Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Paloalto Networks NGFW-Engineer Practice Exam with Questions & Answers

Questions 1

An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.

Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?

Options:
A.

Certificate revocation checking

B.

SSL/TLS service profile

C.

Decryption profile

D.

Forward trust certificate

Paloalto Networks NGFW-Engineer Premium Access
Questions 2

A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.

Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?

Options:
A.

Define the local and remote subnets provided by the partner in the Proxy ID settings.

B.

Create individual Security policies for each pair of local and remote subnets.

C.

Assign a specific IP address to the tunnel interface to match the Check Point gateway.

D.

Enable Dead Peer Detection (DPD) in the IKE Gateway configuration.

Questions 3

When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?

Options:
A.

Dedicated data plane memory

B.

Maximum number of admin accounts

C.

Maximum number of log entries

D.

Maximum number of NAT rules

Questions 4

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console, without using the Context Switch feature.

Which set of tasks can the administrator fully execute from the Panorama UI? (Choose one answer)

Options:
A.

Download and install a new content update. View current firewall session details. Initiate a device reboot.

B.

Create a new zone. Configure a new virtual router. View the local ACC on the firewall.

C.

Edit a post-rule. Create a new certificate profile. Configure the firewall's hostname.

D.

Modify the IP address of a Layer 3 interface. Configure a new local administrator account. Edit a pre-rule.

Questions 5

An engineer is creating an automation workflow. The first step is to deploy a new VM-Series firewall into a VMware vSphere environment, including its virtual machine (VM) configuration and network interfaces. The second step is to connect to the firewall and configure a complex set of Security policies and objects. The team uses both Terraform and Ansible.

For which part of this workflow would Terraform typically be used?

Options:
A.

Pushing threat intelligence updates to the new firewall

B.

Deploying the VM and associated network interfaces

C.

Storing the credentials needed to access the vSphere environment

D.

Applying the detailed Security policies and objects

Questions 6

An engineer configures a PA-440 firewall to act as a switch by creating several Layer 2 interfaces and assigning them all to VLAN 20. A file server is connected to interface ethernet1/1, and client workstations are connected to interfaces ethernet1/2 and ethemet1/3. All devices are in VLAN 20. The clients are unable to access the file server.

Which configuration step to allow this communication by default is missing?

Options:
A.

Create an Aggregate Ethernet (AE) group that includes all three interfaces.

B.

Place ethernet1/1, ethernet1/2, and ethernet1/3 into the same Layer 2 zone.

C.

Create an "allow" Security policy with the source and destination VLAN set to "VLAN 20".

D.

Create a Layer 3 subinterface for VLAN 20 to enable routing.

Questions 7

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

Options:
A.

Flood Protection

B.

Protocol Protection

C.

Packet-Based Attack Protection

D.

Reconnaissance Protection

Questions 8

An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners. Due to compliance regulations, the firewalls protecting the internal network must not have any identity information about external partners. Conversely, firewalls in the partner-facing DMZ should only be aware of partner identities.

Which CIE feature is designed to solve this data partitioning requirement?

Options:
A.

Panorama templates, which can be used to push different User-ID agent configurations to each firewall group

B.

Segments, which can be configured to create distinct, filter-based views of users and groups that are then redistributed only to the appropriate firewalls

C.

Multiple tenants, where a separate CIE tenant is required for each user directory to maintain isolation

D.

Directory sync filtering, which is used at the source to prevent specific OUs from being imported into CIE

Questions 9

An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.

Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?

Options:
A.

Modify all active Log Forwarding profiles to select the “Cloud Logging” option in each profile match list in the appropriate device groups.

B.

Enable the “Panorama/Cloud Logging” option in the Logging and Reporting Settings section under Device -- > Setup -- > Management in the appropriate templates.

C.

Select the “Enable Duplicate Logging” option in the Cloud Logging section under Device -- > Setup -- > Management in the appropriate templates.

D.

Select the “Enable Cloud Logging” option in the Cloud Logging section under Device -- > Setup -- > Management in the appropriate templates.

Questions 10

What must be configured before a firewall administrator can define policy rules based on users and groups?

Options:
A.

User Mapping profile

B.

Authentication profile

C.

Group mapping settings

D.

LDAP Server profile

Exam Code: NGFW-Engineer
Certification Provider: Paloalto Networks
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jul 13, 2026
Questions: 125