Practice Free NGFW Engineer Exam Online Questions
A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.
Which action meets the requirements in this scenario?
- A . Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
- B . Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
- C . Deploy the Advanced URL Filtering license and captive portal.
- D . Deploy the explicit proxy with Kerberos authentication scheme.

An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.
Which additional step is necessary to meet the operational requirement?
- A . Enable duplicate logging (cloud and on-premises) under Device -> Setup -> Management in the appropriate templates.
- B . Enable log syncing and commit the template changes to both the on-premises and cloud collectors.
- C . In the collector group settings, add the Strata Logging Service as a secondary destination for the on-premises collector.
- D . Add the Panorama log collector and Strata Logging Service IP addresses to the cloud logging service routes to ensure dual-path cloud and on-premises reachability.

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)
- A . Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre-shared key.
- B . Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.
- C . Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”
- D . Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
- A . Flood Protection
- B . Protocol Protection
- C . Packet-Based Attack Protection
- D . Reconnaissance Protection

An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.
Which two abilities are enabled by this specific configuration step? (Choose two.)
- A . Configuring tunnel monitoring to verify the liveliness of the connection.
- B . Firewall performing NAT traversal.
- C . Running a dynamic routing protocol like OSPF over the tunnel.
- D . Firewall encrypting and decrypting packet payloads.

An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.
Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)
- A . A security rule is needed to allow IKE and IPSec traffic between the zone where the physical interface resides and the zone of the partner gateway.
- B . A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface.
- C . Security rules must be configured to permit application traffic from the local zone to the tunnel zone, and from the tunnel zone to the local zone.
- D . An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic.

A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.
Which approach best addresses these requirements while maintaining consistent policy enforcement?
- A . Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CA. Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.
- B . Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method, such as Group Policy or SCEP, to deploy certificates to endpoints.
- C . Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication.
- D . Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.

What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)
- A . Layer 3
- B . Layer 2
- C . Management
- D . DMZ

Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?
- A . Panorama, syslog, email
- B . Syslog, HTTP, NetFlow
- C . Panorama, ADEM, syslog
- D . SNMP, HTTP, RADIUS

An organization’s Security policy states that for all outbound web traffic, the TCP session to the external web server must be established by the firewall, not the user’s workstation. This requires configuring user web browsers to point to the firewall. Authentication is also required.
Which solution on a PA-Series firewall meets these specific needs?
- A . Transparent proxy
- B . Explicit proxy
- C . GlobalProtect with User-ID
- D . Decryption policy with Authentication Portal
