
NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Questions 4

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.

What is the effect of configuring this split DNS policy?

Options:

A. It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.

B. It blocks access to all domains that are not explicitly listed in the split tunnel configuration.

C. It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.

D. It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.

Questions 5

An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.

Which additional step is necessary to meet the operational requirement?

Options:

A. Enable duplicate logging (cloud and on-premises) under Device > Setup > Management in the appropriate templates.

B. Enable log syncing and commit the template changes to both the on-premises and cloud collectors.

C. In the collector group settings, add the Strata Logging Service as a secondary destination for the on-premises collector.

D. Add the Panorama log collector and Strata Logging Service IP addresses to the cloud logging service routes to ensure dual-path cloud and on-premises reachability.

Questions 6

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.

Which two actions meet the criteria? (Choose two.)

Options:

A. Create a testing and rollback plan for the transition from RADIUS to SAML, as the two authentication profiles cannot be run in tandem.

B. Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.

C. Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.

D. Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

Questions 7

A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.

What are two fundamental properties of the external zones needed for this configuration? (Choose two.)

Options:

A. They must be linked to the same virtual router as the ingress interface.

B. They represent their parent VSYS without being tied to a physical or logical interface.

C. They are a security construct belonging to a single VSYS.

D. They are automatically created when inter-VSYS routing is enabled.

Questions 8

An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API.

What is a requirement for the application to create SD-WAN interfaces?

Options:

A. REST API’s “sdwanInterfaceprofiles” parameter on a Panorama device

B. REST API’s “sdwanInterfaces” parameter on a firewall device

C. XML API’s “sdwanprofiles/interfaces” parameter on a Panorama device

D. XML API’s “InterfaceProfiles/sdwan” parameter on a firewall device

Questions 9

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

Options:

A. Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre-shared key.

B. Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.

C. Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”

D. Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”

Questions 10

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

Options:

A. Service graph

B. Ansible automation modules

C. Panorama role-based access control (RBAC)

D. CN-Series firewalls

Questions 11

An engineer is troubleshooting a failed inter-VSYS communication path between a DMZ-VSYS and an Internal-VSYS. The configuration includes separate virtual routers with next-vr static routes and appropriate Security policies within each VSYS allowing traffic to and from their external zones.

Given that all routing and policy configurations within each individual VSYS are correct, what is the probable cause of the failure?

Options:

A. The intrazone-default policy is blocking the traffic because the two external zones are logically connected.

B. A tunnel interface is required to connect the two virtual routers instead of using the next-vr option.

C. The administrator did not configure Visible Virtual System.

D. The external zones were not assigned the External zone type, preventing them from connecting.

Questions 12

What is a valid configurable limit for setting resource quotas when defining a new VSYS on a Palo Alto Networks firewall?

Options:

A. Percentage of total CPU utilization

B. Maximum number of SSL decryption rules

C. Maximum number of virtual routers

D. Disk space allocation for logs

Questions 13

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.

Which approach meets these requirements?

Options:

A. Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.

B. Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.

C. Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.

D. Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

Questions 14

An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners. Due to compliance regulations, the firewalls protecting the internal network must not have any identity information about external partners. Conversely, firewalls in the partner-facing DMZ should only be aware of partner identities.

Which CIE feature is designed to solve this data partitioning requirement?

Options:

A. Panorama templates, which can be used to push different User-ID agent configurations to each firewall group

B. Segments, which can be configured to create distinct, filter-based views of users and groups that are then redistributed only to the appropriate firewalls

C. Multiple tenants, where a separate CIE tenant is required for each user directory to maintain isolation

D. Directory sync filtering, which is used at the source to prevent specific OUs from being imported into CIE

Questions 15

Which initial action is required to configure logical routers?

Options:

A. Changing the virtual router type from "default" to "advanced"

B. Activating an advanced routing subscription

C. Committing a new advanced routing software module

D. Checking "advanced routing" in general settings

Questions 16

An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.

Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)

Options:

A. A security rule is needed to allow IKE and IPSec traffic between the zone where the physical interface resides and the zone of the partner gateway.

B. A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface.

C. Security rules must be configured to permit application traffic from the local zone to the tunnel zone, and from the tunnel zone to the local zone.

D. An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic.

Questions 17

Which CLI command is used to configure the management interface as a DHCP client?

Options:

A. set network dhcp interface management

B. set network dhcp type management-interface

C. set deviceconfig system type dhcp-client

D. set deviceconfig management type dhcp-client

Questions 18

A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an external device.

Which zone type must be configured to act as the logical source and destination for this traffic flow?

Options:

A. External

B. TAP

C. Layer 3

D. Layer 2

Questions 19

Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?

Options:

A. Set Transmission Rate to “fast.”

B. Set passive link state to “Auto.”

C. Set “Enable in HA Passive State.”

D. Set LACP mode to “Active.”

Questions 20

An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing machine certificates onto the firewall.

Which configuration is required on the GlobalProtect Gateway to enable pre-logon using these machine certificates?

Options:

A. Create a device-based Security policy that allows traffic from the pre-logon user to an internal management zone.

B. Create an authentication profile that points to the machine certificate's CA and assign it by using the client authentication settings of the GlobalProtect Portal.

C. Create a certificate profile that trusts the machine certificate's CA and assign it within the Gateway Agent > Client Authentication settings.

D. Configure the Gateway Agent > Tunnel Settings to use IPSec with machine certificate authentication for the pre-logon tunnel.

Questions 21

An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.

• The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.

• The Azure environment uses a Virtual WAN (vWAN) hub.

Which two actions are the most appropriate in this use case? (Choose two.)

Options:

A. Deploy Cloud NGFW endpoints in every application virtual private cloud (VPC), ignoring the TGW.

B. Deploy Cloud NGFW into the vWAN hub as a trusted security partner, and update routing policies to secure traffic.

C. Deploy individual VM-Series firewalls in each spoke virtual network (VNet) and manage them as a device group in Panorama.

D. Deploy Cloud NGFW endpoints into a security virtual private cloud (VPC), and adjust the TGW route tables to inspect traffic flowing through the hub.

Questions 22

A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.

What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?

Options:

A. Set the forward trust certificate as the SSL/TLS Service profile for the management interface.

B. Create a Security policy rule that allows traffic from the certificate of the firewall to all the zones.

C. Import the private key of the forward trust certificate onto the domain controller.

D. Install the public portion of the forward trust certificate into the trust store of all client machines.

Questions 23

A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.

Which architecture should be used for the VM-Series firewalls in this use case?

Options:

A. Ansible playbook that monitors the health of the primary firewall and launches a new one in a different zone when a failure is detected

B. Single, large VM-Series firewall in one zone that is configured for live migration to another zone upon failure

C. Instance group of VM-Series firewalls spread across multiple zones with traffic routed to them by a GCP Internal Load Balancer

D. PAN-OS active/active high availability (HA) cluster configured with dedicated HA interfaces in a shared VPC

Questions 24

An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.

Which API call is required for this task?

Options:

A. XML API command with an xpath of config/devices/entry/vsys/entry/path-quality-profiles on Panorama

B. XML API command with an xpath of sdwan/path-quality-profiles on a managed firewall

C. POST request to the SDWanPathQualityProfiles object endpoint via the REST API on Panorama

D. POST request to the pathMonitoringProfiles object endpoint via the REST API on a managed firewall

Questions 25

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.

Which two configurations are required to implement this authentication fallback strategy? (Choose two.)

Options:

A. Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.

B. Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.

C. Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.

D. Configure a new authentication profile that references the Kerberos server profile.

Questions 26

When deploying a pair of Palo Alto Networks firewalls in an active/active high availability (HA) cluster, what is the dedicated role of the HA3 link?

Options:

A. Control plane synchronization for heartbeats and state information

B. Packet forwarding for session setup and asymmetric traffic

C. Management plane synchronization for configurations and policies

D. Data plane synchronization for session tables and forwarding tables

Questions 27

An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that do not require switching context into each firewall's individual web interface.

Which set of actions is available to the administrator directly from the Panorama UI?

Options:

A. Creating a new VLAN; assigning an interface to the new VLAN; configuring a new DHCP server on the firewall

B. Modifying a pre-rule; editing a shared service object; creating a new certificate profile

C. Accessing the CLI; restarting the device; installing the latest content and software versions

D. Configuring a new IPSec tunnel; modifying the IKE gateway; changing the DNS server settings of the firewall

Questions 28

A Managed Security Service Provider (MSSP) is creating a new VSYS for a customer.

To prevent this customer’s traffic from overwhelming the firewall’s state table, which resource limit should the MSSP configure for the new VSYS?

Options:

A. Max security profiles

B. Max bandwidth

C. Max sessions

D. Max Log Forwarding profiles

Questions 29

A large organization has separate production and development environments, each with its own set of firewalls managed by Panorama. The organization uses Cloud Identity Engine (CIE) to consolidate user identities from Active Directory (AD) and Okta.

A security mandate requires that development firewalls must only learn about "DEV" and "QA" user groups, while production firewalls should only see "Prod" user groups.

How can an administrator enforce this separation using CIE with minimal complexity?

Options:

A. Create two segments, one with only "DEV" and "QA" groups, and one with "Prod" groups. Redistribute each segment to the corresponding group of firewalls.

B. Redistribute all user and group information to all firewalls and use Panorama Device Group hierarchy to apply different Group Mapping profiles.

C. Create filters using CLI commands to filter "Prod," "DEV," and "QA" groups.

D. Configure two separate CIE instances, one for production and the other for development. Sync each instance to both AD and Okta.

Questions 30

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A. They must be configured with auto-negotiate settings regardless of the port type.

B. They must all be either copper or fiber optic; however, they can be different.

C. They must have the same link speed and transmission mode.

D. They must be the same media type.

Questions 31

An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.

What is the most likely cause of these widespread certificate errors?

Options:

A. The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection.

B. The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license.

C. The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.

D. The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client endpoints.

Questions 32

Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?

Options:

A. HA, Virtual Wire, and Layer 2

B. Tap, Virtual Wire, and Layer 3

C. Virtual Wire, Layer 2, and Layer 3

D. HA, Layer 2, and Layer 3

Questions 33

An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.

How does Ansible enable an IaC model for managing this organization's firewalls?

Options:

A. By providing real-time threat intelligence feeds directly to the firewalls' data plane

B. By providing a graphical user interface that simplifies the creation of security policies through a drag-and-drop interface

C. By automatically discovering and mapping all network devices to generate a baseline configuration

D. By defining firewall configurations in playbooks that can be version-controlled and executed repeatedly

Questions 34

A network administrator is configuring an Aggregate Ethernet (AE) interface on an active/passive high availability (HA) pair. To reduce network downtime during a failover, the administrator wants the passive firewall's AE interface to be fully negotiated with the switch before it becomes active.

Which Link Aggregation Control Protocol (LACP) setting achieves this administrator's goal?

Options:

A. LACP Mode active

B. Enable in HA passive state

C. System Priority: 1

D. Transmission Rate: fast

Questions 35

During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.

Which firewall models support this configuration?

Options:

A. PA-5280, PA-7080, PA-3250, VM-Series

B. PA-455, VM-Series, PA-1410, PA-5450

C. PA-3260, PA-5410, PA-850, PA-460

D. PA-7050, PA-1420, VM-Series, CN-Series

Questions 36

According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission-critical network?

Options:

A. 8 hours

B. 16 hours

C. 32 hours

D. 48 hours

Questions 37

Which two Palo Alto Networks firewall services are secured by attaching an SSL/TLS service profile to their configuration? (Choose two.)

Options:

A. Authentication portal

B. GlobalProtect portal

C. LDAP server profiles

D. Prisma Access service connections

Exam Code: NGFW-Engineer
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jun 29, 2026
Questions: 50