative rights over policy configuration (Security policy included) without extending into unrelated product areas or other tenants ' resources. Combined with the Security Administrator role, which governs Security policy administrative privileges specifically, this configuration satisfies both halves of the requirement: full policy management capability within the assigned tenant, and hard isolation from every other tenant in the deployment.
What is the purpose of embargo rules in Prisma Access?
Rate-limiting connections originating from specific countries
Allowing traffic only from specific countries
Blocking connections from specific countries
Blocking traffic from Russia, China, and North Korea only
Embargo rules are a purpose-built, pre-defined Security policy rule construct in Prisma Access that lets an organization block inbound connection attempts — most commonly authentication attempts against the GlobalProtect portal, Explicit Proxy, or Remote Networks entry points — that originate from specific countries or regions, using Palo Alto Networks ' geolocation-based source address matching. Their defining behavior is unconditional blocking (a Drop action) of the specified source countries, which makes option C the accurate general description of their purpose; they exist to reduce attack surface against brute-force and credential-stuffing attempts by preventing connection attempts before normal identity-based Security policy would even be evaluated, since embargo rules are enforced as top-of-stack pre-rules using the reserved tag PA_predefined_embargo_rule. Option A is incorrect because embargo rules are a binary block mechanism, not a rate-limiting or throttling control — there is no partial-restriction behavior involved. Option B inverts the logic entirely; embargo rules are not an allow-list mechanism restricting traffic to only a permitted set of countries, they are a deny-list mechanism for specific countries while leaving all other geographies unaffected. Option D is too narrow and factually incorrect as a generalization: embargo rules are configurable for any country or region the organization chooses to specify, and are frequently used for the broader set of countries subject to export or sanctions restrictions, not a fixed three-country list.
Which configuration change will allow an organization using Prisma Access (Managed by Panorama) to minimize the consumption of Strata Logging Service storage due to a high volume of asymmetric traffic flows on its data center?
Configure a log forwarding profile on the service connection to filter out asymmetric traffic.
Disable traffic logging on the service connection.
Disable the log forwarding profile for the service connection.
Reduce the log retention period for Strata Logging Service.
Palo Alto Networks documentation directly addresses this exact scenario: when the majority of traffic flows logged by a service connection are asymmetric — meaning the forward and return legs of a session traverse different paths through the Prisma Access backbone — disabling traffic logging specifically on that service connection is documented as the action that may be required to reduce the resulting consumption of Strata Logging Service storage, since asymmetric flows can generate excessive or fragmented log volume relative to the operational value the logs actually provide. This makes option B the directly documented and correct answer for this specific storage-consumption scenario. Configuring a log forwarding profile filter to selectively exclude asymmetric traffic (option A) is a more surgical-sounding idea, but it is not the documented mechanism Palo Alto Networks provides for this problem; log forwarding profiles control which log types are sent to which external destinations broadly, not a fine-grained filter isolating only asymmetric-flow traffic specifically for exclusion. Disabling the log forwarding profile for the service connection entirely (option C) is a broader and less precise action than the dedicated " disable traffic logging " setting, and is not the specific, named configuration Palo Alto Networks documents for this use case. Reducing the log retention period (option D) addresses how long already-generated logs are kept in storage, not the underlying rate at which new log volume is being generated by asymmetric flows, so it treats the symptom of storage growth rather than its actual cause.
A company has four branch offices between Canada Central and Canada East which use the same IPSec termination node and have QoS configured with customized bandwidth per site. An engineer wants to onboard a new branch office on the same IPSec termination node. What is the QoS behavior for the new branch office?
Automatically distributed to 25% for each site
Unallocated until manually assigned
Automatically distributed to 20% for each site
Cannot be added to existing QoS configuration
Once an administrator has moved away from Prisma Access ' s default, automatic bandwidth-sharing behavior and explicitly customized bandwidth allocation per site on a shared IPSec termination node, the platform respects that deliberate, manual configuration rather than silently recalculating or redistributing percentages whenever a new site is added to the same node. Onboarding a fifth branch office onto a termination node where the existing four sites already have customized, fixed bandwidth values does not trigger an automatic rebalancing to a new even split; instead, the new site simply has no bandwidth allocation defined for it and will remain unallocated, effectively receiving no guaranteed or prioritized QoS treatment, until the engineer explicitly assigns it a bandwidth value as part of onboarding. This makes option B the accurate description of default platform behavior. Options A and C both describe an automatic, evenly-redistributed percentage outcome (25% and 20% respectively, which would correspond to five equal shares or four equal shares) that does not reflect how customized QoS interacts with new site onboarding — automatic even redistribution is the behavior only when no manual customization has been introduced in the first place, and once customization exists, the platform does not silently override or reflow it. Option D is incorrect because new branch offices absolutely can be added to an IPSec termination node with existing customized QoS; the addition itself is fully supported, it simply requires the administrator to manually define that site ' s bandwidth.
How can a network security team be granted full administrative access to a tenant ' s configuration while restricting access to other tenants by using role-based access control (RBAC) for Panorama Managed Prisma Access in a multitenant environment?
Create an Access Domain and restrict access to only the Device Groups and Templates for the Target Tenant.
Create a custom role enabling all privileges within the specific tenant ' s scope and assign it to the security team ' s user accounts.
Create a custom role with Device Group and Template privileges and assign it to the security team ' s user accounts.
Set the administrative accounts for the security team to the " Superuser " role.
Panorama ' s multitenancy implementation for Prisma Access relies on Access Domains as the primary boundary mechanism: when a tenant is created, Panorama automatically generates the device groups, templates, and template stack associated with that tenant and binds them to a dedicated access domain. Restricting an administrator to that access domain confines their visibility and configuration rights strictly to the objects belonging to that tenant, which is exactly the outcome the question requires — full access within the tenant, no visibility into any other tenant ' s device groups or templates. This makes option A the structurally correct answer, because the access domain is the object that actually enforces the tenant boundary; a custom role alone, without an access domain restriction, defines what privileges an administrator has but not which tenant ' s objects those privileges apply to. Options B and C describe custom administrative roles, which are a necessary complement to access domains for fine-tuning specific privilege sets, but neither role definition by itself creates the tenant isolation the scenario demands — a role with " all privileges " or with device-group/template privileges could still be applied across every tenant ' s device groups unless paired with an access domain restriction. Assigning the Superuser role (option D) is explicitly the wrong direction: Superuser grants unrestricted access across the entire Panorama instance and all tenants, which directly violates the requirement to restrict access to other tenants.
Which two actions can a company with Prisma Access deployed take to use the Egress IP API to automate policy rule updates when the IP addresses used by Prisma Access change? (Choose two.)
Configure a webhook to receive notifications of IP address changes.
Copy the Egress IP API Key in the service infrastructure settings.
Enable the Egress IP API endpoint in Prisma Access.
Download a client certificate to authenticate to the Egress IP API.
Prisma Access egress and public IP addresses can change as a result of autoscaling or infrastructure upgrades, so any allow-list dependent on those addresses (SaaS tenant restrictions, partner firewalls, third-party services) needs a reliable way to stay current. Palo Alto Networks addresses this with two complementary mechanisms. First, an Egress IP Notification URL — the webhook referenced in option A — can be configured under Infrastructure Settings so that Prisma Access sends an HTTP POST a few seconds before a new IP address becomes active, giving downstream automation advance warning to update firewall or SaaS allow-lists before the change takes effect. Second, retrieving the actual address list requires authenticating to the Egress/Public IP retrieval API using an API key that is generated and copied from the service infrastructure settings, as described in option B; this key is passed in the request header when calling the retrieval endpoint. There is no separate " enable the Egress IP API endpoint " toggle, since the retrieval API is available by default once a key is generated — making option C incorrect. Authentication to this API is strictly key-based, not certificate-based, so downloading a client certificate (option D) is not a supported or required step. Together, the webhook and API key form the complete automation loop: notify, then retrieve and apply.
Which two configurations must be enabled to allow App Acceleration for SaaS applications? (Choose two.)
Acceleration agent for the client machines
QoS for user traffic
Trusted Root CA for the CA certificate
Forward Trust Certificate for the CA certificate
App Acceleration works by having Prisma Access decrypt, optimize, and re-encrypt SaaS application traffic across its backbone to reduce round-trip latency and improve throughput to well-known, high-volume SaaS destinations, and that optimization is fundamentally dependent on SSL Forward Proxy decryption already being functional and trusted end-to-end. Two certificate-related prerequisites make this possible: a Forward Trust Certificate configured for SSL decryption, which Prisma Access presents to the client in place of the SaaS provider ' s original certificate when it performs the man-in-the-middle decryption necessary to inspect and accelerate the session, and that certificate ' s issuing CA must be distributed to and trusted by client endpoints as a Trusted Root CA, so that browsers and applications do not throw certificate warnings or reject the substituted certificate. Both of these are explicit, documented prerequisites for App Acceleration to function correctly, which makes options C and D the correct pair. There is no dedicated " acceleration agent " software component that must be installed on client machines (option A); App Acceleration operates transparently at the Prisma Access infrastructure level for tunneled or proxied users, not through an endpoint agent add-on. QoS (option B) is a separate traffic-shaping capability used to prioritize bandwidth for specific application classes; it is not a prerequisite for App Acceleration to be enabled and is functionally unrelated to the decryption trust chain that acceleration depends on.
When using the traffic replication feature in Prisma Access, where is the mirrored traffic directed for analysis?
Specified internal security appliance
Dedicated cloud storage location
Panorama
Strata Cloud Manager (SCM)
Prisma Access Traffic Replication is built on Google Cloud Packet Mirroring, deliberately architected to avoid inserting a physical or virtual appliance into the inline security processing path so that forensic capture has zero performance impact on regular traffic inspection. When an administrator enables Traffic Replication for mobile users, remote networks, or both, Prisma Access provisions dedicated cloud storage buckets in each enabled compute location and continuously writes encrypted PCAP files containing a replica of decrypted traffic traversing that location. Administrators retrieve these files from their own designated GCP service account, which is granted read-only access to the bucket, and decrypt them locally using a private key that only the customer holds — a design that preserves confidentiality even from Palo Alto Networks. This directly rules out option A: there is no requirement, and no supported workflow, to stream mirrored traffic to a customer-managed internal appliance in real time; the architecture is store-and-retrieve, not a live tap. Panorama and Strata Cloud Manager (options C and D) are management and policy planes, not traffic-capture destinations — they configure Traffic Replication settings but never receive or store the mirrored packets themselves. The dedicated cloud storage bucket model is what allows organizations to reconstruct full session flows for breach investigation and post-mortem analysis in SASE architectures where traditional span/tap infrastructure no longer exists.
After configuring domain-based split tunnel for zoom.us, how is expected behavior on the client machine confirmed?
Verify from the routing table.
Enable dump level logs on Global Protect Application.
Verify zoom.us is resolved by the tunnel assigned DNS server.
Ping zoom.us from the CLI.
Domain-based split tunneling behaves fundamentally differently from traditional access-route-based split tunneling: where access-route tunneling operates purely through entries in the local operating system routing table, domain-based split tunneling is implemented through a filter driver on Windows and a network extension on macOS that intercepts and redirects connections dynamically as domains are resolved and matched, rather than by inserting static host routes the administrator or user can simply read from a routing table. Because the enforcement mechanism itself lives inside this filter driver/extension rather than in visible routing entries, the documented, reliable way to confirm the configuration has actually been pushed correctly and is being applied as expected is to collect detailed, dump-level GlobalProtect application logs, which expose the filter driver ' s internal decision-making for the specified domain — this is precisely option B, and it matches Palo Alto Networks ' own published troubleshooting guidance for this feature. Checking the routing table (option A) is the correct verification method for route-based (access-route) split tunneling, but it is explicitly documented as not reflective of domain-based split tunnel behavior, since no corresponding static route is guaranteed to appear there. Verifying DNS resolution alone (option C) confirms name resolution occurred, but not that the filter driver actually applied the correct include/exclude action to the resulting session. Pinging the domain (option D) is unreliable because split-tunneling rules apply to TCP/UDP traffic and explicitly do not govern ICMP, so a ping result does not validate split-tunnel enforcement at all.
A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to their data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to specific data center internally developed applications running on non-standard ports. The security team must have access to manage the mobile user and access to branch locations. The network team must have access to manage only the partner access. How can the engineer configure mobile users and branch locations to meet the requirements?
Use GlobalProtect and Remote Networks to filter internet traffic and provide access to data center resources using service connections.
Use Explicit Proxy to filter internet traffic and provide access to data center resources using service connections.
Use GlobalProtect to filter internet traffic and provide access to data center resources using service connections.
Use Explicit Proxy and Remote Networks to filter internet traffic and provide access to data center resources using service connections.
GlobalProtect is the correct mobile-user connection method here because the requirement explicitly calls for remote site connectivity from mobile users to the branch locations, in addition to internet filtering and data center access — a full-tunnel capability that Explicit Proxy, which is scoped to web/proxy-aware traffic only, cannot provide. Remote Networks is the purpose-built onboarding method for the branch locations, tunneling their traffic into Prisma Access over IPSec for consistent internet filtering and, through the shared backbone, reachability to data center resources. Service connections are the piece that stitches both populations to the data center: they terminate at the customer ' s HQ/data center and, once established, become reachable from both the GlobalProtect mobile user pool and the Remote Networks locations across the Prisma Access backbone, satisfying the data center connectivity requirement for both user types without requiring a dedicated tunnel per site. Option B and D are eliminated because Explicit Proxy cannot deliver full network-layer access to internal branch or data center resources; it is designed for outbound web traffic redirection via PAC file or forwarding profile, not IPSec-based site-to-site or full-tunnel remote access. Option C omits Remote Networks entirely, which would leave the branch offices unconnected. GlobalProtect plus Remote Networks plus service connections is the standard, minimal-footprint design pattern for this exact hybrid mobile-user/branch/data-center topology.
Which two Prisma Access Browser (PAB) configurations will provide a contractor SSH access to an internal system? (Choose two.)
Configure Internal Application entries, Configure Access & Data Control policy
Enable Remote Connections
Configure Remote Connection Application entries, Configure Access & Data Control policy
Enable Internal Connections
SSH is fundamentally different from a standard HTTP/HTTPS-based internal web application, since it is a non-web, terminal-based protocol, and PAB accommodates protocols like SSH and RDP through a distinct capability generally referred to as Remote Connections rather than the standard internal web application publishing workflow. Enabling Remote Connections is the prerequisite platform capability that allows PAB to broker non-web protocol sessions such as SSH at all, making option B a necessary first configuration step. Once that capability is enabled, the administrator must define the actual target system as a Remote Connection Application entry — specifying the internal host, port, and protocol (SSH in this case) the contractor needs to reach — and then build an Access & Data Control policy that authorizes the specific contractor or contractor group to reach that defined Remote Connection application entry, which is exactly what option C describes and is the configuration pairing that actually grants and governs the access. Option A describes " Internal Application entries " rather than " Remote Connection Application entries " — internal (web) application entries are the construct used for standard HTTP/HTTPS internal application publishing, not SSH, so this pairing misapplies the wrong application object type to a non-web protocol use case. Option D references " Internal Connections " as a toggle, which is not the correctly named capability for enabling non-web protocol brokering in PAB; the documented feature and terminology for SSH/RDP-style access is Remote Connections, not " Internal Connections. "
How can an engineer verify that only the intended changes will be applied when modifying Prisma Access policy configuration in Strata Cloud Manager (SCM)?
Review the SCM portal for blue circular indicators next to each configuration menu item and ensure only the intended areas of configuration have this indicator.
Compare the candidate configuration and the most recent version under " Config Version Snapshots. "
Select the most recent job under Operations > Push Status to view the pending changes that would apply to Prisma Access.
Open the push dialogue in SCM to preview all changes which would be pushed to Prisma Access.
Strata Cloud Manager ' s Config Version Snapshots screen is purpose-built for this exact validation task: it allows an administrator to select the " Candidate " entry and compare the currently pending, uncommitted configuration directly against a previously pushed version, surfacing exactly which objects, rules, and settings have changed before anything is deployed. This gives a precise, itemized diff rather than a general status indicator, which is why it is the correct answer over the distractors. The blue circular indicators described in option A are scope indicators that show where a configuration element is inherited from or whether it is locally defined — useful for understanding configuration hierarchy, but not a change-verification mechanism, and they do not surface a diff of pending edits. Push Status (option C) is a historical and in-progress operations log; it reports on push jobs that have already been submitted, including their result and target devices, but it does not offer a pre-push preview of what is about to change. The push dialogue itself (option D) primarily lets an administrator select admin scope, folders, and services to include in a push; while some validation occurs at push time, it is not designed as a deliberate side-by-side comparison tool the way Config Version Snapshots is. For rigorous change control, comparing the candidate configuration against the last known-good snapshot before pushing is the documented method.
An employee is traveling to a country where their employer has not deployed a Prisma Access gateway. Which two mobile user gateways will the VPN client connect to automatically? (Choose two.)
Backup
Global fallback
Regional fallback
Local zone
Prisma Access ' s automatic gateway selection logic follows a defined fallback hierarchy specifically designed to keep mobile users connected even when they travel to a country without an onboarded, in-country Prisma Access location. If a user cannot connect to an in-country location, the GlobalProtect app first attempts a regional fallback location — a nearby, same-theater location the organization has onboarded (for example, users elsewhere in Asia, Australia, and Japan falling back to a regional hub such as Hong Kong, Singapore, or Japan Central) — which keeps latency reasonable by staying within the same broad geography. If no suitable regional location is available or reachable, the client falls further back to one of a small, fixed set of global fallback locations (including Hong Kong, Netherlands Central, and US Northwest) that are specifically designated to accept client connections from anywhere in the world, guaranteeing a connection path of last resort regardless of where the traveling user is located. This two-tiered regional-then-global fallback behavior is exactly what makes options B and C the correct pair. " Backup " (option A) is not the term used for this automatic gateway-selection fallback behavior in GlobalProtect ' s Prisma Access location logic. " Local zone " (option D) does not describe a fallback gateway category at all — it is not part of the documented regional/global fallback location terminology and does not apply to a traveling user with no in-country location available.
Strata Logging Service is configured to forward logs to an external syslog server; however, a month later, there is a disruption on the syslog server. Which action will send the missing logs to the external syslog server?
Configure a replay profile with the affected time range and associate it with the affected syslog server profile.
Delete the affected syslog server profile and create a new one.
Export the logs from Strata Logging Service, and then manually import them to the syslog server.
Configure a log filter under the syslog server profile with the affected time range.
Strata Logging Service retains logs independently of whether or not an external forwarding destination was reachable at the time they were generated, so no log data is actually lost during a syslog server outage — it simply was never forwarded during the disruption window. The mechanism designed to reconcile this gap is a replay profile: an administrator specifies the affected time range and associates that replay configuration with the relevant syslog server profile, and Strata Logging Service then resends every log that falls within that window to the external destination, effectively backfilling the outage period without requiring any manual export or reconstruction of the log set. This makes option A the correct, purpose-built remediation. Deleting and recreating the syslog server profile (option B) does nothing to recover the logs generated during the outage; it only affects the configuration used for logs going forward, and any pending backlog would still need to be replayed by other means. Manually exporting and importing logs (option C) is operationally burdensome, error-prone at scale, and unnecessary given that a native replay capability exists specifically to automate this exact recovery scenario. A log filter (option D) narrows which log types or attributes are forwarded going forward — it is a scoping mechanism, not a retransmission mechanism, and configuring one does not cause any historical, unforwarded logs to be resent.
TESTED 14 Jul 2026
