Paloalto Networks NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Exam Practice Test
Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers
A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the firewalls themselves, must be defined in code to ensure consistency and enable version control.
Which tool is primarily used for this type of declarative Infrastructure as Code (IaC) provisioning?
Which two Palo Alto Networks firewall services are secured by attaching an SSL/TLS service profile to their configuration? (Choose two.)
A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.
Which action meets the requirements in this scenario?
An organization is securing its cloud workloads using the Palo Alto Networks platform. The goal is to use a fully managed firewall service that integrates with Panorama for consistent policy management. The solution must be scalable and require minimal changes to the existing routing fabric.
• The AWS cloud uses a distributed architecture where each application virtual private cloud (VPC) routes internet traffic through its own internet gateway.
• The Azure cloud is built around a Virtual WAN (vWAN) hub for centralized connectivity.
Which two deployments meet these criteria? (Choose two.)
A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.
What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature.
Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)
Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?
An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.
Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?
Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?
A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.
Which architecture should be used for the VM-Series firewalls in this use case?
A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.
Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?
An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.
What is the effect of configuring this split DNS policy?
An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.
How does Ansible enable an IaC model for managing this organization's firewalls?
After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.
What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?
A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment.
The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.
Which two Security policy requirements must be included in the implementation plan? (Choose two.)
In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?
An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?
When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?
An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.
Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)
By default, which type of traffic is configured by service route configuration to use the management interface?
Which initial action is required to configure logical routers?
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console without using the Context Switch feature.
Which set of tasks can the administrator fully execute from the Panorama UI?
An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.
What is the most likely cause of these widespread certificate errors?
A Managed Security Service Provider (MSSP) is creating a new VSYS for a customer.
To prevent this customer’s traffic from overwhelming the firewall’s state table, which resource limit should the MSSP configure for the new VSYS?
A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.
Within which section of a Zone Protection profile should these protections be configured?
Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)
An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.
What is the recommended method to achieve this goal?
Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?
An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.
Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?
When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)
When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?
An organization needs a GlobalProtect solution that meets two key requirements:
• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.
• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).
Which GlobalProtect authentication configuration should be used to meet both requirements?
A network engineer observes a pattern of anomalous traffic hitting an external-facing zone, including a high volume of TCP packets that are not part of a new session handshake (non-SYN), and a large number of ICMP fragments. The engineer decides to apply a Zone Protection profile to mitigate these potential threats.
Which protection type within the profile must be configured?
What is the primary use case for the CN-Series NGFW?