Palo Alto Networks Certified Next-Generation Firewall Engineer v1.0

Page:    1 / 4   
Exam contains 50 questions

A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.
Which approach best addresses these requirements while maintaining consistent policy enforcement?

  • A. Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CA. Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.
  • B. Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method – such as Group Policy or SCEP – to deploy certificates to endpoints.
  • C. Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication.
  • D. Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.


Answer : B

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?

  • A. Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.
  • B. Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.
  • C. Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.
  • D. Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.


Answer : C

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

  • A. Deploying Ansible scripts for zone-specific scaling
  • B. Implementing Terraform templates for redundancy within one availability zone
  • C. Using load balancer and health probes
  • D. Configuring active/active HA


Answer : C

An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API.
What is a requirement for the application to create SD-WAN interfaces?

  • A. REST API’s “sdwanInterfaceprofiles” parameter on a Panorama device
  • B. REST API’s “sdwanInterfaces” parameter on a firewall device
  • C. XML API’s “sdwanprofiles/interfaces” parameter on a Panorama device
  • D. XML API’s “InterfaceProfiles/sdwan” parameter on a firewall device


Answer : B

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

  • A. Select IKE v2, enable the Advanced Options > PQ PPK, then set a 64+ character string for the post-quantum pre-shared key.
  • B. Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.
  • C. Select IKE v2 Preferred, enable the Advanced Options > PQ KEM, then add one or more “Rounds.”
  • D. Select IKE v2, enable the Advanced Options > PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”


Answer : CD

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?

  • A. Create a transit VSYS and route all inter-VSYS traffic through it.
  • B. Add each VSYS to the list of visible virtual systems of the other VSYS.
  • C. Enable the “allow inter-VSYS traffic” option in both external zone configurations.
  • D. Create Security policies to allow the traffic between the two external zones.


Answer : B

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

  • A. Restarting the local firewall, running a packet capture, accessing the firewall CLI
  • B. Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname
  • C. Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile
  • D. Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports


Answer : B

Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

  • A. Traffic, User-ID, URL
  • B. Traffic, threat, data filtering, User-ID
  • C. GlobalProtect, traffic, application statistics
  • D. Threat, GlobalProtect, application statistics, WildFire submissions


Answer : B

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

  • A. Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
  • B. Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
  • C. Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
  • D. Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.


Answer : A

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

  • A. It is associated with an interface within a VSYS of a firewall.
  • B. It is a security object associated with a specific virtual router of a VSYS.
  • C. It is not associated with an interface; it is associated with a VSYS itself.
  • D. It is a security object associated with a specific VSYS.


Answer : AD

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

  • A. Isolated
  • B. Transient
  • C. External
  • D. Internal


Answer : B

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.
Which approach achieves this segmentation of identity data?

  • A. Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
  • B. Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
  • C. Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
  • D. Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.


Answer : B

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)

  • A. Create a testing and rollback plan for the transition from RADIUS to SAML, as the two authentication profiles cannot be run in tandem.
  • B. Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.
  • C. Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.
  • D. Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.


Answer : BD

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?

  • A. Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
  • B. Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
  • C. Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
  • D. Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.


Answer : B

Which statement applies to Log Collector Groups?

  • A. Log redundancy is available only if each Log Collector has the same amount of total disk storage.
  • B. Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
  • C. In any single Collector Group, all the Log Collectors must run on the same Panorama model.
  • D. The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.


Answer : D
