Summer Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Questions 4

When creating a Log Forwarding profile on a PAN-OS firewall to direct logs to various external and internal systems, which set of methods is available?

Options:

A.

Syslog, Panorama, SD-WAN

B.

Panorama/Cloud logging, email, Syslog

C.

Email, Syslog, NetFlow

D.

HTTP, RADIUS, SNMP

Buy Now
Questions 5

An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.

Which additional step is necessary to meet the operational requirement?

Options:

A.

Enable duplicate logging (cloud and on-premises) under Device - > Setup - > Management in the appropriate templates.

B.

Enable log syncing and commit the template changes to both the on-premises and cloud collectors.

C.

In the collector group settings, add the Strata Logging Service as a secondary destination for the on-premises collector.

D.

Add the Panorama log collector and Strata Logging Service IP addresses to the cloud logging service routes to ensure dual-path cloud and on-premises reachability.

Buy Now

NGFW-Engineer Report Card

Questions 6

What is a valid configurable limit for setting resource quotas when defining a new VSYS on a Palo Alto Networks firewall?

Options:

A.

Percentage of total CPU utilization

B.

Maximum number of SSL decryption rules

C.

Maximum number of virtual routers

D.

Disk space allocation for logs

Buy Now
Questions 7

An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.

How does Ansible enable an IaC model for managing this organization's firewalls?

Options:

A.

By providing real-time threat intelligence feeds directly to the firewalls' data plane

B.

By providing a graphical user interface that simplifies the creation of security policies through a drag-and-drop interface

C.

By automatically discovering and mapping all network devices to generate a baseline configuration

D.

By defining firewall configurations in playbooks that can be version-controlled and executed repeatedly

Buy Now
Questions 8

A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

Options:

A.

Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).

B.

Deploy the Next-Generation Firewalls as normal and install the User-ID agent.

C.

Deploy the Advanced URL Filtering license and captive portal.

D.

Deploy the explicit proxy with Kerberos authentication scheme.

Buy Now
Questions 9

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

Options:

A.

Restarting the local firewall, running a packet capture, accessing the firewall CLI

B.

Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname

C.

Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile

D.

Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports

Buy Now
Questions 10

An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.

Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?

Options:

A.

Certificate revocation checking

B.

SSL/TLS service profile

C.

Decryption profile

D.

Forward trust certificate

Buy Now
Questions 11

A network security engineer wants to create Security policy rules that allow or deny traffic based on a user's department, which corresponds to groups in the company's Active Directory. To achieve this, the firewall needs to retrieve group information from the directory server.

Which configuration object must be created first to establish the connection with the Active Directory server?

Options:

A.

LDAP server profile

B.

User-ID agent service account

C.

Authentication sequence

D.

Kerberos server profile

Buy Now
Questions 12

An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.

Which combination of AWS services and Palo Alto Networks components is required for this use case?

Options:

A.

AWS Lambda function that monitors the firewall's health and re-routes traffic using the AWS API

B.

PAN-OS active/active high availability (HA) pair with an AWS Transit Gateway

C.

Amazon EC2 Auto Scaling group with VM-Series firewalls and an Amazon Gateway Load Balancer

D.

Single VM-Series firewall with an Elastic IP address that can be re-associated upon failure

Buy Now
Questions 13

A network administrator is hardening a new Palo Alto Networks firewall and wants to ensure that all firewall-generated management traffic, such as calls to Strata Logging Service, uses a dedicated in-band data port instead of the out-of-band management port.

Which configuration setting should the administrator modify to reroute this type of traffic?

Options:

A.

Service route

B.

Interface Management profile

C.

Virtual router

D.

Static route

Buy Now
Questions 14

What is a result of enabling split tunneling in the GlobalProtect portal configuration with the “Both Network Traffic and DNS” option?

Options:

A.

It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.

B.

It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.

C.

It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.

D.

It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Buy Now
Questions 15

A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.

Which approach best addresses these requirements while maintaining consistent policy enforcement?

Options:

A.

Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CTurn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.

B.

Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method – such as Group Policy or SCEP – to deploy ce

C.

Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication.

D.

Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.

Buy Now
Questions 16

An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners. Due to compliance regulations, the firewalls protecting the internal network must not have any identity information about external partners. Conversely, firewalls in the partner-facing DMZ should only be aware of partner identities.

Which CIE feature is designed to solve this data partitioning requirement?

Options:

A.

Panorama templates, which can be used to push different User-ID agent configurations to each firewall group

B.

Segments, which can be configured to create distinct, filter-based views of users and groups that are then redistributed only to the appropriate firewalls

C.

Multiple tenants, where a separate CIE tenant is required for each user directory to maintain isolation

D.

Directory sync filtering, which is used at the source to prevent specific OUs from being imported into CIE

Buy Now
Questions 17

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

Options:

A.

License

B.

Plugin

C.

Content update

D.

General setting

Buy Now
Questions 18

An organization needs a GlobalProtect solution that meets two key requirements:

• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.

• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).

Which GlobalProtect authentication configuration should be used to meet both requirements?

Options:

A.

Cookie-based authentication for both pre-logon and user logon.

B.

SAML authentication for pre-logon and certificate-based authentication for user logon.

C.

Single authentication profile using Kerberos to handle both pre-logon and user logon.

D.

Certificate-based authentication for pre-logon and SAML authentication for user logon.

Buy Now
Questions 19

Which initial action is required to configure logical routers?

Options:

A.

Changing the virtual router type from "default" to "advanced"

B.

Activating an advanced routing subscription

C.

Committing a new advanced routing software module

D.

Checking "advanced routing" in general settings

Buy Now
Questions 20

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

Options:

A.

Deploying Ansible scripts for zone-specific scaling

B.

Implementing Terraform templates for redundancy within one availability zone

C.

Using load balancer and health probes

D.

Configuring active/active HA

Buy Now
Questions 21

An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.

To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?

Options:

A.

0 hours

B.

12 hours

C.

24 hours

D.

48 hours

Buy Now
Questions 22

A network administrator is configuring path monitoring for a primary static route to ensure immediate failback from a backup route. The administrator wants the primary route to become active again without any delay as soon as its path is restored.

Which preemptive hold time value should the administrator configure to achieve this immediate failback?

Options:

A.

-1

B.

0

C.

1

D.

2

Buy Now
Questions 23

An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.

What is the most likely cause of this issue?

Options:

A.

A static route for the new subnet pointing to the tunnel interface is missing.

B.

The Security policy for the new subnet must be placed above the existing VPN policy.

C.

The new local and remote subnets are missing from the Proxy ID configuration.

D.

The tunnel's maximum transmission unit (MTU) size must be increased to accommodate the new traffic.

Buy Now
Questions 24

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

Options:

A.

For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

B.

The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

C.

For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

D.

The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Buy Now
Questions 25

An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.

What is the most likely cause of these widespread certificate errors?

Options:

A.

The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection.

B.

The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license.

C.

The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.

D.

The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client endpoints.

Buy Now
Questions 26

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.

Which configuration in CIE supports this requirement with highest operational efficiency?

Options:

A.

Configure a CIE tenant, connect Okta, and create segments.

B.

Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

C.

Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.

D.

Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.

Buy Now
Questions 27

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.

Which two configurations are required to implement this authentication fallback strategy? (Choose two.)

Options:

A.

Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.

B.

Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.

C.

Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.

D.

Configure a new authentication profile that references the Kerberos server profile.

Buy Now
Questions 28

An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.

Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)

Options:

A.

A security rule is needed to allow IKE and IPSec traffic between the zone where the physical interface resides and the zone of the partner gateway.

B.

A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface.

C.

Security rules must be configured to permit application traffic from the local zone to the tunnel zone, and from the tunnel zone to the local zone.

D.

An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic.

Buy Now
Questions 29

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

Options:

A.

Isolated

B.

Transient

C.

External

D.

Internal

Buy Now
Questions 30

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

Options:

A.

Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

B.

Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

C.

Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

D.

Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

Buy Now
Questions 31

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

Options:

A.

It is associated with an interface within a VSYS of a firewall.

B.

It is a security object associated with a specific virtual router of a VSYS.

C.

It is not associated with an interface; it is associated with a VSYS itself.

D.

It is a security object associated with a specific VSYS.

Buy Now
Questions 32

A Managed Security Service Provider (MSSP) is creating a new VSYS for a customer.

To prevent this customer’s traffic from overwhelming the firewall’s state table, which resource limit should the MSSP configure for the new VSYS?

Options:

A.

Max security profiles

B.

Max bandwidth

C.

Max sessions

D.

Max Log Forwarding profiles

Buy Now
Questions 33

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.

What is the recommended method to achieve this goal?

Options:

A.

Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.

B.

Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.

C.

Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.

D.

Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

Buy Now
Questions 34

An administrator must perform several actions on a fleet of firewalls from a central Panorama instance. To maintain efficiency, the administrator wants to only perform actions that do not require switching context into each firewall's individual web interface.

Which set of actions is available to the administrator directly from the Panorama UI?

Options:

A.

Creating a new VLAN -

Assigning an interface to the new VLAN

Configuring a new DHCP server on the firewall

B.

Modifying a pre-rule -

Editing a shared service object -

Creating a new certificate profile

C.

Accessing the CLI -

Restarting the device -

Installing the latest content and software versions

D.

Configuring a new IPSec tunnel -

Modifying the IKE gateway -

Changing the DNS server settings of the firewall

Buy Now
Questions 35

A network security engineer is designing a resilient architecture for inspecting traffic in Google Cloud Platform (GCP). The design must ensure that firewall service is maintained even if a single GCP zone becomes unavailable.

Which architecture should be used for the VM-Series firewalls in this use case?

Options:

A.

Ansible playbook that monitors the health of the primary firewall and launches a new one in a different zone when a failure is detected

B.

Single, large VM-Series firewall in one zone that is configured for live migration to another zone upon failure

C.

Instance group of VM-Series firewalls spread across multiple zones with traffic routed to them by a GCP Internal Load Balancer

D.

PAN-OS active/active high availability (HA) cluster configured with dedicated HA interfaces in a shared VPC

Buy Now
Questions 36

An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.

Which GlobalProtect portal setting should be configured to resolve this issue?

Options:

A.

Split tunneling for DNS and specify the internal corporate domains in the "Domain" list

B.

DNS Proxy feature on the firewall to point clients to the gateway IP for DNS

C.

"DNS Forwarding" option on the gateway's tunnel interface

D.

NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers

Buy Now
Questions 37

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

Options:

A.

Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

B.

Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

C.

Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

D.

Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Buy Now
Exam Code: NGFW-Engineer
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jul 6, 2026
Questions: 125

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now NGFW-Engineer testing engine

PDF (Q&A)

$31.5  $104.99
buy now NGFW-Engineer pdf
dumpsmate guaranteed to pass

24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 06 Jul 2026