Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Dumps in PDF

Free Palo Alto Networks NGFW-Engineer Real Questions (page: 2)

An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service.

Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?

  1. Modify all active Log Forwarding profiles to select the "Cloud Logging" option in each profile match list in the appropriate device groups.
  2. Enable the "Panorama/Cloud Logging" option in the Logging and Reporting Settings section under Device -- > Setup --> Management in the appropriate templates.
  3. Select the "Enable Duplicate Logging" option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.
  4. Select the "Enable Cloud Logging" option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.

Answer(s): D

Explanation:

To begin sending logs to Strata Logging Service while continuing to forward them to Panorama log collectors, the necessary configuration is to enable Cloud Logging. This option is configured in the Cloud Logging section under Device Setup Management in the appropriate templates. Once enabled, this ensures that logs are directed both to the Strata Logging Service (cloud) and to the Panorama log collectors.



An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other.

Which action taken by the engineer will resolve this issue?

  1. Configure each interface to belong to the same Layer 2 zone and enable IP routing between them.
  2. Assign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN.
  3. Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone.
  4. Enable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN.

Answer(s): B

Explanation:

In a Layer 2 configuration, interfaces are typically grouped into the same Layer 2 zone.
When the interfaces are assigned to the same VLAN, the firewall will treat them as part of the same broadcast domain.
In a Layer 2 setup, interfaces must be in the same Layer 2 zone to allow the traffic within the same VLAN to pass. Additionally, a security policy must be configured to allow traffic within this VLAN or zone. This will resolve the issue by ensuring that traffic is permitted between clients behind different interfaces assigned to the same VLAN.



In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured.

What function do certificate profiles serve in this context?

  1. They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.
  2. They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.
  3. They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.
  4. They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.

Answer(s): B

Explanation:

In the context of GlobalProtect with certificate-based authentication, certificate profiles are used to ensure proper validation of the certificates. They perform the following functions:
Define trust anchors, which are the root and intermediate Certificate Authorities (CAs) that the firewall trusts to authenticate certificates.
Specify revocation checks, such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol), to ensure that the certificates being used have not been revoked.
Map certificate attributes, such as the Common Name (CN), which helps in authenticating users and devices based on their certificates.



How does a Palo Alto Networks NGFW respond when the preemptive hold time is set to 0 minutes during configuration of route monitoring?

  1. It does not accept the configuration.
  2. It accepts the configuration but throws a warning message.
  3. It removes the static route because 0 is a NULL value.
  4. It reinstalls the route into the routing information base (RIB) as soon as the path comes up.

Answer(s): D

Explanation:

When the preemptive hold time is set to 0 minutes in route monitoring, the firewall is configured to immediately reinstall the route into the Routing Information Base (RIB) as soon as the monitored path comes up. This essentially means that the firewall will not wait for any predefined hold time before reestablishing the route once the monitoring condition is met, ensuring a faster recovery of the route.



After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.

Which of the following actions will resolve this issue?

  1. Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.
  2. Configure the Proxy IDs to match the Cisco ASA configuration.
  3. Check that IPSec is enabled in the management profile on the external interface.
  4. Validate the tunnel interface VLAN against the peer's configuration.

Answer(s): B

Explanation:

The Proxy IDs (or Traffic Selectors) define the local and remote subnets that are allowed to communicate over the IPSec tunnel. If the Proxy IDs on the Palo Alto Networks firewall do not match the configuration on the Cisco ASA, the tunnel will fail to establish because the firewalls won't agree on which traffic to encrypt.
Ensuring that the Proxy IDs match between the Palo Alto Networks firewall and the Cisco ASA will resolve the issue.



Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?

  1. Set Transmission Rate to "fast."
  2. Set passive link state to "Auto."
  3. Set "Enable in HA Passive State."
  4. Set LACP mode to "Active."

Answer(s): C

Explanation:

In a High Availability (HA) active/passive pair configuration, when setting up an Aggregate Ethernet (AE) interface, enabling the "Enable in HA Passive State" option allows the interface to participate in LACP (Link Aggregation Control Protocol) even when the system is in the passive state. This ensures that the pre-negotiation of the LACP link occurs, allowing the link aggregation to be ready as soon as the firewall becomes active.



When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?

  1. Service graph
  2. Ansible automation modules
  3. Panorama role-based access control (RBAC)
  4. CN-Series firewalls

Answer(s): D

Explanation:

When integrating Kubernetes with Palo Alto Networks NGFWs, the CN-Series firewalls are specifically designed to secure traffic between microservices in containerized environments. These firewalls provide advanced security features like Application Identification (App-ID), URL filtering, and Threat Prevention to secure communication between containers and microservices within a Kubernetes environment.



When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

  1. Flood Protection
  2. Protocol Protection
  3. Packet-Based Attack Protection
  4. Reconnaissance Protection

Answer(s): B

Explanation:

In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts.
These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.



Share your comments for Palo Alto Networks NGFW-Engineer exam with other users:

R
Randall
9/28/2023 8:25:00 PM

on question 22, option b-once per session is also valid.

T
Tshegofatso
8/28/2023 11:51:00 AM

this website is very helpful

P
philly
9/18/2023 2:40:00 PM

its my first time exam

B
Beexam
9/4/2023 9:06:00 PM

correct answers are device configuration-enable the automatic installation of webview2 runtime. & policy management- prevent users from submitting feedback.

R
RAWI
7/9/2023 4:54:00 AM

is this dump still valid? today is 9-july-2023

A
Annie
6/7/2023 3:46:00 AM

i need this exam.. please upload these are really helpful

S
Shubhra Rathi
8/26/2023 1:08:00 PM

please upload the oracle 1z0-1059-22 dumps

S
Shiji
10/15/2023 1:34:00 PM

very good questions

R
Rita Rony
11/27/2023 1:36:00 PM

nice, first step to exams

A
Aloke Paul
9/11/2023 6:53:00 AM

is this valid for chfiv9 as well... as i am reker 3rd time...

C
Calbert Francis
1/15/2024 8:19:00 PM

great exam for people taking 220-1101

A
Ayushi Baria
11/7/2023 7:44:00 AM

this is very helpfull for me

A
alma
8/25/2023 1:20:00 PM

just started preparing for the exam

C
CW
7/10/2023 6:46:00 PM

these are the type of questions i need.

N
Nobody
8/30/2023 9:54:00 PM

does this actually work? are they the exam questions and answers word for word?

S
Salah
7/23/2023 9:46:00 AM

thanks for providing these questions

R
Ritu
9/15/2023 5:55:00 AM

interesting

R
Ron
5/30/2023 8:33:00 AM

these dumps are pretty good.

S
Sowl
8/10/2023 6:22:00 PM

good questions

B
Blessious Phiri
8/15/2023 2:02:00 PM

dbua is used for upgrading oracle database

R
Richard
10/24/2023 6:12:00 AM

i am thrilled to say that i passed my amazon web services mls-c01 exam, thanks to study materials. they were comprehensive and well-structured, making my preparation efficient.

J
Janjua
5/22/2023 3:31:00 PM

please upload latest ibm ace c1000-056 dumps

M
Matt
12/30/2023 11:18:00 AM

if only explanations were provided...

R
Rasha
6/29/2023 8:23:00 PM

yes .. i need the dump if you can help me

A
Anonymous
7/25/2023 8:05:00 AM

good morning, could you please upload this exam again?

A
AJ
9/24/2023 9:32:00 AM

hi please upload sre foundation and practitioner exam questions

P
peter parker
8/10/2023 10:59:00 AM

the exam is listed as 80 questions with a pass mark of 70%, how is your 50 questions related?

B
Berihun
7/13/2023 7:29:00 AM

all questions are so important and covers all ccna modules

N
nspk
1/19/2024 12:53:00 AM

q 44. ans:- b (goto setup > order settings > select enable optional price books for orders) reference link --> https://resources.docs.salesforce.com/latest/latest/en-us/sfdc/pdf/sfom_impl_b2b_b2b2c.pdf(decide whether you want to enable the optional price books feature. if so, select enable optional price books for orders. you can use orders in salesforce while managing price books in an external platform. if you’re using d2c commerce, you must select enable optional price books for orders.)

M
Muhammad Rawish Siddiqui
12/2/2023 5:28:00 AM

"cost of replacing data if it were lost" is also correct.

A
Anonymous
7/14/2023 3:17:00 AM

pls upload the questions

M
Mukesh
7/10/2023 4:14:00 PM

good questions

E
Elie Abou Chrouch
12/11/2023 3:38:00 AM

question 182 - correct answer is d. ethernet frame length is 64 - 1518b. length of user data containing is that frame: 46 - 1500b.

D
Damien
9/23/2023 8:37:00 AM

i need this exam pls

AI Tutor 👋 I’m here to help!