Free NGFW-Engineer sample questions for the Palo Alto Networks Certified Next-Generation Firewall Engineer exam. No account required: study at your own pace.
Question 1
Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?
A. Set Transmission Rate to “fast.”
B. Set passive link state to “Auto.”
C. Set “Enable in HA Passive State.”
D. Set LACP mode to “Active.”
Correct Answer:
C. Set “Enable in HA Passive State.”
Question 2
Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?
A. When a policy match is found in a local firewall policy, if any Panorama shared post-rule is configured, it will still be evaluated
B. Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules
C. Panorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting
D. The order of policy evaluation can be configured differently in different device groups
Correct Answer:
B. Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules
Question 3
Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
A. For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional
B. The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy
C. For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction
D. The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy
Correct Answer:
A. For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional
B. The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy
Question 4
In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured. What function do certificate profiles serve in this context?
A. They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication
B. They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication
C. They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication
D. They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods
Correct Answer:
B. They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication
Question 5
By default, which type of traffic is configured by service route configuration to use the management interface?
A. Security zone
B. IPSec tunnel
C. Virtual system (VSYS)
D. Autonomous Digital Experience Manager (ADEM)
Correct Answer:
D. Autonomous Digital Experience Manager (ADEM)
Question 6
Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?
A. Traffic, User-ID, URL
B. Traffic, threat, data filtering, User-ID
C. GlobalProtect, traffic, application statistics
D. Threat, GlobalProtect, application statistics, WildFire submissions
Correct Answer:
B. Traffic, threat, data filtering, User-ID
Question 7
A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required. What are two fundamental properties of the external zones needed for this configuration? (Choose two.)
A. They must be linked to the same virtual router as the ingress interface
B. They represent their parent VSYS without being tied to a physical or logical interface
C. They are a security construct belonging to a single VSYS
D. They are automatically created when inter-VSYS routing is enabled
Correct Answer:
B. They represent their parent VSYS without being tied to a physical or logical interface
C. They are a security construct belonging to a single VSYS
Question 8
After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish. Which of the following actions will resolve this issue?
A. Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface
B. Configure the Proxy IDs to match the Cisco ASA configuration
C. Check that IPSec is enabled in the management profile on the external interface
D. Validate the tunnel interface VLAN against the peer’s configuration
Correct Answer:
B. Configure the Proxy IDs to match the Cisco ASA configuration
Question 9
An organization has configured GlobalProtect in a hybrid authentication model using both certificate-based authentication for the pre-logon stage and SAML-based multi-factor authentication (MFA) for user logon. How does the GlobalProtect agent process the authentication flow on Windows endpoints?
A. The GlobalProtect agent uses the machine certificate to establish a pre-logon tunnel; upon user sign-in, it prompts for SAML-based MFA credentials, ensuring both device and user identities are validated before granting full access
B. The GlobalProtect agent uses the machine certificate during pre-logon for initial tunnel establishment, and then seamlessly reuses the same machine certificate for user-based authentication without requiring MFA
C. Once the machine certificate is validated at pre-logon, the Windows endpoint completes MFA on behalf of the user by passing existing Windows Credential Provider details to the GlobalProtect gateway without prompting the user
D. GlobalProtect requires the user to log in first for SAML-based MFA before establishing the pre-logon tunnel, rendering the pre-logon certificate authentication (CA) flow redundant
Correct Answer:
A. The GlobalProtect agent uses the machine certificate to establish a pre-logon tunnel; upon user sign-in, it prompts for SAML-based MFA credentials, ensuring both device and user identities are validated before granting full access
Question 10
A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions. Which action meets the requirements in this scenario?
A. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP)
B. Deploy the Next-Generation Firewalls as normal and install the User-ID agent
C. Deploy the Advanced URL Filtering license and captive portal
D. Deploy the explicit proxy with Kerberos authentication scheme
Correct Answer:
D. Deploy the explicit proxy with Kerberos authentication scheme
Question 11
In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?
A. To forward packets to the HA peer during session setup and asymmetric traffic flow
B. To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information
C. To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair
D. To perform session cache synchronization among all HA peers having the same cluster ID
Correct Answer:
A. To forward packets to the HA peer during session setup and asymmetric traffic flow
Question 12
An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other. Which action taken by the engineer will resolve this issue?
A. Configure each interface to belong to the same Layer 2 zone and enable IP routing between them
B. Assign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN
C. Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone
D. Enable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN
Correct Answer:
C. Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone
Question 13
How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
A. The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected
B. It will attempt to load balance the traffic across all routes
C. It compares the administrative distance and chooses the one with the highest value
D. It compares the administrative distance and chooses the one with the lowest value
Correct Answer:
D. It compares the administrative distance and chooses the one with the lowest value
Question 14
During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall. Which firewall models support this configuration?
A. PA-5280, PA-7080, PA-3250, VM-Series
B. PA-455, VM-Series, PA-1410, PA-5450
C. PA-3260, PA-5410, PA-850, PA-460
D. PA-7050, PA-1420, VM-Series, CN-Series
Correct Answer:
A. PA-5280, PA-7080, PA-3250, VM-Series
Question 15
When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
A. Flood Protection
B. Protocol Protection
C. Packet-Based Attack Protection
D. Reconnaissance Protection
Correct Answer:
C. Packet-Based Attack Protection