Practice Free NGFW Engineer Exam Online Questions
An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?
- A . Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
- B . Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
- C . Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
- D . Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.
To maintain security efficacy of its public cloud resources by using native tools, a company purchases Cloud NGFW credits to replicate the Panorama, PA-Series, and VM-Series devices used in physical data centers.
Resources exist on AWS and Azure:
- The AWS deployment is architected with AWS Transit Gateway, to which all resources connect
- The Azure deployment is architected with each application independently routing traffic
The engineer deploying Cloud NGFW in these two cloud environments must account for the following:
- Minimize changes to the two cloud environments
- Scale to the demands of the applications while using the least amount of compute resources
- Allow the company to unify the Security policies across all protected areas
Which two implementations will meet these requirements? (Choose two.)
- A . Deploy a VM-Series firewall in AWS in each VPC, create an IPSec tunnel between AWS and Azure, and manage the policy with Panorama.
- B . Deploy Cloud NGFW for Azure in vNET/s, update the vNET/s routing to path traffic through the deployed NGFWs, and manage the policy with Panorama.
- C . Deploy Cloud NGFW for Azure in vWAN, create a vWAN to route all appropriate traffic to the Cloud NGFW attached to the vWAN, and manage the policy with local rules.
- D . Deploy Cloud NGFW for AWS in a centralized Security VPC, update the Transit Gateway to route all appropriate traffic through the Security VPC, and manage the policy with Panorama.
In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?
- A . License
- B . Plugin
- C . Content update
- D . General setting
An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?
- A . Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
- B . Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
- C . Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
- D . Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.
How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
- A . The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.
- B . It will attempt to load balance the traffic across all routes.
- C . It compares the administrative distance and chooses the one with the highest value.
- D . It compares the administrative distance and chooses the one with the lowest value.
A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an external device.
Which zone type must be configured to act as the logical source and destination for this traffic flow?
- A . External
- B . TAP
- C . Layer 3
- D . Layer 2
A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.
What are two fundamental properties of the external zones needed for this configuration? (Choose two.)
- A . They must be linked to the same virtual router as the ingress interface.
- B . They represent their parent VSYS without being tied to a physical or logical interface.
- C . They are a security construct belonging to a single VSYS.
- D . They are automatically created when inter-VSYS routing is enabled.
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console without using the Context Switch feature.
Which set of tasks can the administrator fully execute from the Panorama UI?
- A . Edit a post-rule. Create a new certificate profile. Configure the firewall’s hostname.
- B . Download and install a new content update. View current firewall session details. Initiate a device reboot.
- C . Create a new zone. Configure a new virtual router. View the local ACC on the firewall.
- D . Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre-rule.
After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.
Which of the following actions will resolve this issue?
- A . Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.
- B . Configure the Proxy IDs to match the Cisco ASA configuration.
- C . Check that IPSec is enabled in the management profile on the external interface.
- D . Validate the tunnel interface VLAN against the peer’s configuration.
Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?
- A . Import the new subordinate CA certificate into the trust stores of all client devices.
- B . Set the subordinate CA certificate as the default routing certificate for all network traffic.
- C . Configure the subordinate CA to issue certificates with indefinite validity periods.
- D . Disable all existing SSL decryption rules until the new certificate is fully propagated.
