Would choose D. base on doc from dgonz the order is: Shared pre rules DG prer ules local rules DG post rules Shared post rules default rules Then be aware of order in DG when 2 config matches. in DG the config maintained is the child. On template is the oposite , the config maintained is the father. From the same doc. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.

Shared Pre-Policies Device group hierarchy Pre-Policies Local Firewall Policies Device group hierarchy Post-Policies Shared Post-Policies Default Rules there is no shared defaukt event hough it exist and it can be used as well. This is a document from Palo training ... we have to use same wording as they provide it ( it is an exam so go with whatever they want the answer to be. Even if it's not 100% correct)

Default rules belong to the Shared level and not any particular device group, which leaves us with only option A and C. The following doc states this and also explicitly gives us the order :) Shared pre Group pre Locals Group post Shared post Shared defaults https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

I think A

I would choose D based on https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies: If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level. As we have overridden the default ruleset in the device group it will be applied instead of the shared one.

Shared Pre-Rules Device Group Pre-Rules Local Firewall Rules Device Group Post Rule Shared Post-Rules Default Rules The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

A. This one isn't as tricky as it looks--device groups don't have default rules.

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies DG post-rules before Shared post rules

yup.. sorry it is D

As per News088

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

Screenshots indicate that the default rules have been overridden. The accurate answer is D. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.

Based on that A 1. Shared pre-rules 2. Device group pre-rules 3. Local firewall rules 4. Device group post-rules 5. Shared post-rules 6. intrazone-default interzone-default https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies

I got this question in the exam