NGFW-ENGINEER Exam Questions
126 real NGFW-ENGINEER exam questions with expert-verified answers and explanations. Page 3 of 3.
- Question #101Firewall Interface Configuration
What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?
Virtual WireInterface ConfigurationLink SpeedTransmission Mode - Question #102Network Interface Configuration and Features
When configuring a physical interface on a Palo Alto Networks firewall, which IP-based service is only available if the interface is set to Layer 3 mode?
Palo Alto Networks interfacesInterface modes (L2/L3)NetFlow/IPFIXNetwork monitoring - Question #103Network Design and Redundancy
A network engineer observes that after a primary link recovers, the firewall immediately switches traffic back from the backup static route to the primary static route. The enginee...
Static RoutingPath MonitoringNetwork RedundancyPreemption - Question #104High Availability Configuration
A Palo Alto Networks firewall has the following interfaces configured: - ethernet1/1 (Layer 3) - ethernet1/2 (TAP) - ethernet1/3 (Layer 2) - ethernet1/4 (virtual wire) An administr...
HA Link GroupsInterface TypesPalo Alto Networks HAFailover Monitoring - Question #105User-ID and Authentication
An administrator is designing a public key infrastructure (PKI) integration for a large-scale deployment with thousands of users authenticating via client certificates. A key desig...
PKICertificate RevocationOCSPCRLs - Question #106Deploying and Managing VM-Series in AWS
An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provi...
AWS ArchitectureVM-Series DeploymentCloud ScalabilityNetwork Security - Question #107Configure Firewall Management and Security Services
Which two services are configured by applying an SSL/TLS service profile? (Choose two.)
SSL/TLS Service ProfileGlobalProtectFirewall ManagementPalo Alto Networks - Question #108Logging and Reporting
A firewall administrator uses Panorama to manage a fleet of firewalls. After successfully onboarding the firewalls to Strata Logging Service and enabling cloud logging via a templa...
PanoramaStrata Logging ServiceCloud LoggingLog Forwarding - Question #109Virtualization and Resource Management
What is a valid configurable limit for setting resource quotas when defining a new VSYS on a Palo Alto Networks firewall?
VSYSResource ManagementPalo Alto ConfigurationQuota Limits - Question #110User-ID Configuration and Management
When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created thro...
User-IDAuthenticationIdentity MappingPalo Alto Networks - Question #111Configure and Manage High Availability (HA)
After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a 30-45 second delay before traffic started flowing through a Link Aggregation C...
High AvailabilityLACPFailoverNetwork Convergence - Question #112Automation and Orchestration
An engineer is creating an automation workflow. The first step is to deploy a new VM-Series firewall into a VMware vSphere environment, including its virtual machine (VM) configura...
TerraformInfrastructure as CodeVM-Series DeploymentvSphere Integration - Question #113User-ID and Identity Management
An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners....
Cloud Identity EngineCIE SegmentsUser-IDIdentity-based Security - Question #114Network Configuration
What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)
Zone ConfigurationLayer 2 ZonesLayer 3 ZonesFirewall Network Basics - Question #115Dynamic Updates Configuration and Management
An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability...
Dynamic UpdatesContent Update ThresholdsBest PracticesSystem Stability - Question #116GlobalProtect Configuration
An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved...
GlobalProtectSplit DNSVPNSplit Tunneling - Question #117Automation and Orchestration
An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create...
SD-WAN AutomationREST APIPanorama ManagementPath Quality Profiles - Question #118Logging and Reporting
A security administrator is creating a new custom report to get a consolidated view of network events and needs to select a database to query for the report data. Which valid set o...
LoggingReportingLog TypesCustom Reports - Question #119Implementing Security Policies and Features
An organization's Security policy states that for all outbound web traffic, the TCP session to the external web server must be established by the firewall, not the user's workstati...
Explicit ProxyWeb SecurityUser AuthenticationPolicy Enforcement - Question #120Secure Connectivity
An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the...
Site-to-site VPNPolicy-based VPNProxy IDTroubleshooting - Question #121GlobalProtect Configuration
An organization needs a GlobalProtect solution that meets two key requirements: - IT administrators must be able to run scripts and push updates to endpoints before a user logs in....
GlobalProtectAuthenticationSAMLCertificate-based Authentication - Question #122Deploying Containerized NGFW
What is the primary use case for the CN-Series NGFW?
Palo Alto Networks CN-SeriesContainer SecurityKubernetes - Question #123Authentication Management
After a recent security audit, a company is required to enforce more strict validation for all certificate-based authentication, including for GlobalProtect clients. An engineer ob...
OCSPCertificate ProfilesGlobalProtectAuthentication - Question #124Configure and Manage Firewall Security Features
An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report...
SSL DecryptionCertificate TrustSelf-signed CAForward Proxy - Question #125VPN and Security Policy Configuration
An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned t...
VPNIPSecSecurity PolicyFirewall Zones - Question #126Configure and Troubleshoot Routing
A network administrator is configuring path monitoring for a primary static route to ensure immediate failback from a backup route. The administrator wants the primary route to bec...
Path MonitoringStatic RoutesFailbackPreemptive Hold Time