Practice Free NGFW Engineer Exam Online Questions

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.
Which two configurations are required to implement this authentication fallback strategy? (Choose two.)
- A. Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.
- B. Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.
- C. Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.
- D. Configure a new authentication profile that references the Kerberos server profile.

An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing machine certificates onto the firewall.
Which configuration is required on the GlobalProtect Gateway to enable pre-logon using these machine certificates?
- A. Create a device-based Security policy that allows traffic from the pre-logon user to an internal management zone.
- B. Create an authentication profile that points to the machine certificate's CA and assign it by using the client authentication settings of the GlobalProtect Portal.
- C. Create a certificate profile that trusts the machine certificate's CA and assign it within the Gateway Agent –> Client Authentication settings.
- D. Configure the Gateway Agent –> Tunnel Settings to use IPSec with machine certificate authentication for the pre-logon tunnel.

An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.
Which API call is required for this task?
- A. XML API command with an xpath of config/devices/entry/vsys/entry/path-quality-profiles on Panorama
- B. XML API command with an xpath of sdwan/path-quality-profiles on a managed firewall
- C. POST request to the SDWanPathQualityProfiles object endpoint via the REST API on Panorama
- D. POST request to the pathMonitoringProfiles object endpoint via the REST API on a managed firewall

An engineer is troubleshooting a failed inter-VSYS communication path between a DMZ-VSYS and an Internal-VSYS. The configuration includes separate virtual routers with next-vr static routes and appropriate Security policies within each VSYS allowing traffic to and from their external zones.
Given that all routing and policy configurations within each individual VSYS are correct, what is the probable cause of the failure?
- A. The intrazone-default policy is blocking the traffic because the two external zones are logically connected.
- B. A tunnel interface is required to connect the two virtual routers instead of using the next-vr option.
- C. The administrator did not configure Visible Virtual System.
- D. The external zones were not assigned the External zone type, preventing them from connecting.

What is the primary use case for the CN-Series NGFW?
- A. Protecting mobile users and remote branch offices (east-west)
- B. Providing security for physical data center perimeters (north-south)
- C. Securing traffic in and out of a public cloud VPC or VNet (north-south)
- D. Enforcing Security policies between pods in a Kubernetes environment (east-west)

Which PAN-OS method of mapping users to IP addresses is the most reliable?
- A. Port mapping
- B. GlobalProtect
- C. Syslog
- D. Server monitoring

An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.
How does Ansible enable an IaC model for managing this organization's firewalls?
- A. By providing real-time threat intelligence feeds directly to the firewalls' data plane
- B. By providing a graphical user interface that simplifies the creation of security policies through a drag-and-drop interface
- C. By automatically discovering and mapping all network devices to generate a baseline configuration
- D. By defining firewall configurations in playbooks that can be version-controlled and executed repeatedly

Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?
- A. It acts as a logging service for NGFW performance metrics.
- B. It orchestrates real-time traffic inspection for network segments.
- C. It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.
- D. It manages threat intelligence data synchronization with NGFWs.
