
Updated Mar-2026 Test Engine to Practice Test for NGFW-Engineer Exam Questions and Answers!
Palo Alto Networks Next-Generation Firewall Engineer Certification Sample Questions and Practice Exam
NEW QUESTION # 20
Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)
- A. Ensure Authentication is set to "certificate," then import a post-quantum derived certificate.
- B. Select IKE v2, enable the Advanced Options - PQ PPK, then set a 64+ character string for the post-quantum pre shared key.
- C. Select IKE v2, enable the Advanced Options - PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more "Rounds."
- D. Select IKE v2 Preferred, enable the Advanced Options - PQ KEM, then add one or more
"Rounds."
Answer: C,D
Explanation:
To implement post-quantum cryptography (PQC) in VPNs between Palo Alto Networks NGFWs, you would enable the PQ KEM (Post-Quantum Key Encapsulation Mechanism) in the IKE gateway configuration. This enables the firewall to use quantum-resistant encryption for key exchange, which is an essential part of securing communications against the potential future threats posed by quantum computing.
By selecting IKE v2 Preferred and enabling the PQ KEM option under Advanced Options, you can add specific Rounds for the post-quantum cryptography process, which will help in implementing quantum-resistant key exchange methods.
This option similarly selects IKE v2 and enables PQ KEM while also creating a dedicated IKE Crypto Profile with the necessary Rounds configured for post-quantum cryptography.
NEW QUESTION # 21
How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
- A. It compares the administrative distance and chooses the one with the lowest value.
- B. The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.
- C. It compares the administrative distance and chooses the one with the highest value.
- D. It will attempt to load balance the traffic across all routes.
Answer: A
Explanation:
When a Palo Alto Networks firewall receives routes for the same destination from different routing protocols, it uses the administrative distance (AD) to determine the best route. The administrative distance is a measure of the trustworthiness of a route, with a lower value indicating higher preference. The firewall will choose the route with the lowest administrative distance to populate its forwarding table.
NEW QUESTION # 22
Before upgrading a Palo Alto Networks firewall to a new PAN-OS version, which preliminary step is crucial to ensure a smooth upgrade process?
- A. Disable all security policies.
- B. Back up the current configuration.
- C. Reset the firewall to factory settings.
- D. Disable High Availability (HA) if configured.
Answer: B
NEW QUESTION # 23
An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature. Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)
- A. Download and install a new content update. View current firewall session details. Initiate a device reboot.
- B. Create a new zone. Configure a new virtual router. View the local ACC on the firewall.
- C. Edit a post-rule. Create a new certificate profile. Configure the firewall's hostname.
- D. Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre- rule.
Answer: C
Explanation:
Palo Alto Networks Panorama provides a centralized management platform that allows administrators to manage firewalls through two primary constructs:TemplatesandDevice Groups. When working directly within the Panorama UI (without switching to the firewall's context), an administrator interacts with these constructs to push configurations down to the managed devices.
The tasks listed inOption Crepresent the core functionality of Panorama's hierarchical management:
* Edit a post-rule:Security policies are managed withinDevice Groups. Post-rules are specific rules that appear after any locally defined rules on the firewall, allowing Panorama to enforce a "bottom-line" security posture across all managed devices.
* Create a new certificate profile:Object management, including certificate profiles, is handled within Templates or Device Groups (depending on scope) and can be easily defined at the Panorama level.
* Configure the firewall's hostname:System-level settings, such as hostnames, DNS, and NTP, are managed viaTemplates.
Conversely, the other options include tasks that generally require a direct connection or a "Context Switch" to the specific firewall's management plane. For example, viewingreal-time session details(Option A) or the local ACC(Option B) requires querying the specific firewall's dataplane. While Panorama can trigger a software update, performing adevice reboot(Option A) or managinglocal administrator accounts(Option D) are typically performed either locally or through the context switch to ensure the administrator is interacting with the device's specific local database rather than the global Panorama template.
NEW QUESTION # 24
Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections?
(Choose two.)
- A. NAT tables
- B. GlobalProtect Portal
- C. User Authentication
- D. GlobalProtect Gateways
Answer: B,D
Explanation:
Palo Alto Networks Next-Generation Firewalls (NGFWs) use SSL/TLS profiles to secure connections for services such as GlobalProtect Gateways and GlobalProtect Portals. These profiles are used to manage the SSL/TLS encryption and decryption for secure communication between the firewall and clients (such as VPN clients for GlobalProtect). This helps ensure the confidentiality and integrity of the data during transmission.
NEW QUESTION # 25
An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.
To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?
- A. 12 hours
- B. 24 hours
- C. 0 hours
- D. 48 hours
Answer: D
Explanation:
For highly sensitive and mission-critical environments such as healthcare systems, Palo Alto Networks best practices recommend using a longer content update threshold to allow sufficient soak time for new updates, reducing the risk of instability or service disruption caused by newly released content.
NEW QUESTION # 26
A security administrator is creating a new custom report to get a consolidated view of network events and needs to select a database to query for the report data.
Which valid set of databases is available for the task?
- A. Data Filtering, IP-Tag, User-ID, Endpoint Security
- B. Traffic, User-ID, Application Statistics, HIP Match
- C. System, Config, Authentication, Session Flow
- D. Threat, URL Filtering, WildFire Submissions, GlobalProtect
Answer: D
Explanation:
These are valid PAN-OS log databases available for custom reporting, allowing consolidated reporting across security events, web access, malware analysis, and remote access activity using built-in firewall logging sources.
NEW QUESTION # 27
What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?
- A. Scanning, Isolation, Whitelisting, Logging
- B. Profiling, Policy Generation, Enforcement, Reporting
- C. Discovery, Deployment, Detection, Prevention
- D. Policy Generation, Discovery, Enforcement, Logging
Answer: C
Explanation:
The phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution are designed to help identify and protect against potential threats in real time by using AI to detect and prevent malicious activities within the network.
Discovery: Identifying applications, services, and behaviors within the network to understand baseline activity.
Deployment: Implementing the solution into the network and integrating with existing security measures.
Detection: Monitoring traffic and activities to identify abnormal or malicious behavior.
Prevention: Taking action to stop threats once detected, such as blocking malicious traffic or stopping exploit attempts.
NEW QUESTION # 28
Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?
- A. Security profile limit
- B. Sessions limit
- C. ICPU
- D. Memory
Answer: C
Explanation:
When configuring a new virtual system (VSYS) on a Palo Alto Networks firewall, the assignable firewall resource is ICPU (Instance CPU).
- ICPU allows you to allocate dataplane processing resources to a specific VSYS
- This enables resource isolation and performance control between multiple VSYSs on the same firewall
NEW QUESTION # 29
An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.
Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?
- A. Enable the "Panorama/Cloud Logging" option in the Logging and Reporting Settings section under Device --> Setup --> Management in the appropriate templates.
- B. Modify all active Log Forwarding profiles to select the "Cloud Logging" option in each profile match list in the appropriate device groups.
- C. Select the "Enable Duplicate Logging" option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.
- D. Select the "Enable Cloud Logging" option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.
Answer: D
Explanation:
To begin sending logs to Strata Logging Service while continuing to forward them to Panorama log collectors, the necessary configuration is to enable Cloud Logging. This option is configured in the Cloud Logging section under Device # Setup # Management in the appropriate templates. Once enabled, this ensures that logs are directed both to the Strata Logging Service (cloud) and to the Panorama log collectors.
NEW QUESTION # 30
What is a result of enabling split tunneling in the GlobalProtect portal configuration with the "Both Network Traffic and DNS" option?
- A. It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.
- B. lt allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.
- C. It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.
- D. It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.
Answer: C
Explanation:
When split tunneling is enabled with the "Both Network Traffic and DNS" option in the GlobalProtect portal configuration, it allows the firewall to control which traffic is sent over the VPN tunnel and which is not.
Specifically, it determines which domains are resolved by the VPN-assigned DNS servers (for domains requiring VPN access) and which are resolved by local DNS servers (for domains that can be accessed without the VPN tunnel).
NEW QUESTION # 31
Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?
- A. Set Transmission Rate to "fast."
- B. Set "Enable in HA Passive State."
- C. Set LACP mode to "Active."
- D. Set passive link state to "Auto."
Answer: C
Explanation:
On a Palo Alto Networks firewall, LACP pre-negotiation means the interface actively sends LACP packets to negotiate the aggregate link instead of waiting for the peer.
LACP mode = Active → The device initiates LACP negotiations by sending LACP PDUs.
LACP mode = Passive → The device waits for the peer to initiate, so no pre-negotiation occurs.
NEW QUESTION # 32
In a Collector Group with multiple Log Collectors, enabling redundancy ensures that:
- A. Each log is stored only on the primary Log Collector.
- B. Each log has two copies, each residing on a different Log Collector.
- C. Logs are distributed based on a round-robin mechanism.
- D. Logs are stored in a compressed format to save space.
Answer: B
NEW QUESTION # 33
An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?
- A. Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
- B. Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
- C. Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
- D. Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.
Answer: B
Explanation:
In an active/passive HA setup, the recommended process for upgrading involves minimizing downtime and ensuring traffic continuity by using the failover process:
Suspend the active firewall: This triggers a failover to the passive unit, making it the active unit.
Upgrade the former passive (now active) unit: With traffic now running on the previously passive unit, upgrade the suspended unit while the active unit continues handling traffic.
Confirm proper operation: Once the upgrade is complete, verify that the upgraded unit is functioning properly.
Fail traffic back: Once the upgraded firewall is confirmed to be working, fail the traffic back to the original active unit and upgrade the remaining firewall.
NEW QUESTION # 34
What is the correct sequence of evaluation for Security policy rulebases?
- A. Panorama Pre-Rules --> Local Firewall Rules --> Panorama Post-Rules
- B. Panorama Shared Rules --> Local Firewall Rules --> Device Group Rules
- C. Panorama Post-Rules --> Panorama Pre-Rules --> Local Firewall Rules
- D. Local Firewall Rules --> Panorama Pre-Rules --> Panorama Post-Rules
Answer: A
Explanation:
Security policy rules are evaluated in a strict top-down order starting with Panorama Pre-Rules, followed by the local firewall rulebase, and finally Panorama Post-Rules, ensuring centrally enforced policies are applied before and after locally defined rules.
NEW QUESTION # 35
A network administrator needs to replace the default self-signed certificate on a firewall with one signed by the company's internal certificate authority (CA).
Which two firewall features would require this new certificate to be assigned via an SSL/TLS service profile? (Choose two.)
- A. User-ID agent redistribution
- B. RADIUS server authentication
- C. Authentication portal
- D. GlobalProtect gateway
Answer: A,C
Explanation:
User-ID agent redistribution uses SSL/TLS for secure communication between the firewall and User-ID agents, which requires a certificate assigned via an SSL/TLS service profile, and the Authentication Portal uses HTTPS for user authentication interactions, which also depends on a certificate provided through an SSL/TLS service profile.
NEW QUESTION # 36
A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.
Which approach best addresses these requirements while maintaining consistent policy enforcement?
- A. Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method - such as Group Policy or SCEP - to deploy certificates to endpoints.
- B. Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CA. Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.
- C. Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall's local certificate store for authentication.
- D. Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.
Answer: A
Explanation:
This approach best addresses the enterprise's requirements for certificate-based authentication, OCSP checks, and consistent policy enforcement:
Distributing the root and intermediate CA certificates via Panorama ensures that all firewalls in the enterprise are consistent in their trust chain and can validate certificates properly.
Configuring OCSP responder profiles on each firewall offloads the revocation checks to an internal OCSP server, which reduces the overhead on the firewalls and ensures fast, real-time certificate status checks.
Using CRL checks as a fallback ensures reliability in case the OCSP responder is unavailable.
Separate certificate profiles for users and devices ensure that the firewall can enforce different security policies based on the type of certificate (user vs. device).
Automated certificate enrollment methods such as Group Policy or SCEP streamline certificate distribution to endpoints, ensuring efficient management of certificates across geographically dispersed firewalls.
NEW QUESTION # 37
An engineer is implementing a new rollout of SAML for administrator authentication across a company's Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned.
The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)
- A. Create an authentication sequence that includes both the "RADIUS" Server Profile and "SAML Identity Provider" Server Profile to run the two services in tandem.
- B. Create and add the "SAML Identity Provider" Server Profile to the authentication profile for the "RADIUS" Server Profile.
- C. Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
- D. Create and apply an authentication profile with the "SAML Identity Provider" Server Profile.
Answer: A,D
Explanation:
B). Create an authentication sequence that orders the RADIUS profile first followed by the SAML profile, allowing the firewall to attempt RADIUS authentication and fall back to SAML if needed, supporting tandem operation for administrator logins.
C). Create and apply an authentication profile using the SAML Identity Provider Server Profile, which can then be sequenced alongside the existing RADIUS profile without disrupting current authentication.
NEW QUESTION # 38
After a recent high availability (HA) failover test on an active/passive cluster, an engineer noted a
30-45 second delay before traffic started flowing through a Link Aggregation Control Protocol (LACP) aggregate interface on the newly active firewall.
What should have been configured to support LACP pre-negotiation to minimize LACP convergence delay?
- A. Set LACP mode to passive.
- B. Enable LACP fast failover.
- C. Enable in HA passive state.
- D. Set HA link monitoring to aggressive.
Answer: C
Explanation:
Enabling LACP in the HA passive state allows the passive firewall to negotiate and maintain the LACP session with the switch before it becomes active, so when a failover occurs the aggregate is already formed and traffic can pass with minimal convergence delay.
NEW QUESTION # 39
A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.
Which action meets the requirements in this scenario?
- A. Deploy the explicit proxy with Kerberos authentication scheme.
- B. Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
- C. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
- D. Deploy the Advanced URL Filtering license and captive portal.
Answer: A
Explanation:
In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:
The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.
Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.
NEW QUESTION # 40
An engineer is implementing a new rollout of SAML for administrator authentication across a company's Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned.
The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)
- A. Create and add the "SAML Identity Provider" Server Profile to the authentication profile for the
"RADIUS" Server Profile. - B. Create an authentication sequence that includes both the "RADIUS" Server Profile and "SAML Identity Provider" Server Profile to run the two services in tandem.
- C. Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
- D. Create and apply an authentication profile with the "SAML Identity Provider" Server Profile.
Answer: B,D
Explanation:
B). Create an authentication sequence that orders the RADIUS profile first followed by the SAML profile, allowing the firewall to attempt RADIUS authentication and fall back to SAML if needed, supporting tandem operation for administrator logins.
C). Create and apply an authentication profile using the SAML Identity Provider Server Profile, which can then be sequenced alongside the existing RADIUS profile without disrupting current authentication.
NEW QUESTION # 41
An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.
Which two abilities are enabled by this specific configuration step? (Choose two.)
- A. Running a dynamic routing protocol like OSPF over the tunnel.
- B. Configuring tunnel monitoring to verify the liveliness of the connection.
- C. Firewall performing NAT traversal.
- D. Firewall encrypting and decrypting packet payloads.
Answer: A,B
Explanation:
Assigning an IP address to the tunnel interface allows the firewall to perform tunnel monitoring by sourcing and receiving keepalive traffic over the tunnel, and enables the use of dynamic routing protocols such as OSPF across the tunnel because the tunnel interface becomes a routable Layer 3 interface.
NEW QUESTION # 42
......
Certification dumps Network Security Administrator NGFW-Engineer guides - 100% valid: https://www.test4cram.com/NGFW-Engineer_real-exam-dumps.html
100% Pass Your NGFW-Engineer Palo Alto Networks Next-Generation Firewall Engineer at First Attempt with Test4Cram: https://drive.google.com/open?id=16GOiGi55RsUXgAPvHAgHeLhQYprQZrmO