Palo Alto Networks NGFW-Engineer Exam Questions Instant Access

Question 1

Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?

AWhen a policy match is found in a local firewall policy, if any Panorama shared post-rule is configured, it will still be evaluated.

BLocal firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules.

CPanorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting.

DThe order of policy evaluation can be configured differently in different device groups.

Answer : B

Local firewall rules are evaluated after Panorama pre-rules (those applied before the firewall's local policies) and before Panorama post-rules (those applied after the firewall's local policies). This ensures that the local firewall rules do not override the central Panorama policy and are only applied in the appropriate order within the policy evaluation sequence.

Question 2

Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

ATraffic, User-ID, URL

BTraffic, threat, data filtering, User-ID

CGlobalProtect, traffic, application statistics

DThreat, GlobalProtect, application statistics, WildFire submissions

Answer : B

When building a custom report on a Palo Alto Networks NGFW, you can select detailed logs that provide specific insights into various aspects of firewall activity. The available options for detailed logs typically include:

Traffic logs: These provide information on the network traffic passing through the firewall.

Threat logs: These logs capture data related to identified security threats, such as malware or intrusion attempts.

Data filtering logs: These logs capture events related to data filtering policies, such as preventing the transfer of sensitive data.

User-ID logs: These logs associate user identities with the traffic and activities observed on the firewall, enabling user-based policy enforcement.

Question 3

What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?

AScanning, Isolation, Whitelisting, Logging

BDiscovery, Deployment, Detection, Prevention

CPolicy Generation, Discovery, Enforcement, Logging

DProfiling, Policy Generation, Enforcement, Reporting

Answer : B

The phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution are designed to help identify and protect against potential threats in real time by using AI to detect and prevent malicious activities within the network.

Discovery: Identifying applications, services, and behaviors within the network to understand baseline activity.

Deployment: Implementing the solution into the network and integrating with existing security measures.

Detection: Monitoring traffic and activities to identify abnormal or malicious behavior.

Prevention: Taking action to stop threats once detected, such as blocking malicious traffic or stopping exploit attempts.

Question 4

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

ALicense

BPlugin

CContent update

DGeneral setting

Answer : A

To enable the Advanced Routing Engine (ARE) on a Palo Alto Networks firewall, the license for the ARE must be applied first. Without the proper license, the firewall cannot activate and use the advanced routing features provided by ARE, such as support for more complex routing protocols (e.g., BGP, OSPF, etc.).

Once the license is applied and validated, the routing engine can be configured, allowing the creation of logical routers and routing policies.

Question 5

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

AFlood Protection

BProtocol Protection

CPacket-Based Attack Protection

DReconnaissance Protection

Answer : B

In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts. These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.

Question 6

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

AUse a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

BDistribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

CConfigure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

DDeploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

Answer : B

To ensure continuous, secure connectivity and consistent policy enforcement with GlobalProtect in an enterprise environment that uses user- and machine-based certificate authentication, the approach should:

Distribute root and intermediate CAs via Panorama templates: This ensures that all firewalls managed by Panorama share the same trusted certificate authorities for consistency and security.

Use distinct certificate profiles for user vs. machine certificates: This enables separate handling of user and machine authentication, ensuring that both types of certificates are managed and validated appropriately.

Reference an internal OCSP responder: By integrating OCSP checks, the firewall can validate certificate revocation in real-time, meeting the security requirement while minimizing the overhead and latency associated with traditional CRLs (Certificate Revocation Lists).

Automate certificate deployment with Group Policy: This ensures that machine certificates are deployed in a consistent and scalable manner across the enterprise, reducing manual intervention and minimizing user disruption.

This approach supports the requirements for pre-logon, OCSP checks, and minimal user disruption, while maintaining a secure, automated, and consistent authentication process across all firewalls managed via Panorama.

Question 7

What must be configured before a firewall administrator can define policy rules based on users and groups?

AUser Mapping profile

BAuthentication profile

CGroup mapping settings

DLDAP Server profile

Answer : C

Before a firewall administrator can define policy rules based on users and groups, the Group Mapping settings must be configured. These settings enable the firewall to map users to their respective Active Directory (AD) groups. This mapping allows the firewall to use user and group information to create policy rules based on group membership.

Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Exam Questions