Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70track

Free Paloalto Networks NGFW-Engineer Practice Exam with Questions & Answers | Set: 2

Questions 11

Which statement applies to Log Collector Groups?

Options:
A.

Log redundancy is available only if each Log Collector has the same amount of total disk storage.

B.

Enabling redundancy increases the log processing traffic in a Collector Group by 50%.

C.

In any single Collector Group, all the Log Collectors must run on the same Panorama model.

D.

The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.

Paloalto Networks NGFW-Engineer Premium Access
Questions 12

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:
A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic, however they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Questions 13

An organization needs a GlobalProtect solution that meets two key requirements:

• IT administrators must be able to run scripts and push updates to endpoints before a user logs in.

• Users must authenticate with their cloud identity provider, which is protected by multi-factor authentication (MFA).

Which GlobalProtect authentication configuration should be used to meet both requirements?

Options:
A.

Cookie-based authentication for both pre-logon and user logon.

B.

SAML authentication for pre-logon and certificate-based authentication for user logon.

C.

Single authentication profile using Kerberos to handle both pre-logon and user logon.

D.

Certificate-based authentication for pre-logon and SAML authentication for user logon.

Questions 14

What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?

Options:
A.

Scanning, Isolation, Whitelisting, Logging

B.

Discovery, Deployment, Detection, Prevention

C.

Policy Generation, Discovery, Enforcement, Logging

D.

Profiling, Policy Generation, Enforcement, Reporting

Questions 15

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

Options:
A.

For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

B.

The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

C.

For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

D.

The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Questions 16

A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the firewalls themselves, must be defined in code to ensure consistency and enable version control.

Which tool is primarily used for this type of declarative Infrastructure as Code (IaC) provisioning?

Options:
A.

Terraform

B.

Azure DevOps

C.

Ansible

D.

Panorama

Questions 17

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.

What is the recommended method to achieve this goal?

Options:
A.

Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.

B.

Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.

C.

Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.

D.

Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

Questions 18

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.

Which two configurations are required to implement this authentication fallback strategy? (Choose two.)

Options:
A.

Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.

B.

Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.

C.

Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.

D.

Configure a new authentication profile that references the Kerberos server profile.

Questions 19

An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.

Which two abilities are enabled by this specific configuration step? (Choose two.)

Options:
A.

Configuring tunnel monitoring to verify the liveliness of the connection.

B.

Firewall performing NAT traversal.

C.

Running a dynamic routing protocol like OSPF over the tunnel.

D.

Firewall encrypting and decrypting packet payloads.

Questions 20

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

Options:
A.

It provides a web interface for managing NGFW hardware clusters.

B.

It enables centralized log collection and correlation for NGFWs.

C.

It facilitates dynamic updates to NGFW threat databases.

D.

It automates NGFW policy updates and configurations through playbooks.

Exam Code: NGFW-Engineer
Certification Provider: Paloalto Networks
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jul 12, 2026
Questions: 125