Palo Alto Networks NGFW-Engineer Exam Questions Instant Access

Question 1

Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

ADDNS

BLink Duplex

CNetFlow

DLLDP

Answer : C

NetFlow is a Layer 3 (network layer) protocol that collects and monitors IP traffic flows. It is typically configured on Layer 3 interfaces because it relies on IP information for traffic flow analysis, which is not available on Layer 2 interfaces. Layer 2 interfaces handle frames within the local network, and they don't have IP-related details that NetFlow uses to generate traffic statistics.

Question 2

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

AIt provides a web interface for managing NGFW hardware clusters.

BIt enables centralized log collection and correlation for NGFWs.

CIt facilitates dynamic updates to NGFW threat databases.

DIt automates NGFW policy updates and configurations through playbooks.

Answer : D

In a hybrid cloud deployment, Ansible is primarily used for automating configurations and policy updates on Palo Alto Networks Next-Generation Firewalls (NGFWs). Through the use of playbooks, Ansible can automate the process of deploying security policies, updating configurations, and managing the firewall's state, which enhances efficiency and consistency across multiple NGFWs in a large or hybrid cloud environment.

Question 3

In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured.

What function do certificate profiles serve in this context?

AThey store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.

BThey define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.

CThey allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.

DThey provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.

Answer : B

In the context of GlobalProtect with certificate-based authentication, certificate profiles are used to ensure proper validation of the certificates. They perform the following functions:

Define trust anchors, which are the root and intermediate Certificate Authorities (CAs) that the firewall trusts to authenticate certificates.

Specify revocation checks, such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol), to ensure that the certificates being used have not been revoked.

Map certificate attributes, such as the Common Name (CN), which helps in authenticating users and devices based on their certificates.

Question 4

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

ALicense

BPlugin

CContent update

DGeneral setting

Answer : A

To enable the Advanced Routing Engine (ARE) on a Palo Alto Networks firewall, the license for the ARE must be applied first. Without the proper license, the firewall cannot activate and use the advanced routing features provided by ARE, such as support for more complex routing protocols (e.g., BGP, OSPF, etc.).

Once the license is applied and validated, the routing engine can be configured, allowing the creation of logical routers and routing policies.

Question 5

What is a result of enabling split tunneling in the GlobalProtect portal configuration with the ''Both Network Traffic and DNS'' option?

AIt specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.

BIt allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.

Clt allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.

DIt specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Answer : D

When split tunneling is enabled with the 'Both Network Traffic and DNS' option in the GlobalProtect portal configuration, it allows the firewall to control which traffic is sent over the VPN tunnel and which is not. Specifically, it determines which domains are resolved by the VPN-assigned DNS servers (for domains requiring VPN access) and which are resolved by local DNS servers (for domains that can be accessed without the VPN tunnel).

Question 6

An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other.

Which action taken by the engineer will resolve this issue?

AConfigure each interface to belong to the same Layer 2 zone and enable IP routing between them.

BAssign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN.

CAssign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone.

DEnable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN.

Answer : B

In a Layer 2 configuration, interfaces are typically grouped into the same Layer 2 zone. When the interfaces are assigned to the same VLAN, the firewall will treat them as part of the same broadcast domain.

In a Layer 2 setup, interfaces must be in the same Layer 2 zone to allow the traffic within the same VLAN to pass. Additionally, a security policy must be configured to allow traffic within this VLAN or zone. This will resolve the issue by ensuring that traffic is permitted between clients behind different interfaces assigned to the same VLAN.

Question 7

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

AService graph

BAnsible automation modules

CPanorama role-based access control

DCN-Series firewalls

Answer : D

When integrating Kubernetes with Palo Alto Networks NGFWs, the CN-Series firewalls are specifically designed to secure traffic between microservices in containerized environments. These firewalls provide advanced security features like Application Identification (App-ID), URL filtering, and Threat Prevention to secure communication between containers and microservices within a Kubernetes environment.

Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Exam Questions