
Palo Alto Networks NGFW-Engineer Dumps

Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Question 1

Which CLI command is used to configure the management interface as a DHCP client?

Options:

A.

set network dhcp interface management

B.

set network dhcp type management-interface

C.

set deviceconfig system type dhcp-client

D.

set deviceconfig management type dhcp-client

Question 2

A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.

What are two fundamental properties of the external zones needed for this configuration? (Choose two.)

Options:

A.

They must be linked to the same virtual router as the ingress interface.

B.

They represent their parent VSYS without being tied to a physical or logical interface.

C.

They are a security construct belonging to a single VSYS.

D.

They are automatically created when inter-VSYS routing is enabled.

Question 3

An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.

To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?

Options:

A.

0 hours

B.

12 hours

C.

24 hours

D.

48 hours

Question 4

When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?

Options:

A.

Syslog, Panorama, SD-WAN

B.

Panorama/Cloud logging, email, Syslog

C.

Email, Syslog, NetFlow

D.

HTTP, RADIUS, SNMP

Question 5

How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?

Options:

A.

The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.

B.

It will attempt to load balance the traffic across all routes.

C.

It compares the administrative distance and chooses the one with the highest value.

D.

It compares the administrative distance and chooses the one with the lowest value.

Question 6

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

Options:

A.

X-Forwarded-For (XFF) headers

B.

Server monitoring

C.

GlobalProtect

D.

Authentication Portal

Question 7

A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.

Which two Security policy requirements must be included in the implementation plan? (Choose two answers)

Options:

A.

The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer.

B.

A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.

C.

A policy must explicitly permit only the IKE application between the external-facing zone and local zone.

D.

A policy must explicitly permit the IPSec container application between the external-facing zone and local zone.

Question 8

What is the primary use case for the CN-Series NGFW?

Options:

A.

Protecting mobile users and remote branch offices (east-west)

B.

Providing security for physical data center perimeters (north-south)

C.

Securing traffic in and out of a public cloud VPC or VNet (north-south)

D.

Enforcing Security policies between pods in a Kubernetes environment (east-west)

Question 9

An organization needs a GlobalProtect solution that meets two key requirements:

• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.

• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).

Which GlobalProtect authentication configuration should be used to meet both requirements?

Options:

A.

Cookie-based authentication for both pre-logon and user logon.

B.

SAML authentication for pre-logon and certificate-based authentication for user logon.

C.

Single authentication profile using Kerberos to handle both pre-logon and user logon.

D.

Certificate-based authentication for pre-logon and SAML authentication for user logon.

Question 10

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic; however, they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Question 11

A network administrator is hardening a new Palo Alto Networks firewall and wants to ensure that all firewall-generated management traffic, such as calls to Strata Logging Service, uses a dedicated in-band data port instead of the out-of-band management port.

Which configuration setting should the administrator modify to reroute this type of traffic?

Options:

A.

Service route

B.

Interface Management profile

C.

Virtual router

D.

Static route

Question 12

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.

What is the effect of configuring this split DNS policy?

Options:

A.

It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.

B.

It blocks access to all domains that are not explicitly listed in the split tunnel configuration.

C.

It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.

D.

It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.

Question 13

After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.

What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?

Options:

A.

Enable LACP fast failover.

B.

Set LACP mode to passive.

C.

Enable in HA passive state.

D.

Set HA link monitoring to aggressive.

Question 14

An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.

Which combination of AWS services and Palo Alto Networks components is required for this use case?

Options:

A.

AWS Lambda function that monitors the firewall's health and re-routes traffic using the AWS API

B.

PAN-OS active/active high availability (HA) pair with an AWS Transit Gateway

C.

Amazon EC2 Auto Scaling group with VM-Series firewalls and an Amazon Gateway Load Balancer

D.

Single VM-Series firewall with an Elastic IP address that can be re-associated upon failure

Question 15

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature.

Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)

Options:

A.

Download and install a new content update. View current firewall session details. Initiate a device reboot.

B.

Create a new zone. Configure a new virtual router. View the local ACC on the firewall.

C.

Edit a post-rule. Create a new certificate profile. Configure the firewall's hostname.

D.

Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre-rule.

Question 16

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

Options:

A.

Service graph

B.

Ansible automation modules

C.

Panorama role-based access control (RBAC)

D.

CN-Series firewalls

Question 17

An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.

Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)

Options:

A.

Tunnel monitoring

B.

Proxy ID configuration

C.

IKEv2 protocol support

D.

Dynamic routing

Question 18

A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.

Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?

Options:

A.

Define the local and remote subnets provided by the partner in the Proxy ID settings.

B.

Create individual Security policies for each pair of local and remote subnets.

C.

Assign a specific IP address to the tunnel interface to match the Check Point gateway.

D.

Enable Dead Peer Detection (DPD) in the IKE Gateway configuration.

Question 19

A cloud security team wants to extend its existing Palo Alto Networks Security policies into the organization's Kubernetes environments. The team requires an NGFW solution that can be deployed natively as a container and managed by Panorama.

Which firewall form factor meets these requirements?

Options:

A.

Cloud NGFW

B.

PA-5400 Series

C.

VM-Series

D.

CN-Series

Question 20

An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.

• The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.

• The Azure environment uses a Virtual WAN (vWAN) hub.

Which two actions are the most appropriate in this use case? (Choose two.)

Options:

A.

Deploy Cloud NGFW endpoints in every application virtual private cloud (VPC), ignoring the TGW.

B.

Deploy Cloud NGFW into the vWAN hub as a trusted security partner, and update routing policies to secure traffic.

C.

Deploy individual VM-Series firewalls in each spoke virtual network (VNet) and manage them as a device group in Panorama.

D.

Deploy Cloud NGFW endpoints into a security virtual private cloud (VPC), and adjust the TGW route tables to inspect traffic flowing through the hub.

Question 21

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

Options:

A.

Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

B.

Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

C.

Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

D.

Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Question 22

When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?

Options:

A.

Dedicated data plane memory

B.

Maximum number of admin accounts

C.

Maximum number of log entries

D.

Maximum number of NAT rules

Question 23

A network engineer has configured a PAN-OS firewall for client certificate authentication. The firewall has the corporate root CA certificate loaded. Client certificates are issued by an intermediate certificate authority (CA), which is signed by the root CA. However, when users attempt to connect, the authentication fails, and system logs indicate an "invalid certificate" error.

What is the most likely cause of this authentication failure?

Options:

A.

Intermediate CA certificate has not been imported onto the firewall and added to the trust chain.

B.

Client certificates were generated with an insecure key length (e.g., 1024-bit RSA).

C.

Firewall clock is out of sync with the CA server by more than five minutes.

D.

Online Certificate Status Protocol (OCSP) responder is unreachable, and no certificate revocation list (CRL) fallback is configured.

Question 24

A government agency needs to ensure that all user web access is explicitly mediated and authenticated.

The agency has the following requirements:

• Client browsers must be manually configured to send traffic to the firewall's IP address and a specific port.

• The firewall must support seamless single sign-on (SSO) with the users' existing Active Directory credentials.

Which feature set should the engineer configure to meet the agency's requirements?

Options:

A.

Web proxy in explicit mode with an Authentication policy by using Kerberos

B.

Decryption policy that redirects users to a SAML identity provider for authentication

C.

Web proxy in transparent mode with an Authentication policy by using multi-factor authentication (MFA)

D.

User-ID agent integration with Authentication Portal for authentication

Question 25

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

Options:

A.

Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre-shared key.

B.

Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.

C.

Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”

D.

Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”

Question 26

Which PAN-OS method of mapping users to IP addresses is the most reliable?

Options:

A.

Port mapping

B.

GlobalProtect

C.

Syslog

D.

Server monitoring

Question 27

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.

Which configuration in CIE supports this requirement with highest operational efficiency?

Options:

A.

Configure a CIE tenant, connect Okta, and create segments.

B.

Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

C.

Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.

D.

Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.

Question 28

An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.

What is the most likely cause of this issue?

Options:

A.

A static route for the new subnet pointing to the tunnel interface is missing.

B.

The Security policy for the new subnet must be placed above the existing VPN policy.

C.

The new local and remote subnets are missing from the Proxy ID configuration.

D.

The tunnel's maximum transmission unit (MTU) size must be increased to accommodate the new traffic.

Question 29

By default, which type of traffic is configured by service route configuration to use the management interface?

Options:

A.

Security zone

B.

IPSec tunnel

C.

Virtual system (VSYS)

D.

Autonomous Digital Experience Manager (ADEM)

Question 30

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

Options:

A.

Deploying Ansible scripts for zone-specific scaling

B.

Implementing Terraform templates for redundancy within one availability zone

C.

Using load balancer and health probes

D.

Configuring active/active HA

Question 31

An organization's Security policy states that for all outbound web traffic, the TCP session to the external web server must be established by the firewall, not the user's workstation. This requires configuring user web browsers to point to the firewall. Authentication is also required.

Which solution on a PA-Series firewall meets these specific needs?

Options:

A.

Transparent proxy

B.

Explicit proxy

C.

GlobalProtect with User-ID

D.

Decryption policy with Authentication Portal

Question 32

Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?

Options:

A.

CPU

B.

Sessions limit

C.

Memory

D.

Security profile limit

Question 33

Which two services are configured by applying an SSL/TLS service profile? (Choose two.)

Options:

A.

GlobalProtect portal

B.

Log forwarding to Strata Logging Service

C.

Forward-Trust certificate

D.

Syslog server monitoring

Question 34

An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.

Which GlobalProtect portal setting should be configured to resolve this issue?

Options:

A.

Split tunneling for DNS and specify the internal corporate domains in the "Domain" list

B.

DNS Proxy feature on the firewall to point clients to the gateway IP for DNS

C.

"DNS Forwarding" option on the gateway's tunnel interface

D.

NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers

Question 35

When deploying a pair of Palo Alto Networks firewalls in an active/active high availability (HA) cluster, what is the dedicated role of the HA3 link?

Options:

A.

Control plane synchronization for heartbeats and state information

B.

Packet forwarding for session setup and asymmetric traffic

C.

Management plane synchronization for configurations and policies

D.

Data plane synchronization for session tables and forwarding tables

Question 36

What must be configured before a firewall administrator can define policy rules based on users and groups?

Options:

A.

User Mapping profile

B.

Authentication profile

C.

Group mapping settings

D.

LDAP Server profile

Question 37

An engineer is creating an automation workflow. The first step is to deploy a new VM-Series firewall into a VMware vSphere environment, including its virtual machine (VM) configuration and network interfaces. The second step is to connect to the firewall and configure a complex set of Security policies and objects. The team uses both Terraform and Ansible.

For which part of this workflow would Terraform typically be used?

Options:

A.

Pushing threat intelligence updates to the new firewall

B.

Deploying the VM and associated network interfaces

C.

Storing the credentials needed to access the vSphere environment

D.

Applying the detailed Security policies and objects

Total 125 questions