Palo Alto Networks NGFW-Engineer Exam Practice Test Instant Access

Question 1

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

AIsolated

BTransient

CExternal

DInternal

Answer : B

The Transient zone type is used to allow traffic between zones in different virtual systems (VSYS) on a Palo Alto Networks firewall without the traffic leaving the firewall. It provides a way for virtual systems to communicate with each other by acting as a temporary or intermediary zone. Traffic can pass through the firewall between the virtual systems without requiring physical interfaces or leaving the device.

Question 2

How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?

AThe route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.

BIt will attempt to load balance the traffic across all routes.

CIt compares the administrative distance and chooses the one with the highest value.

DIt compares the administrative distance and chooses the one with the lowest value.

Answer : D

When a Palo Alto Networks firewall receives routes for the same destination from different routing protocols, it uses the administrative distance (AD) to determine the best route. The administrative distance is a measure of the trustworthiness of a route, with a lower value indicating higher preference. The firewall will choose the route with the lowest administrative distance to populate its forwarding table.

Question 3

A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

ADeploy the transparent proxy with Web Cache Communications Protocol (WCCP).

BDeploy the Next-Generation Firewalls as normal and install the User-ID agent.

CDeploy the Advanced URL Filtering license and captive portal.

DDeploy the explicit proxy with Kerberos authentication scheme.

Answer : D

In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:

The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.

Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.

Question 4

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

AIt provides a web interface for managing NGFW hardware clusters.

BIt enables centralized log collection and correlation for NGFWs.

CIt facilitates dynamic updates to NGFW threat databases.

DIt automates NGFW policy updates and configurations through playbooks.

Answer : D

In a hybrid cloud deployment, Ansible is primarily used for automating configurations and policy updates on Palo Alto Networks Next-Generation Firewalls (NGFWs). Through the use of playbooks, Ansible can automate the process of deploying security policies, updating configurations, and managing the firewall's state, which enhances efficiency and consistency across multiple NGFWs in a large or hybrid cloud environment.

Question 5

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

AFor incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

BThe IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

CFor incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

DThe IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Answer : C, D

Separate rules must be created for each direction: Palo Alto Networks firewalls enforce security policies based on traffic direction. To allow bidirectional communication through the IPSec tunnel, two separate rules are required - one for incoming and one for outgoing traffic.

IKE negotiation and IPSec/ESP packets are denied by default: Palo Alto Networks firewalls use an interzone default deny policy, meaning that unless an explicit policy allows IKE (UDP 500/4500) and ESP (protocol 50) traffic, the firewall will block these packets, preventing tunnel establishment. Therefore, administrators must create explicit rules permitting IKE and IPSec/ESP traffic to the firewall's external interface.

Question 6

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

AFlood Protection

BProtocol Protection

CPacket-Based Attack Protection

DReconnaissance Protection

Answer : B

In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts. These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.

Question 7

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

ACreate one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

BEstablish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

CDisable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

DDeploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Answer : B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.

Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Exam Practice Test