Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Dumps in PDF

Free Palo Alto Networks NGFW-Engineer Real Questions (page: 17)

For which two purposes is an IP address configured on a tunnel interface? (Choose two.)

  1. Use of dynamic routing protocols
  2. Tunnel monitoring
  3. Use of peer IP
  4. Redistribution of User-ID

Answer(s): A,B

Explanation:

Use of dynamic routing protocols: An IP address is needed on the tunnel interface to participate in dynamic routing protocols (like OSPF, BGP, etc.) over the tunnel. This allows the firewall to advertise routes and receive updates over the tunnel.

Tunnel monitoring: The IP address on the tunnel interface can also be used for monitoring the tunnel's status. Tunnel monitoring (such as IPSec tunnel monitoring) requires an IP address on the tunnel interface to check the health and availability of the tunnel.



Which PAN-OS method of mapping users to IP addresses is the most reliable?

  1. Port mapping
  2. GlobalProtect
  3. Syslog
  4. Server monitoring

Answer(s): D

Explanation:

Server monitoring is the most reliable method for mapping users to IP addresses in PAN-OS. This method allows the firewall to monitor specific servers, such as Microsoft Active Directory (AD) or LDAP servers, to dynamically retrieve and update user-to-IP mappings. It provides a more accurate and up-to-date mapping of users to their associated IP addresses, as it directly queries user databases in real time.



In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

  1. To forward packets to the HA peer during session setup and asymmetric traffic flow
  2. To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information
  3. To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair
  4. To perform session cache synchronization among all HA peers having the same cluster ID

Answer(s): B

Explanation:

In an active/active HA configuration with two PA-Series firewalls, the HA3 interface is used primarily for the exchange of HA state information between the firewalls. This includes:
Hellos and heartbeats to monitor the status of the HA peer.

Synchronization of management plane data, which includes critical routing and User-ID information.



A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

  1. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
  2. Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
  3. Deploy the Advanced URL Filtering license and captive portal.
  4. Deploy the explicit proxy with Kerberos authentication scheme.

Answer(s): D

Explanation:

In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:
The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.
Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.



What must be configured before a firewall administrator can define policy rules based on users and groups?

  1. User Mapping profile
  2. Authentication profile
  3. Group mapping settings
  4. LDAP Server profile

Answer(s): C

Explanation:

Before a firewall administrator can define policy rules based on users and groups, the Group Mapping settings must be configured. These settings enable the firewall to map users to their respective Active Directory (AD) groups. This mapping allows the firewall to use user and group information to create policy rules based on group membership.



Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?

  1. When a policy match is found in a local firewall policy, if any Panorama shared post-rule is configured, it will still be evaluated.
  2. Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules.
  3. Panorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting.
  4. The order of policy evaluation can be configured differently in different device groups.

Answer(s): B

Explanation:

Local firewall rules are evaluated after Panorama pre-rules (those applied before the firewall's local policies) and before Panorama post-rules (those applied after the firewall's local policies). This ensures that the local firewall rules do not override the central Panorama policy and are only applied in the appropriate order within the policy evaluation sequence.



Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

  1. DDNS
  2. Link Duplex
  3. NetFlow
  4. LLDP

Answer(s): C

Explanation:

NetFlow is a Layer 3 (network layer) protocol that collects and monitors IP traffic flows. It is typically configured on Layer 3 interfaces because it relies on IP information for traffic flow analysis, which is not available on Layer 2 interfaces. Layer 2 interfaces handle frames within the local network, and they don't have IP-related details that NetFlow uses to generate traffic statistics.



What is a result of enabling split tunneling in the GlobalProtect portal configuration with the "Both Network Traffic and DNS" option?

  1. It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.
  2. It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.
  3. It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.
  4. It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Answer(s): D

Explanation:

When split tunneling is enabled with the "Both Network Traffic and DNS" option in the GlobalProtect portal configuration, it allows the firewall to control which traffic is sent over the VPN tunnel and which is not.
Specifically, it determines which domains are resolved by the VPN-assigned DNS servers (for domains requiring VPN access) and which are resolved by local DNS servers (for domains that can be accessed without the VPN tunnel).



Share your comments for Palo Alto Networks NGFW-Engineer exam with other users:

M
Marc blue
9/15/2023 4:11:00 AM

great job. hope this helps out.

A
Anne
9/13/2023 2:33:00 AM

upload please. many thanks!

P
pepe el toro
9/12/2023 7:55:00 PM

this is so interesting

A
Antony
11/28/2023 12:13:00 AM

great material thanks

T
Thembelani
5/30/2023 2:22:00 AM

anyone who wrote this exam recently

P
P
9/16/2023 1:27:00 AM

ok they re good

J
Jorn
7/13/2023 5:05:00 AM

relevant questions

A
AM
6/20/2023 7:54:00 PM

please post

N
Nagendra Pedipina
7/13/2023 2:22:00 AM

q:42 there has to be a image in the question to choose what does it mean from the options

B
BrainDumpee
11/18/2023 1:36:00 PM

looking for cphq dumps, where can i find these for free? please and thank you.

S
sheik
10/14/2023 11:37:00 AM

@aarun , thanks for the information. it would be great help if you share your email

R
Random user
12/11/2023 1:34:00 AM

1z0-1078-23 need this dumps

L
labuschanka
11/16/2023 6:06:00 PM

i gave the microsoft azure az-500 tests and prepared from this site as it has latest mock tests available which helped me evaluate my performance and score 919/1000

M
Marianne
10/22/2023 11:57:00 PM

i cannot see the button to go to the questions

S
sushant
6/28/2023 4:52:00 AM

good questions

A
A\MAM
6/27/2023 5:17:00 PM

q-6 ans-b correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/commit-configuration-changes

U
unanimous
12/15/2023 6:38:00 AM

very nice very nice

A
akminocha
9/28/2023 10:36:00 AM

please help us with 1z0-1107-2 dumps

J
Jefi
9/4/2023 8:15:00 AM

please upload the practice questions

T
Thembelani
5/30/2023 2:45:00 AM

need this dumps

A
Abduraimov
4/19/2023 12:43:00 AM

preparing for this exam is overwhelming. you cannot pass without the help of these exam dumps.

P
Puneeth
10/5/2023 2:06:00 AM

new to this site but i feel it is good

A
Ashok Kumar
1/2/2024 6:53:00 AM

the correct answer to q8 is b. explanation since the mule app has a dependency, it is necessary to include project modules and dependencies to make sure the app will run successfully on the runtime on any other machine. source code of the component that the mule app is dependent of does not need to be included in the exported jar file, because the source code is not being used while executing an app. compiled code is being used instead.

M
Merry
7/30/2023 6:57:00 AM

good questions

V
VoiceofMidnight
12/17/2023 4:07:00 PM

Delayed the exam until December 29th.

U
Umar Ali
8/29/2023 2:59:00 PM

A and D are True

V
vel
8/28/2023 9:17:09 AM

good one with explanation

G
Gurdeep
1/18/2024 4:00:15 PM

This is one of the most useful study guides I have ever used.

AI Tutor 👋 I’m here to help!