Free Palo Alto Networks Next-Generation Firewall Engineer Exam NGFW-Engineer Exam Practice Test

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo AltoNetworks NGFWs?

• It provides a web interface for managing NGFW hardware clusters.
• It enables centralized log collection and correlation for NGFWs.
• It facilitates dynamic updates to NGFW threat databases.
• It automates NGFW policy updates and configurations through playbooks.

By default, which type of traffic is configured by service route configuration to use the management interface?

• Security zone
• IPSec tunnel
• Virtual system (VSYS)
• Autonomous Digital Experience Manager (ADEM)

When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

• Service graph
• Ansible automation modules
• Panorama role-based access control
• CN-Series firewalls

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.Which additional configuration task is required to resolve this issue?

• Create a transit VSYS and route all inter-VSYS traffic through it.
• Add each VSYS to the list of visible virtual systems of the other VSYS.
• Enable the “allow inter-VSYS traffic” option in both external zone configurations.
• Create Security policies to allow the traffic between the two external zones.

What is the purpose of assigning an Admin Role Profile to a user in a Palo Alto Networks NGFW?

• Allow access to all resources without restrictions.
• Enable multi-factor authentication (MFA) for administrator access.
• Define granular permissions for management tasks.
• Restrict access to sensitive report data.

A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.Which approach best addresses these requirements while maintaining consistent policy enforcement?Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized C

• Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.
• Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to ofload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method – such as Group Policy or SCEP – to deploy certificates to endpoints.
• Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication.
• Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

• License
• Plugin
• Content update
• General setting

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

• Restarting the local firewall, running a packet capture, accessing the firewall CLI
• Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname
• Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile
• Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

• NAT tables
• User Authentication
• GlobalProtect Gateways
• GlobalProtect Portal

Which statement applies to Log Collector Groups?

• Log redundancy is available only if each Log Collector has the same amount of total disk storage.
• Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
• In any single Collector Group, all the Log Collectors must run on the same Panorama model.
• The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.