Palo Alto Networks NGFW-Engineer Exam Practice Test Instant Access

Question 1

An engineer is implementing a new rollout of SAML for administrator authentication across a company's Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.

Which two actions meet the criteria? (Choose two.)

ACreate a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.

BCreate an authentication sequence that includes both the ''RADIUS'' Server Profile and ''SAML Identity Provider'' Server Profile to run the two services in tandem.

CCreate and apply an authentication profile with the ''SAML Identity Provider'' Server Profile.

DCreate and add the ''SAML Identity Provider'' Server Profile to the authentication profile for the ''RADIUS'' Server Profile.

Answer : B, D

To enable both RADIUS and SAML authentication to run in parallel during the transition period, you need to configure an authentication sequence and an authentication profile that includes both authentication methods.

By creating an authentication sequence that includes both RADIUS and SAML server profiles, the firewall will attempt authentication with RADIUS first and, if that fails, will fall back to SAML. This enables both authentication types to function simultaneously during the transition period.

You can also configure an authentication profile that includes both the RADIUS Server Profile and the SAML Identity Provider server profile. This setup allows the firewall to use both RADIUS and SAML for authentication requests, and it will check both authentication methods in parallel.

Question 2

During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.

Which firewall models support this configuration?

APA-5280, PA-7080, PA-3250, VM-Series

BPA-455, VM-Series, PA-1410, PA-5450

CPA-3260, PA-5410, PA-850, PA-460

DPA-7050, PA-1420, VM-Series, CN-Series

Answer : C

The Advanced Routing Engine (ARE) is supported on Palo Alto Networks firewalls that utilize the PAN-OS 11.0+ software and have the required hardware architecture. The supported models include PA-3200 Series, PA-5400 Series, PA-800 Series, and PA-400 Series. These models provide enhanced routing capabilities, including BGP, OSPF, and more complex routing policies.

PA-3260 and PA-5410 are part of the PA-3200 and PA-5400 Series, which are known to support ARE.

PA-850 and PA-460 are within the PA-800 and PA-400 Series, which also support ARE

Question 3

Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?

APanorama, syslog, email

BSyslog, HTTP, NetFlow

CPanorama, ADEM, syslog

DSNMP, HTTP, RADIUS

Answer : A

When configuring the Log Forwarding profile on a Palo Alto Networks firewall, the forwarding methods available include:

Panorama: For forwarding logs to a Panorama management system.

Syslog: For forwarding logs to a syslog server.

Email: For sending logs via email.

Question 4

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

AFor incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

BThe IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

CFor incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

DThe IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Answer : C, D

Separate rules must be created for each direction: Palo Alto Networks firewalls enforce security policies based on traffic direction. To allow bidirectional communication through the IPSec tunnel, two separate rules are required - one for incoming and one for outgoing traffic.

IKE negotiation and IPSec/ESP packets are denied by default: Palo Alto Networks firewalls use an interzone default deny policy, meaning that unless an explicit policy allows IKE (UDP 500/4500) and ESP (protocol 50) traffic, the firewall will block these packets, preventing tunnel establishment. Therefore, administrators must create explicit rules permitting IKE and IPSec/ESP traffic to the firewall's external interface.

Question 5

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

ACreate one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

BEstablish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

CDisable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

DDeploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Answer : B

To meet the requirement of data isolation for different regional business units while minimizing administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE) tenants for each business unit. Each tenant would be integrated with the relevant identity sources (such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity data for each region is kept isolated and only relevant user and group data is distributed to the respective regional firewalls.

By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization ensures that each region's firewall only receives the user and group data relevant to that region, thus meeting data sovereignty requirements and minimizing administrative complexity.

Question 6

For which two purposes is an IP address configured on a tunnel interface? (Choose two.)

AUse of dynamic routing protocols

BTunnel monitoring

CUse of peer IP

DRedistribution of User-ID

Answer : A, B

Use of dynamic routing protocols: An IP address is needed on the tunnel interface to participate in dynamic routing protocols (like OSPF, BGP, etc.) over the tunnel. This allows the firewall to advertise routes and receive updates over the tunnel.

Tunnel monitoring: The IP address on the tunnel interface can also be used for monitoring the tunnel's status. Tunnel monitoring (such as IPSec tunnel monitoring) requires an IP address on the tunnel interface to check the health and availability of the tunnel.

Question 7

In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

ATo forward packets to the HA peer during session setup and asymmetric traffic flow

BTo exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information

CTo synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair

DTo perform session cache synchronization among all HA peers having the same cluster ID

Answer : D

In an active/active HA configuration with two PA-Series firewalls, the HA3 interface is used primarily for the exchange of HA state information between the firewalls. This includes:

Hellos and heartbeats to monitor the status of the HA peer.

Synchronization of management plane data, which includes critical routing and User-ID information.

Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Exam Practice Test