Palo Alto Networks NGFW-Engineer Exam Practice Test Instant Access

Question 1

A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

ADeploy the transparent proxy with Web Cache Communications Protocol (WCCP).

BDeploy the Next-Generation Firewalls as normal and install the User-ID agent.

CDeploy the Advanced URL Filtering license and captive portal.

DDeploy the explicit proxy with Kerberos authentication scheme.

Answer : D

In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:

The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.

Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.

Question 2

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

ANAT tables

BUser Authentication

CGlobalProtect Gateways

DGlobalProtect Portal

Answer : C, D

Palo Alto Networks Next-Generation Firewalls (NGFWs) use SSL/TLS profiles to secure connections for services such as GlobalProtect Gateways and GlobalProtect Portals. These profiles are used to manage the SSL/TLS encryption and decryption for secure communication between the firewall and clients (such as VPN clients for GlobalProtect). This helps ensure the confidentiality and integrity of the data during transmission.

Question 3

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

AFlood Protection

BProtocol Protection

CPacket-Based Attack Protection

DReconnaissance Protection

Answer : B

In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts. These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.

Question 4

Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?

AICPU

BSessions limit

CMemory

DSecurity profile limit

Answer : B

When configuring a new firewall virtual system (VSYS) on a Palo Alto Networks firewall, one of the resources that can be assigned is the sessions limit. This setting allows the administrator to control the number of active sessions that can be handled by the VSYS, ensuring that each virtual system has an appropriate allocation of resources based on its needs.

Question 5

How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?

AThe route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.

BIt will attempt to load balance the traffic across all routes.

CIt compares the administrative distance and chooses the one with the highest value.

DIt compares the administrative distance and chooses the one with the lowest value.

Answer : D

When a Palo Alto Networks firewall receives routes for the same destination from different routing protocols, it uses the administrative distance (AD) to determine the best route. The administrative distance is a measure of the trustworthiness of a route, with a lower value indicating higher preference. The firewall will choose the route with the lowest administrative distance to populate its forwarding table.

Question 6

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

AIt provides a web interface for managing NGFW hardware clusters.

BIt enables centralized log collection and correlation for NGFWs.

CIt facilitates dynamic updates to NGFW threat databases.

DIt automates NGFW policy updates and configurations through playbooks.

Answer : D

In a hybrid cloud deployment, Ansible is primarily used for automating configurations and policy updates on Palo Alto Networks Next-Generation Firewalls (NGFWs). Through the use of playbooks, Ansible can automate the process of deploying security policies, updating configurations, and managing the firewall's state, which enhances efficiency and consistency across multiple NGFWs in a large or hybrid cloud environment.

Question 7

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

AIsolated

BTransient

CExternal

DInternal

Answer : B

The Transient zone type is used to allow traffic between zones in different virtual systems (VSYS) on a Palo Alto Networks firewall without the traffic leaving the firewall. It provides a way for virtual systems to communicate with each other by acting as a temporary or intermediary zone. Traffic can pass through the firewall between the virtual systems without requiring physical interfaces or leaving the device.

Palo Alto Networks NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Exam Practice Test