NGFW-ENGINEER Exam Questions
126 real NGFW-ENGINEER exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #51: Routing
  How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
  Tags: Routing, Administrative Distance, Path Selection, Palo Alto Networks Firewalls
- Question #52: Identity and Access Management
  A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hier...
  Tags: Certificate Authentication, PKI Integration, Panorama Management, OCSP
- Question #53: Routing and Network Services
  What is a key difference between OSPF and BGP when used in a Palo Alto Networks firewall?
  Tags: OSPF, BGP, Routing Protocols, Network Routing Concepts
- Question #54: VPN Configuration
  Which protocol and port number are used by default for IKE Phase 1 negotiations in an IPSec VPN?
  Tags: IPSec VPN, IKE Phase 1, UDP 500, Network Protocols
- Question #55: Secure Connectivity and Authentication
  What is the function of a Certificate Revocation List (CRL) in a PKI?
  Tags: CRL, PKI, Certificate Management, Security Concepts
- Question #56: Configure Routing
  In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?
  Tags: Advanced Routing Engine, Logical Router, PAN-OS Configuration, General Settings
- Question #57: Configure Network Interfaces and Zones
  Which two zone types are valid when configuring a new security zone? (Choose two.)
  Tags: Security Zones, Network Interfaces, Palo Alto NGFW, Firewall Configuration
- Question #58: Configure and Manage GlobalProtect
  An organization has configured GlobalProtect in a hybrid authentication model using both certificate-based authentication for the pre-logon stage and SAML-based multi-factor authen...
  Tags: GlobalProtect, Hybrid Authentication, Pre-logon, SAML MFA
- Question #59: Logging and Reporting
  An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, t...
  Tags: Strata Logging Service, Log Forwarding, Panorama, Duplicate Logging
- Question #60: Implement Security Policies
  An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is re...
  Tags: Layer 2 Interfaces, Security Zones, Security Policies, Intra-zone Communication
- Question #61: Application Identification and Control
  In an enterprise network, security administrators want to control traffic based on application behavior rather than only using IP addresses and TCP/UDP ports. Which NGFW capability...
  Tags: Application Identification, NGFW Capabilities, Deep Packet Inspection, Traffic Control
- Question #62: Application Identification and Traffic Visibility
  A company deploys an NGFW and notices that several applications running over HTTPS (TCP 443) cannot be accurately identified. What is the MOST likely reason for this behavior?
  Tags: NGFW, Application Identification, SSL/TLS Decryption, HTTPS
- Question #63: NGFW Threat Prevention
  An organization wants to protect its internal network from previously unknown malware that does not match any existing signatures. Which NGFW feature BEST addresses this requiremen...
  Tags: Advanced Threat Protection, Malware Protection, Sandbox, Zero-day threats
- Question #64: User Identification and Identity Integration
  A security engineer creates a policy allowing only members of the "Finance" Active Directory group to access a cloud-based accounting application. Which NGFW capability makes this po...
  Tags: User-ID, Identity-based policy, Active Directory integration, Group-based access control
- Question #65: NGFW Performance Management
  After enabling multiple security profiles such as IPS, antivirus, and URL filtering on an NGFW, users report degraded network performance. Which factor is MOST likely causing the i...
  Tags: NGFW Performance, Deep Inspection, Security Profiles, CPU Utilization
- Question #66: NGFW Deployment
  An NGFW is deployed inline to inspect traffic without requiring any changes to existing IP addressing or routing configurations. Which deployment mode is being used?
  Tags: NGFW Deployment Modes, Virtual Wire Mode, Transparent Firewall, Network Integration
- Question #67: Application Identification and Control
  A security team wants to block peer-to-peer file sharing applications even when those applications attempt to evade detection by using non-standard ports. Which NGFW capability ena...
  Tags: Application Identification, NGFW Capabilities, Traffic Classification, Deep Packet Inspection
- Question #68: NGFW Security Features and Capabilities
  Why is SSL/TLS decryption considered critical for effective NGFW security inspection in modern networks?
  Tags: SSL/TLS Decryption, NGFW Security Inspection, Encrypted Traffic, Network Security
- Question #69: Threat Prevention and Web Filtering
  An NGFW policy allows general web browsing but blocks access to known malicious or high-risk websites. Which NGFW security function is MOST directly responsible for this behavior?
  Tags: URL Filtering, Web Security, Threat Prevention, Security Policy
- Question #70: NGFW Core Concepts and Capabilities
  An organization requires a single security platform that integrates firewalling, VPN, intrusion prevention, and malware protection to simplify operations. Which security concept BE...
  Tags: Unified Threat Management, Next-Generation Firewall, Integrated Security, Security Concepts
- Question #71: VM-Series High Availability in Azure
  An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of a...
  Tags: Azure Networking, High Availability (HA), VM-Series Deployment, Availability Zones
- Question #72: Configure Logging and Monitoring
  When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?
  Tags: Log Forwarding, PAN-OS Logging, Security Management, Logging Profiles
- Question #73: Configure SSL/TLS Decryption
  A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certific...
  Tags: SSL Decryption, Forward Proxy, Certificate Management, Client Trust
- Question #74: Implement Site-to-Site VPNs
  An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface. Which two abilities are enabled by this specific configuration step? (Ch...
  Tags: IPSec VPN, Tunnel Interface, Dynamic Routing, VPN Monitoring
- Question #75: Cloud Deployment and Automation
  A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the fir...
  Tags: Infrastructure as Code, Terraform, VM-Series Deployment, Automation
- Question #76: Virtual Systems and Inter-VSYS Communication
  A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required. What are two fundamental...
  Tags: Virtual Systems (VSYS), External Zones, Inter-VSYS Routing, Palo Alto Firewall
- Question #77: Threat Prevention
  A network engineer observes a pattern of anomalous traffic hitting an external-facing zone, including a high volume of TCP packets that are not part of a new session handshake (non...
  Tags: Zone Protection, Packet-Based Attacks, NGFW Configuration, Network Threat Mitigation
- Question #78: Implement and Configure GlobalProtect Remote Access VPN
  An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing mac...
  Tags: GlobalProtect, VPN, Machine Certificates, Certificate Profiles
- Question #79: Authentication and User-ID
  A network administrator needs to replace the default self-signed certificate on a firewall with one signed by the company's internal certificate authority (CA). Which two firewall...
  Tags: Certificate Management, SSL/TLS Service Profiles, Authentication Portal, User-ID
- Question #80: VPNs
  A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific l...
  Tags: VPN Configuration, IPSec Interoperability, Proxy ID, IKE Phase 2 Troubleshooting
- Question #81: Configure and Troubleshoot User-ID
  Which method creates the most reliable user-to-IP mapping due to being based on a direct authentication from the user's device to the firewall?
  Tags: User-ID, Authentication Methods, User-to-IP Mapping, Captive Portal
- Question #82: GlobalProtect Configuration
  An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot...
  Tags: GlobalProtect, Split Tunneling, DNS Configuration, Remote Access VPN
- Question #83: Implementing Routing
  Which initial action is required to configure logical routers?
  Tags: Advanced Routing, Logical Router Setup, Configuration Prerequisites, NGFW System Settings
- Question #84: High Availability Management
  A network security engineer at a 24/7 online retailer is upgrading an active/passive high availability (HA) cluster of PAN-OS firewalls. The primary goal is to perform the upgrade...
  Tags: High Availability (HA), PAN-OS, Software Upgrade, Zero Downtime
- Question #85: Implementing User-ID and Authentication
  A government agency needs to ensure that all user web access is explicitly mediated and authenticated. The agency has the following requirements: - Client browsers must be manually...
  Tags: Explicit Proxy, Kerberos, Single Sign-On (SSO), Active Directory Integration
- Question #86: Firewall Device Management
  A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above...
  Tags: Dynamic Updates, Content Update Threshold, Best Practices, Operational Stability
- Question #87: Configure and Manage Security Policies
  What is the correct sequence of evaluation for Security policy rulebases?
  Tags: Security Policy, Rulebase Evaluation Order, Panorama, Policy Hierarchy
- Question #88: Device Management
  An administrator needs to ensure that a firewall can download threat prevention and software updates, but the management port is on an isolated network without internet access. Whi...
  Tags: Service Routes, Firewall Updates, Device Management, Palo Alto Networks Services
- Question #89: Automation and Orchestration
  An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chos...
  Tags: Infrastructure as Code (IaC), Ansible, Network Automation, Configuration Management
- Question #90: User-ID and Identity-Based Policy
  A network security engineer wants to create Security policy rules that allow or deny traffic based on a user's department, which corresponds to groups in the company's Active Direc...
  Tags: User-ID, Active Directory Integration, LDAP, Security Policy
- Question #91: Virtual Systems (VSYS) Configuration and Management
  When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?
  Tags: Virtual Systems (VSYS), Resource Management, NAT Rules, Firewall Configuration
- Question #92: User-ID and Identity Management
  A large organization has separate production and development environments, each with its own set of firewalls managed by Panorama. The organization uses Cloud Identity Engine (CIE)...
  Tags: Cloud Identity Engine (CIE), Identity Management, User-ID, Identity Segmentation
- Question #93: Centralized Firewall Management with Panorama
  An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that...
  Tags: Panorama, Centralized Management, Device Groups, Security Policies
- Question #94: High Availability (HA) Configuration
  A network administrator is configuring an Aggregate Ethernet (AE) interface on an active/passive high availability (HA) pair. To reduce network downtime during a failover, the admi...
  Tags: LACP, High Availability, Aggregate Ethernet, Failover Optimization
- Question #95: Initial Device Configuration
  A firewall administrator needs to configure a new Palo Alto Networks firewall so that its management interface automatically obtains an IP address, netmask, and default gateway fro...
  Tags: Palo Alto CLI, Management Interface, DHCP Configuration, Initial Firewall Setup
- Question #96: Understanding Firewall Routing Logic and Packet Forwarding Decisions
  When multiple routes have the same destination prefix, which attribute does the firewall use first to determine route preference?
  Tags: Routing, Longest Prefix Match, Route Preference, Packet Forwarding
- Question #97: Cloud Security Deployment and Architecture
  An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment....
  Tags: Cloud NGFW, AWS Security, Azure Security, Hub-and-Spoke
- Question #98: Deployment Options for Palo Alto Networks NGFW
  A cloud security team wants to extend its existing Palo Alto Networks Security policies into the organization's Kubernetes environments. The team requires an NGFW solution that can...
  Tags: Container Security, Kubernetes Security, NGFW Form Factors, Palo Alto Networks CN-Series
- Question #99: VPN Implementation and Security Policy Management
  A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy...
  Tags: IPSec VPN, Security Policies, IKE, Data Transit
- Question #100: Virtual Systems Management
  A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an extern...
  Tags: Virtual Systems (VSYS), Inter-VSYS Routing, Security Zones, Network Segmentation