Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers
Which CLI command is used to configure the management interface as a DHCP client?
A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.
What are two fundamental properties of the external zones needed for this configuration? (Choose two.)
An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.
To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?
When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?
How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?
A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.
Which two Security policy requirements must be included in the implementation plan? (Choose two answers)
What is the primary use case for the CN-Series NGFW?
An organization needs a GlobalProtect solution that meets two key requirements:
• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.
• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).
Which GlobalProtect authentication configuration should be used to meet both requirements?
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
A network administrator is hardening a new Palo Alto Networks firewall and wants to ensure that all firewall-generated management traffic, such as calls to Strata Logging Service, uses a dedicated in-band data port instead of the out-of-band management port.
Which configuration setting should the administrator modify to reroute this type of traffic?
An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.
What is the effect of configuring this split DNS policy?
After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.
What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?
An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.
Which combination of AWS services and Palo Alto Networks components is required for this use case?
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature.
Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)
When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.
Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)
A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.
Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?
A cloud security team wants to extend its existing Palo Alto Networks Security policies into the organization's Kubernetes environments. The team requires an NGFW solution that can be deployed natively as a container and managed by Panorama.
Which firewall form factor meets these requirements?
An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.
• The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.
• The Azure environment uses a Virtual WAN (vWAN) hub.
Which two actions are the most appropriate in this use case? (Choose two.)
A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.
Which approach achieves this segmentation of identity data?
When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?
A network engineer has configured a PAN-OS firewall for client certificate authentication. The firewall has the corporate root CA certificate loaded. Client certificates are issued by an intermediate certificate authority (CA), which is signed by the root CA. However, when users attempt to connect, the authentication fails, and system logs indicate an "invalid certificate" error.
What is the most likely cause of this authentication failure?
A government agency needs to ensure that all user web access is explicitly mediated and authenticated.
The agency has the following requirements:
• Client browsers must be manually configured to send traffic to the firewall's IP address and a specific port.
• The firewall must support seamless single sign-on (SSO) with the users' existing Active Directory credentials.
Which feature set should the engineer configure to meet the agency's requirements?
Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)
Which PAN-OS method of mapping users to IP addresses is the most reliable?
A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.
Which configuration in CIE supports this requirement with highest operational efficiency?
An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.
What is the most likely cause of this issue?
By default, which type of traffic is configured by service route configuration to use the management interface?
When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?
An organization's Security policy states that for all outbound web traffic, the TCP session to the external web server must be established by the firewall, not the user's workstation. This requires configuring user web browsers to point to the firewall. Authentication is also required.
Which solution on a PA-Series firewall meets these specific needs?
Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?
Which two services are configured by applying an SSL/TLS service profile? (Choose two.)
An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.
Which GlobalProtect portal setting should be configured to resolve this issue?
When deploying a pair of Palo Alto Networks firewalls in an active/active high availability (HA) cluster what is the dedicated role of the HA3 link?
What must be configured before a firewall administrator can define policy rules based on users and groups?
An engineer is creating an automation workflow. The first step is to deploy a new VM-Series firewall into a VMware vSphere environment, including its virtual machine (VM) configuration and network interfaces. The second step is to connect to the firewall and configure a complex set of Security policies and objects. The team uses both Terraform and Ansible.
For which part of this workflow would Terraform typically be used?