Summer Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Palo Alto Networks Next-Generation Firewall Engineer Question and Answers

Palo Alto Networks Next-Generation Firewall Engineer

Last Update Jul 14, 2026
Total Questions : 125

We are offering FREE NGFW-Engineer Paloalto Networks exam questions. All you do is to just go and sign up. Give your details, prepare NGFW-Engineer free exam questions and then go for complete pool of Palo Alto Networks Next-Generation Firewall Engineer test questions that will help you more.

NGFW-Engineer pdf

NGFW-Engineer PDF

$36.75  $104.99
NGFW-Engineer Engine

NGFW-Engineer Testing Engine

$43.75  $124.99
NGFW-Engineer PDF + Engine

NGFW-Engineer PDF + Testing Engine

$57.75  $164.99
Questions 1

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

Options:

A.  

Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

B.  

Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

C.  

Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

D.  

Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

Discussion 0
Questions 2

A network administrator needs to replace the default self-signed certificate on a firewall with one signed by the company's internal certificate authority (CA).

Which two firewall features would require this new certificate to be assigned via an SSL/TLS service profile? (Choose two.)

Options:

A.  

User-ID agent redistribution

B.  

RADIUS server authentication

C.  

Authentication portal

D.  

GlobalProtect gateway

Discussion 0
Questions 3

Which two zone types are valid when configuring a new security zone? (Choose two.)

Options:

A.  

Tunnel

B.  

Intrazone

C.  

Internal

D.  

Virtual Wire

Discussion 0
Questions 4

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

Options:

A.  

For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

B.  

The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

C.  

For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

D.  

The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Discussion 0
Questions 5

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

Options:

A.  

Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre shared key.

B.  

Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.

C.  

Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”

D.  

Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one

or more “Rounds.”

Discussion 0
Questions 6

An engineer is creating an automation workflow. The first step is to deploy a new VM-Series firewall into a VMware vSphere environment, including its virtual machine (VM) configuration and network interfaces. The second step is to connect to the firewall and configure a complex set of Security policies and objects. The team uses both Terraform and Ansible.

For which part of this workflow would Terraform typically be used?

Options:

A.  

Pushing threat intelligence updates to the new firewall

B.  

Deploying the VM and associated network interfaces

C.  

Storing the credentials needed to access the vSphere environment

D.  

Applying the detailed Security policies and objects

Discussion 0
Questions 7

A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.

Which two Security policy requirements must be included in the implementation plan? (Choose two answers)

Options:

A.  

The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer.

B.  

A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.

C.  

A policy must explicitly permit only the IKE application between the external-facing zone and local zone.

D.  

A policy must explicitly permit the IPSec container application between the external-facing zone and local zone.

Discussion 0
Questions 8

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

Options:

A.  

NAT tables

B.  

User Authentication

C.  

GlobalProtect Gateways

D.  

GlobalProtect Portal

Discussion 0
Questions 9

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A.  

They must be configured with auto-negotiate settings regardless of the port type.

B.  

They must all be either copper or fiber optic, however they can be different.

C.  

They must have the same link speed and transmission mode.

D.  

They must be the same media type.

Discussion 0
Questions 10

A network engineer has configured a PAN-OS firewall for client certificate authentication. The firewall has the corporate root CA certificate loaded. Client certificates are issued by an intermediate certificate authority (CA), which is signed by the root CA. However, when users attempt to connect, the authentication fails, and system logs indicate an "invalid certificate" error.

What is the most likely cause of this authentication failure?

Options:

A.  

Intermediate CA certificate has not been imported onto the firewall and added to the trust chain.

B.  

Client certificates were generated with an insecure key length (e.g., 1024-bit RSA).

C.  

Firewall clock is out of sync with the CA server by more than five minutes.

D.  

Online Certificate Status Protocol (OCSP) responder is unreachable, and no certificate revocation list (CRL) fallback is configured.

Discussion 0
Questions 11

An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.

Which GlobalProtect portal setting should be configured to resolve this issue?

Options:

A.  

Split tunneling for DNS and specify the internal corporate domains in the "Domain" list

B.  

DNS Proxy feature on the firewall to point clients to the gateway IP for DNS

C.  

"DNS Forwarding" option on the gateway's tunnel interface

D.  

NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers

Discussion 0
Questions 12

After a recent security audit, a company is required to enforce more strict validation for all certificate-based authentication, including for GlobalProtect clients. An engineer observes the firewall accepting certificates from a recently compromised intermediate certificate authority (CA). The engineer needs to update the firewall configuration to use an Online Certificate Status Protocol (OCSP) responder to check for revoked certificates in real time.

In which configuration object would the engineer enable OCSP verification for the CAs used in the authentication process?

Options:

A.  

Authentication sequence

B.  

Decryption profile

C.  

SSL/TLS service profile

D.  

Certificate profile

Discussion 0
Questions 13

By default, which type of traffic is configured by service route configuration to use the management interface?

Options:

A.  

Security zone

B.  

IPSec tunnel

C.  

Virtual system (VSYS)

D.  

Autonomous Digital Experience Manager (ADEM)

Discussion 0
Questions 14

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.

What is the effect of configuring this split DNS policy?

Options:

A.  

It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.

B.  

It blocks access to all domains that are not explicitly listed in the split tunnel configuration.

C.  

It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.

D.  

It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.

Discussion 0
Questions 15

When multiple routes have the same destination prefix, which attribute does the firewall use first to determine route preference?

Options:

A.  

Administrative distance

B.  

Route metric

C.  

Next-hop availability

D.  

Longest prefix match

Discussion 0
Questions 16

An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.

Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)

Options:

A.  

Tunnel monitoring

B.  

Proxy ID configuration

C.  

IKEv2 protocol support

D.  

Dynamic routing

Discussion 0
Questions 17

Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?

Options:

A.  

It acts as a logging service for NGFW performance metrics.

B.  

It orchestrates real-time traffic inspection for network segments.

C.  

It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.

D.  

It manages threat intelligence data synchronization with NGFWs.

Discussion 0
Questions 18

A network engineer observes a pattern of anomalous traffic hitting an external-facing zone, including a high volume of TCP packets that are not part of a new session handshake (non-SYN), and a large number of ICMP fragments. The engineer decides to apply a Zone Protection profile to mitigate these potential threats.

Which protection type within the profile must be configured?

Options:

A.  

Protocol Protection

B.  

Flood Protection

C.  

Reconnaissance Protection

D.  

Packet-Based Attack Protection

Discussion 0
Questions 19

An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing machine certificates onto the firewall.

Which configuration is required on the GlobalProtect Gateway to enable pre-logon using these machine certificates?

Options:

A.  

Create a device-based Security policy that allows traffic from the pre-logon user to an internal management zone.

B.  

Create an authentication profile that points to the machine certificate's CA and assign it by using the client authentication settings of the GlobalProtect Portal.

C.  

Create a certificate profile that trusts the machine certificate's CA and assign it within the Gateway Agent -- > Client Authentication settings.

D.  

Configure the Gateway Agent -- > Tunnel Settings to use IPSec with machine certificate authentication for the pre- logon tunnel.

Discussion 0
Questions 20

An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.

Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)

Options:

A.  

A security rule is needed to allow IKE and IPSec traffic between the zone where the physical interface resides and the zone of the partner gateway.

B.  

A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface.

C.  

Security rules must be configured to permit application traffic from the local zone to the tunnel zone, and from the tunnel zone to the local zone.

D.  

An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic.

Discussion 0
Questions 21

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.

What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

Options:

A.  

Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.

B.  

Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.

C.  

Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.

D.  

Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

Discussion 0
Questions 22

A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.

Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?

Options:

A.  

Define the local and remote subnets provided by the partner in the Proxy ID settings.

B.  

Create individual Security policies for each pair of local and remote subnets.

C.  

Assign a specific IP address to the tunnel interface to match the Check Point gateway.

D.  

Enable Dead Peer Detection (DPD) in the IKE Gateway configuration.

Discussion 0
Questions 23

An administrator needs to ensure that a firewall can download threat prevention and software updates, but the management port is on an isolated network without internet access.

Which service must be rerouted through a data plane interface using a service route to allow the firewall to download these updates?

Options:

A.  

External dynamic lists

B.  

GlobalProtect Clientless VPN

C.  

Palo Alto Networks Services

D.  

Syslog

Discussion 0
Questions 24

Which initial action is required to configure logical routers?

Options:

A.  

Changing the virtual router type from "default" to "advanced"

B.  

Activating an advanced routing subscription

C.  

Committing a new advanced routing software module

D.  

Checking "advanced routing" in general settings

Discussion 0
Questions 25

When configuring a physical interface on a Palo Alto Networks firewall, which IP-based service is only available if the interface is set to Layer 3 mode?

Options:

A.  

DDNS client

B.  

NetFlow export

C.  

QoS

D.  

Link monitoring

Discussion 0
Questions 26

A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

Options:

A.  

Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).

B.  

Deploy the Next-Generation Firewalls as normal and install the User-ID agent.

C.  

Deploy the Advanced URL Filtering license and captive portal.

D.  

Deploy the explicit proxy with Kerberos authentication scheme.

Discussion 0
Questions 27

An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.

What is the most likely cause of these widespread certificate errors?

Options:

A.  

The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection.

B.  

The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license.

C.  

The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.

D.  

The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client endpoints.

Discussion 0
Questions 28

In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

Options:

A.  

To forward packets to the HA peer during session setup and asymmetric traffic flow

B.  

To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information

C.  

To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair

D.  

To perform session cache synchronization among all HA peers having the same cluster ID

Discussion 0
Questions 29

An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.

To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?

Options:

A.  

0 hours

B.  

12 hours

C.  

24 hours

D.  

48 hours

Discussion 0
Questions 30

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

Options:

A.  

Restarting the local firewall, running a packet capture, accessing the firewall CLI

B.  

Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname

C.  

Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile

D.  

Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports

Discussion 0
Questions 31

What must be configured before a firewall administrator can define policy rules based on users and groups?

Options:

A.  

User Mapping profile

B.  

Authentication profile

C.  

Group mapping settings

D.  

LDAP Server profile

Discussion 0
Questions 32

An engineer is troubleshooting a failed inter-VSYS communication path between a DMZ-VSYS and an Internal-VSYS. The configuration includes separate virtual routers with next-vr static routes and appropriate Security policies within each VSYS allowing traffic to and from their external zones.

Given that all routing and policy configurations within each individual VSYS are correct, what is the probable cause of the failure?

Options:

A.  

The intrazone-default policy is blocking the traffic because the two external zones are logically connected.

B.  

A tunnel interface is required to connect the two virtual routers instead of using the next-vr option.

C.  

The administrator did not configure Visible Virtual System.

D.  

The external zones were not assigned the External zone type, preventing them from connecting.

Discussion 0
Questions 33

A Palo Alto Networks firewall has the following interfaces configured:

• ethernet1/1 (Layer 3)

• ethernet1/2 (TAP)

• ethernet1/3 (Layer 2)

• ethernet1/4 (virtual wire)

An administrator needs to create a link group to monitor upstream connectivity for high availability (HA) failover.

Which set of interfaces can be added to the link group?

Options:

A.  

ethernet1/1, ethernet1/2, ethernet1/4

B.  

ethernet1/1, ethernet1/2, ethernet1/3

C.  

ethernet1/2, ethernet1/3, ethernet1/4

D.  

ethernet1/1, ethernet1/3, ethernet1/4

Discussion 0
Questions 34

Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

Options:

A.  

DDNS

B.  

Link Duplex

C.  

NetFlow

D.  

LLDP

Discussion 0
Questions 35

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

Options:

A.  

Isolated

B.  

Transient

C.  

External

D.  

Internal

Discussion 0
Questions 36

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

Options:

A.  

License

B.  

Plugin

C.  

Content update

D.  

General setting

Discussion 0
Questions 37

Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?

Options:

A.  

Panorama, syslog, email

B.  

Syslog, HTTP, NetFlow

C.  

Panorama, ADEM, syslog

D.  

SNMP, HTTP, RADIUS

Discussion 0