Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Paloalto Networks NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Exam Practice Test

Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Question 1

A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the firewalls themselves, must be defined in code to ensure consistency and enable version control.

Which tool is primarily used for this type of declarative Infrastructure as Code (IaC) provisioning?

Options:

A.

Terraform

B.

Azure DevOps

C.

Ansible

D.

Panorama

Question 2

Which two Palo Alto Networks firewall services are secured by attaching an SSL/TLS service profile to their configuration? (Choose two.)

Options:

A.

Authentication portal

B.

GlobalProtect portal

C.

LDAP server profiles

D.

Prisma Access service connections

Question 3

A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

Options:

A.

Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).

B.

Deploy the Next-Generation Firewalls as normal and install the User-ID agent.

C.

Deploy the Advanced URL Filtering license and captive portal.

D.

Deploy the explicit proxy with Kerberos authentication scheme.

Question 4

An organization is securing its cloud workloads using the Palo Alto Networks platform. The goal is to use a fully managed firewall service that integrates with Panorama for consistent policy management. The solution must be scalable and require minimal changes to the existing routing fabric.

• The AWS cloud uses a distributed architecture where each application virtual private cloud (VPC) routes internet traffic through its own internet gateway.

• The Azure cloud is built around a Virtual WAN (vWAN) hub for centralized connectivity.

Which two deployments meet these criteria? (Choose two.)

Options:

A.

Native cloud provider firewalls in both cloud environments and connected to Panorama for management

B.

Cloud NGFW in each spoke VNet with User-Defined Routes (UDRs) to redirect traffic bypassing the vWAN hub

C.

Cloud NGFW endpoints in each application VPC, updating the VPC route tables to direct traffic through the endpoints

D.

Cloud NGFW as a security partner in the vWAN hub with routing configured to send traffic through the NGFW

Question 5

A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.

What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?

Options:

A.

Set the forward trust certificate as the SSL/TLS Service profile for the management interface.

B.

Create a Security policy rule that allows traffic from the certificate of the firewall to all the zones.

C.

Import the private key of the forward trust certificate onto the domain controller.

D.

Install the public portion of the forward trust certificate into the trust store of all client machines.

Question 6

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature.

Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)

Options:

A.

Download and install a new content update. View current firewall session details. Initiate a device reboot.

B.

Create a new zone. Configure a new virtual router. View the local ACC on the firewall.

C.

Edit a post-rule. Create a new certificate profile. Configure the firewall's hostname.

D.

Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre-rule.

Question 7

Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?

Options:

A.

Import the new subordinate CA certificate into the trust stores of all client devices.

B.

Set the subordinate CA certificate as the default routing certificate for all network traffic.

C.

Configure the subordinate CA to issue certificates with indefinite validity periods.

D.

Disable all existing SSL decryption rules until the new certificate is fully propagated.

Question 8

An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.

Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?

Options:

A.

Certificate revocation checking

B.

SSL/TLS service profile

C.

Decryption profile

D.

Forward trust certificate

Question 9

Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?

Options:

A.

Panorama, syslog, email

B.

Syslog, HTTP, NetFlow

C.

Panorama, ADEM, syslog

D.

SNMP, HTTP, RADIUS

Question 10

A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.

Which architecture should be used for the VM-Series firewalls in this use case?

Options:

A.

Ansible playbook that monitors the health of the primary firewall and launches a new one in a different zone when a failure is detected

B.

Single, large VM-Series firewall in one zone that is configured for live migration to another zone upon failure

C.

Instance group of VM-Series firewalls spread across multiple zones with traffic routed to them by a GCP Internal Load Balancer

D.

PAN-OS active/active high availability (HA) cluster configured with dedicated HA interfaces in a shared VPC

Question 11

A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.

Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?

Options:

A.

Change to "download only" and schedule manual installation.

B.

Increase to 48 hours.

C.

Decrease to 12 hours.

D.

Reset to reconfirm 24 hours.

Question 12

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.

What is the effect of configuring this split DNS policy?

Options:

A.

It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.

B.

It blocks access to all domains that are not explicitly listed in the split tunnel configuration.

C.

It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.

D.

It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.

Question 13

An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.

How does Ansible enable an IaC model for managing this organization's firewalls?

Options:

A.

By providing real-time threat intelligence feeds directly to the firewalls' data plane

B.

By providing a graphical user interface that simplifies the creation of security policies through a drag-and-drop interface

C.

By automatically discovering and mapping all network devices to generate a baseline configuration

D.

By defining firewall configurations in playbooks that can be version-controlled and executed repeatedly

Question 14

After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.

What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?

Options:

A.

Enable LACP fast failover.

B.

Set LACP mode to passive.

C.

Enable in HA passive state.

D.

Set HA link monitoring to aggressive.

Question 15

A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment.

The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.

Which two Security policy requirements must be included in the implementation plan? (Choose two.)

Options:

A.

A policy must explicitly permit the IPSec container application between the external-facing zone and local zone.

B.

A policy must explicitly permit only the IKE application between the external-facing zone and local zone.

C.

A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.

D.

The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer.

Question 16

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

Options:

A.

It provides a web interface for managing NGFW hardware clusters.

B.

It enables centralized log collection and correlation for NGFWs.

C.

It facilitates dynamic updates to NGFW threat databases.

D.

It automates NGFW policy updates and configurations through playbooks.

Question 17

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.

Which approach meets these requirements?

Options:

A.

Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.

B.

Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.

C.

Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.

D.

Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

Question 18

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic, however they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Question 19

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

Options:

A.

Deploying Ansible scripts for zone-specific scaling

B.

Implementing Terraform templates for redundancy within one availability zone

C.

Using load balancer and health probes

D.

Configuring active/active HA

Question 20

When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?

Options:

A.

Syslog, Panorama, SD-WAN

B.

Panorama/Cloud logging, email, Syslog

C.

Email, Syslog, NetFlow

D.

HTTP, RADIUS, SNMP

Question 21

An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.

Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)

Options:

A.

Tunnel monitoring

B.

Proxy ID configuration

C.

IKEv2 protocol support

D.

Dynamic routing

Question 22

By default, which type of traffic is configured by service route configuration to use the management interface?

Options:

A.

Security zone

B.

IPSec tunnel

C.

Virtual system (VSYS)

D.

Autonomous Digital Experience Manager (ADEM)

Question 23

Which initial action is required to configure logical routers?

Options:

A.

Changing the virtual router type from "default" to "advanced"

B.

Activating an advanced routing subscription

C.

Committing a new advanced routing software module

D.

Checking "advanced routing" in general settings

Question 24

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console without using the Context Switch feature.

Which set of tasks can the administrator fully execute from the Panorama UI?

Options:

A.

Edit a post-rule.

Create a new certificate profile.

Configure the firewall's hostname.

B.

Download and install a new content update.

View current firewall session details.

Initiate a device reboot.

C.

Create a new zone.

Configure a new virtual router.

View the local ACC on the firewall.

D.

Modify the IP address of a Layer 3 interface.

Configure a new local administrator account.

Edit a pre-rule.

Question 25

An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.

What is the most likely cause of these widespread certificate errors?

Options:

A.

The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection.

B.

The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license.

C.

The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.

D.

The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client endpoints.

Question 26

A Managed Security Service Provider (MSSP) is creating a new VSYS for a customer.

To prevent this customer’s traffic from overwhelming the firewall’s state table, which resource limit should the MSSP configure for the new VSYS?

Options:

A.

Max security profiles

B.

Max bandwidth

C.

Max sessions

D.

Max Log Forwarding profiles

Question 27

A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.

Within which section of a Zone Protection profile should these protections be configured?

Options:

A.

Protocol Protection

B.

Packet-Based Attack Protection

C.

Reconnaissance Protection

D.

Flood Protection

Question 28

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

Options:

A.

NAT tables

B.

User Authentication

C.

GlobalProtect Gateways

D.

GlobalProtect Portal

Question 29

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.

What is the recommended method to achieve this goal?

Options:

A.

Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.

B.

Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.

C.

Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.

D.

Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

Question 30

Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

Options:

A.

DDNS

B.

Link Duplex

C.

NetFlow

D.

LLDP

Question 31

An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.

Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?

Options:

A.

Modify all active Log Forwarding profiles to select the “Cloud Logging” option in each profile match list in the appropriate device groups.

B.

Enable the “Panorama/Cloud Logging” option in the Logging and Reporting Settings section under Device -- > Setup -- > Management in the appropriate templates.

C.

Select the “Enable Duplicate Logging” option in the Cloud Logging section under Device -- > Setup -- > Management in the appropriate templates.

D.

Select the “Enable Cloud Logging” option in the Cloud Logging section under Device -- > Setup -- > Management in the appropriate templates.

Question 32

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

Options:

A.

Service graph

B.

Ansible automation modules

C.

Panorama role-based access control (RBAC)

D.

CN-Series firewalls

Question 33

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

Options:

A.

It is associated with an interface within a VSYS of a firewall.

B.

It is a security object associated with a specific virtual router of a VSYS.

C.

It is not associated with an interface; it is associated with a VSYS itself.

D.

It is a security object associated with a specific VSYS.

Question 34

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

Options:

A.

X-Forwarded-For (XFF) headers

B.

Server monitoring

C.

GlobalProtect

D.

Authentication Portal

Question 35

An organization needs a GlobalProtect solution that meets two key requirements:

• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.

• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).

Which GlobalProtect authentication configuration should be used to meet both requirements?

Options:

A.

Cookie-based authentication for both pre-logon and user logon.

B.

SAML authentication for pre-logon and certificate-based authentication for user logon.

C.

Single authentication profile using Kerberos to handle both pre-logon and user logon.

D.

Certificate-based authentication for pre-logon and SAML authentication for user logon.

Question 36

A network engineer observes a pattern of anomalous traffic hitting an external-facing zone, including a high volume of TCP packets that are not part of a new session handshake (non-SYN), and a large number of ICMP fragments. The engineer decides to apply a Zone Protection profile to mitigate these potential threats.

Which protection type within the profile must be configured?

Options:

A.

Protocol Protection

B.

Flood Protection

C.

Reconnaissance Protection

D.

Packet-Based Attack Protection

Question 37

What is the primary use case for the CN-Series NGFW?

Options:

A.

Protecting mobile users and remote branch offices (east-west)

B.

Providing security for physical data center perimeters (north-south)

C.

Securing traffic in and out of a public cloud VPC or VNet (north-south)

D.

Enforcing Security policies between pods in a Kubernetes environment (east-west)