Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

NGFW-Engineer Questions and Answers

Question # 6

A network security engineer at a 24/7 online retailer is upgrading an active/passive high availability (HA) cluster of PAN-OS firewalls. The primary goal is to perform the upgrade with no service interruption to online transactions. The engineer has already downloaded the new software to both devices.

Which sequence of actions will meet this requirement?

A.

From Panorama, create a scheduled software update job targeting both firewalls in the HA pair to run at the same time, then rely on the HA election process to manage the failover automatically.

B.

Upgrade the passive firewall first while it is still in the passive state. Once it reboots and is operational, suspend the active firewall to fail over to the newly upgraded device. Then, upgrade the remaining firewall.

C.

Force the active firewall into a suspended state to trigger a failover, then upgrade and reboot it. Suspend the currently active firewall to fail traffic back to the upgraded unit. Upgrade the remaining firewall.

D.

Disable HA synchronization on the active firewall, upgrade the passive firewall, and then re-enable synchronization. Once synchronized, repeat the process on the other firewall.

Full Access
Question # 7

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.

Which two actions meet the criteria? (Choose two.)

A.

Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.

B.

Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.

C.

Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.

D.

Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

Full Access
Question # 8

Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?

A.

It acts as a logging service for NGFW performance metrics.

B.

It orchestrates real-time traffic inspection for network segments.

C.

It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.

D.

It manages threat intelligence data synchronization with NGFWs.

Full Access
Question # 9

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

A.

NAT tables

B.

User Authentication

C.

GlobalProtect Gateways

D.

GlobalProtect Portal

Full Access
Question # 10

A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.

Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?

A.

Change to "download only" and schedule manual installation.

B.

Increase to 48 hours.

C.

Decrease to 12 hours.

D.

Reset to reconfirm 24 hours.

Full Access
Question # 11

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

A.

X-Forwarded-For (XFF) headers

B.

Server monitoring

C.

GlobalProtect

D.

Authentication Portal

Full Access
Question # 12

Which CLI command is used to configure the management interface as a DHCP client?

A.

set network dhcp interface management

B.

set network dhcp type management-interface

C.

set deviceconfig system type dhcp-client

D.

set deviceconfig management type dhcp-client

Full Access
Question # 13

An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.

What is the most likely cause of this issue?

A.

A static route for the new subnet pointing to the tunnel interface is missing.

B.

The Security policy for the new subnet must be placed above the existing VPN policy.

C.

The new local and remote subnets are missing from the Proxy ID configuration.

D.

The tunnel's maximum transmission unit (MTU) size must be increased to accommodate the new traffic.

Full Access
Question # 14

An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.

Which combination of AWS services and Palo Alto Networks components is required for this use case?

A.

AWS Lambda function that monitors the firewall's health and re-routes traffic using the AWS API

B.

PAN-OS active/active high availability (HA) pair with an AWS Transit Gateway

C.

Amazon EC2 Auto Scaling group with VM-Series firewalls and an Amazon Gateway Load Balancer

D.

Single VM-Series firewall with an Elastic IP address that can be re-associated upon failure

Full Access
Question # 15

What is the correct sequence of evaluation for Security policy rulebases?

A.

Panorama Pre-Rules -- > Local Firewall Rules -- > Panorama Post-Rules

B.

Panorama Post-Rules -- > Panorama Pre-Rules -- > Local Firewall Rules

C.

Panorama Shared Rules -- > Local Firewall Rules -- > Device Group Rules

D.

Local Firewall Rules -- > Panorama Pre-Rules -- > Panorama Post-Rules

Full Access
Question # 16

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

A.

Flood Protection

B.

Protocol Protection

C.

Packet-Based Attack Protection

D.

Reconnaissance Protection

Full Access
Question # 17

A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.

Which architecture should be used for the VM-Series firewalls in this use case?

A.

Ansible playbook that monitors the health of the primary firewall and launches a new one in a different zone when a failure is detected

B.

Single, large VM-Series firewall in one zone that is configured for live migration to another zone upon failure

C.

Instance group of VM-Series firewalls spread across multiple zones with traffic routed to them by a GCP Internal Load Balancer

D.

PAN-OS active/active high availability (HA) cluster configured with dedicated HA interfaces in a shared VPC

Full Access
Question # 18

A network administrator is configuring path monitoring for a primary static route to ensure immediate failback from a backup route. The administrator wants the primary route to become active again without any delay as soon as its path is restored.

Which preemptive hold time value should the administrator configure to achieve this immediate failback?

A.

-1

B.

0

C.

1

D.

2

Full Access
Question # 19

A network administrator needs to replace the default self-signed certificate on a firewall with one signed by the company's internal certificate authority (CA).

Which two firewall features would require this new certificate to be assigned via an SSL/TLS service profile? (Choose two.)

A.

User-ID agent redistribution

B.

RADIUS server authentication

C.

Authentication portal

D.

GlobalProtect gateway

Full Access
Question # 20

A network engineer observes that after a primary link recovers, the firewall immediately switches traffic back from the backup static route to the primary static route. The engineer checks the path monitoring configuration for the primary route.

Which value is configured for the preemptive hold time to cause this behavior?

A.

Lowest possible value greater than 0

B.

0

C.

Default value

D.

Feature disabled

Full Access
Question # 21

Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?

A.

CPU

B.

Sessions limit

C.

Memory

D.

Security profile limit

Full Access
Question # 22

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.

Which configuration in CIE supports this requirement with highest operational efficiency?

A.

Configure a CIE tenant, connect Okta, and create segments.

B.

Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

C.

Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.

D.

Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.

Full Access
Question # 23

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.

What is the recommended method to achieve this goal?

A.

Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.

B.

Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.

C.

Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.

D.

Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

Full Access
Question # 24

After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.

Which of the following actions will resolve this issue?

A.

Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.

B.

Configure the Proxy IDs to match the Cisco ASA configuration.

C.

Check that IPSec is enabled in the management profile on the external interface.

D.

Validate the tunnel interface VLAN against the peer’s configuration.

Full Access
Question # 25

After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.

What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?

A.

Enable LACP fast failover.

B.

Set LACP mode to passive.

C.

Enable in HA passive state.

D.

Set HA link monitoring to aggressive.

Full Access
Question # 26

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

A.

Isolated

B.

Transient

C.

External

D.

Internal

Full Access
Question # 27

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

A.

Service graph

B.

Ansible automation modules

C.

Panorama role-based access control (RBAC)

D.

CN-Series firewalls

Full Access
Question # 28

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic, however they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Full Access
Question # 29

When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?

A.

Syslog, Panorama, SD-WAN

B.

Panorama/Cloud logging, email, Syslog

C.

Email, Syslog, NetFlow

D.

HTTP, RADIUS, SNMP

Full Access
Question # 30

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.

What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

A.

Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.

B.

Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.

C.

Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.

D.

Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

Full Access
Question # 31

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.

Which two configurations are required to implement this authentication fallback strategy? (Choose two.)

A.

Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.

B.

Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.

C.

Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.

D.

Configure a new authentication profile that references the Kerberos server profile.

Full Access
Question # 32

A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.

Within which section of a Zone Protection profile should these protections be configured?

A.

Protocol Protection

B.

Packet-Based Attack Protection

C.

Reconnaissance Protection

D.

Flood Protection

Full Access
Question # 33

A firewall administrator uses Panorama to manage a fleet of firewalls. After successfully onboarding the firewalls to Strata Logging Service and enabling cloud logging via a template, the security operations team reports that they can no longer see new logs on the on-premises Panorama log collectors. Logs are appearing correctly in Strata Logging Service.

Which setting was likely missed in the Panorama template configuration?

A.

The device certificates for the Panorama log collectors were not renewed after enabling the cloud logging connection.

B.

Duplicate logging (cloud and on-premises) is disabled under Device -- > Setup -- > Management.

C.

The Log Forwarding profile was modified to send logs only to the Strata Logging Service and no longer includes the on-premises Panorama log collectors.

D.

The Panorama log collectors were not defined as primary destinations within the collector group configuration for the managed firewalls.

Full Access
Question # 34

How does a Palo Alto Networks NGFW respond when the preemptive hold time is set to 0 minutes during configuration of route monitoring?

A.

It does not accept the configuration.

B.

It accepts the configuration but throws a warning message.

C.

It removes the static route because 0 is a NULL value.

D.

It reinstalls the route into the routing information base (RIB) as soon as the path comes up.

Full Access
Question # 35

An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that do not require switching context into each firewall's individual web interface.

Which set of actions is available to the administrator directly from the Panorama UI?

A.

Creating a new VLAN -

Assigning an interface to the new VLAN

Configuring a new DHCP server on the firewall

B.

Modifying a pre-rule -

Editing a shared service object -

Creating a new certificate profile

C.

Accessing the CLI -

Restarting the device -

Installing the latest content and software versions

D.

Configuring a new IPSec tunnel -

Modifying the IKE gateway -

Changing the DNS server settings of the firewall

Full Access
Question # 36

Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?

A.

Import the new subordinate CA certificate into the trust stores of all client devices.

B.

Set the subordinate CA certificate as the default routing certificate for all network traffic.

C.

Configure the subordinate CA to issue certificates with indefinite validity periods.

D.

Disable all existing SSL decryption rules until the new certificate is fully propagated.

Full Access
Question # 37

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.

Which approach meets these requirements?

A.

Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.

B.

Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.

C.

Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.

D.

Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

Full Access