Palo Alto Networks NGFW-Engineer Exam Practice Test Instant Access

Question 1

An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API.

What is a requirement for the application to create SD-WAN interfaces?

AREST API's ''sdwanInterfaceprofiles'' parameter on a Panorama device

BREST API's ''sdwanInterfaces'' parameter on a firewall device

CXML API's ''sdwanprofiles/interfaces'' parameter on a Panorama device

DXML API's ''InterfaceProfiles/sdwan'' parameter on a firewall device

Answer : B

To create SD-WAN interfaces through an API, the correct approach is to use the REST API's 'sdwanInterfaces' parameter on a firewall device. This parameter allows you to configure SD-WAN interfaces directly on the firewall devices via API, ensuring that the required interfaces are set up and managed for SD-WAN functionality.

Question 2

A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

ADeploy the transparent proxy with Web Cache Communications Protocol (WCCP).

BDeploy the Next-Generation Firewalls as normal and install the User-ID agent.

CDeploy the Advanced URL Filtering license and captive portal.

DDeploy the explicit proxy with Kerberos authentication scheme.

Answer : D

In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:

The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.

Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.

Question 3

For which two purposes is an IP address configured on a tunnel interface? (Choose two.)

AUse of dynamic routing protocols

BTunnel monitoring

CUse of peer IP

DRedistribution of User-ID

Answer : A, B

Use of dynamic routing protocols: An IP address is needed on the tunnel interface to participate in dynamic routing protocols (like OSPF, BGP, etc.) over the tunnel. This allows the firewall to advertise routes and receive updates over the tunnel.

Tunnel monitoring: The IP address on the tunnel interface can also be used for monitoring the tunnel's status. Tunnel monitoring (such as IPSec tunnel monitoring) requires an IP address on the tunnel interface to check the health and availability of the tunnel.

Question 4

According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission- critical network?

A8 hours

B16 hours

C32 hours

D48 hours

Answer : A

For a mission-critical network, it is recommended to configure the content update threshold to 8 hours. This ensures that the network is protected with the latest threat intelligence, updates to signatures, and other critical content, minimizing the exposure to newly discovered vulnerabilities and threats.

Regular content updates are crucial in mission-critical environments to ensure the firewall is up-to-date with the latest protections. 8 hours is considered an optimal balance between timely updates and network performance.

Question 5

What must be configured before a firewall administrator can define policy rules based on users and groups?

AUser Mapping profile

BAuthentication profile

CGroup mapping settings

DLDAP Server profile

Answer : C

Before a firewall administrator can define policy rules based on users and groups, the Group Mapping settings must be configured. These settings enable the firewall to map users to their respective Active Directory (AD) groups. This mapping allows the firewall to use user and group information to create policy rules based on group membership.

Question 6

How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?

AThe route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.

BIt will attempt to load balance the traffic across all routes.

CIt compares the administrative distance and chooses the one with the highest value.

DIt compares the administrative distance and chooses the one with the lowest value.

Answer : D

When a Palo Alto Networks firewall receives routes for the same destination from different routing protocols, it uses the administrative distance (AD) to determine the best route. The administrative distance is a measure of the trustworthiness of a route, with a lower value indicating higher preference. The firewall will choose the route with the lowest administrative distance to populate its forwarding table.

Question 7

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

AFor incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

BThe IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

CFor incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

DThe IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Answer : C, D

Separate rules must be created for each direction: Palo Alto Networks firewalls enforce security policies based on traffic direction. To allow bidirectional communication through the IPSec tunnel, two separate rules are required - one for incoming and one for outgoing traffic.

IKE negotiation and IPSec/ESP packets are denied by default: Palo Alto Networks firewalls use an interzone default deny policy, meaning that unless an explicit policy allows IKE (UDP 500/4500) and ESP (protocol 50) traffic, the firewall will block these packets, preventing tunnel establishment. Therefore, administrators must create explicit rules permitting IKE and IPSec/ESP traffic to the firewall's external interface.

Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Exam Practice Test