Palo Alto Networks Next-Generation Firewall Engineer NGFW-Engineer Dumps in PDF

Free Palo Alto Networks NGFW-Engineer Real Questions (page: 5)

For which two purposes is an IP address configured on a tunnel interface? (Choose two.)

  1. Use of dynamic routing protocols
  2. Tunnel monitoring
  3. Use of peer IP
  4. Redistribution of User-ID

Answer(s): A,B

Explanation:

Use of dynamic routing protocols: An IP address is needed on the tunnel interface to participate in dynamic routing protocols (like OSPF, BGP, etc.) over the tunnel. This allows the firewall to advertise routes and receive updates over the tunnel.

Tunnel monitoring: The IP address on the tunnel interface can also be used for monitoring the tunnel's status. Tunnel monitoring (such as IPSec tunnel monitoring) requires an IP address on the tunnel interface to check the health and availability of the tunnel.



Which PAN-OS method of mapping users to IP addresses is the most reliable?

  1. Port mapping
  2. GlobalProtect
  3. Syslog
  4. Server monitoring

Answer(s): D

Explanation:

Server monitoring is the most reliable method for mapping users to IP addresses in PAN-OS. This method allows the firewall to monitor specific servers, such as Microsoft Active Directory (AD) or LDAP servers, to dynamically retrieve and update user-to-IP mappings. It provides a more accurate and up-to-date mapping of users to their associated IP addresses, as it directly queries user databases in real time.



In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

  1. To forward packets to the HA peer during session setup and asymmetric traffic flow
  2. To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information
  3. To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair
  4. To perform session cache synchronization among all HA peers having the same cluster ID

Answer(s): B

Explanation:

In an active/active HA configuration with two PA-Series firewalls, the HA3 interface is used primarily for the exchange of HA state information between the firewalls. This includes:
Hellos and heartbeats to monitor the status of the HA peer.

Synchronization of management plane data, which includes critical routing and User-ID information.



A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

  1. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
  2. Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
  3. Deploy the Advanced URL Filtering license and captive portal.
  4. Deploy the explicit proxy with Kerberos authentication scheme.

Answer(s): D

Explanation:

In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:
The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.
Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.



What must be configured before a firewall administrator can define policy rules based on users and groups?

  1. User Mapping profile
  2. Authentication profile
  3. Group mapping settings
  4. LDAP Server profile

Answer(s): C

Explanation:

Before a firewall administrator can define policy rules based on users and groups, the Group Mapping settings must be configured. These settings enable the firewall to map users to their respective Active Directory (AD) groups. This mapping allows the firewall to use user and group information to create policy rules based on group membership.



Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?

  1. When a policy match is found in a local firewall policy, if any Panorama shared post-rule is configured, it will still be evaluated.
  2. Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules.
  3. Panorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting.
  4. The order of policy evaluation can be configured differently in different device groups.

Answer(s): B

Explanation:

Local firewall rules are evaluated after Panorama pre-rules (those applied before the firewall's local policies) and before Panorama post-rules (those applied after the firewall's local policies). This ensures that the local firewall rules do not override the central Panorama policy and are only applied in the appropriate order within the policy evaluation sequence.



Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

  1. DDNS
  2. Link Duplex
  3. NetFlow
  4. LLDP

Answer(s): C

Explanation:

NetFlow is a Layer 3 (network layer) protocol that collects and monitors IP traffic flows. It is typically configured on Layer 3 interfaces because it relies on IP information for traffic flow analysis, which is not available on Layer 2 interfaces. Layer 2 interfaces handle frames within the local network, and they don't have IP-related details that NetFlow uses to generate traffic statistics.



What is a result of enabling split tunneling in the GlobalProtect portal configuration with the "Both Network Traffic and DNS" option?

  1. It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.
  2. It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.
  3. It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.
  4. It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Answer(s): D

Explanation:

When split tunneling is enabled with the "Both Network Traffic and DNS" option in the GlobalProtect portal configuration, it allows the firewall to control which traffic is sent over the VPN tunnel and which is not.
Specifically, it determines which domains are resolved by the VPN-assigned DNS servers (for domains requiring VPN access) and which are resolved by local DNS servers (for domains that can be accessed without the VPN tunnel).



Share your comments for Palo Alto Networks NGFW-Engineer exam with other users:

W
whoAreWeReally
12/19/2023 8:29:00 PM

took the test last week, i did have about 15 - 20 word for word from this site on the test. (only was able to cram 600 of the questions from this site so maybe more were there i didnt review) had 4 labs, bgp, lacp, vrf with tunnels and actually had to skip a lab due to time. lots of automation syntax questions.

V
vs
9/2/2023 12:19:00 PM

no comments

J
john adenu
11/14/2023 11:02:00 AM

nice questions bring out the best in you.

O
Osman
11/21/2023 2:27:00 PM

really helpful

E
Edward
9/13/2023 5:27:00 PM

question #50 and question #81 are exactly the same questions, azure site recovery provides________for virtual machines. the first says that it is fault tolerance is the answer and second says disater recovery. from my research, it says it should be disaster recovery. can anybody explain to me why? thank you

M
Monti
5/24/2023 11:14:00 PM

iam thankful for these exam dumps questions, i would not have passed without this exam dumps.

A
Anon
10/25/2023 10:48:00 PM

some of the answers seem to be inaccurate. q10 for example shouldnt it be an m custom column?

P
PeterPan
10/18/2023 10:22:00 AM

are the question real or fake?

C
CW
7/11/2023 3:19:00 PM

thank you for providing such assistance.

M
Mn8300
11/9/2023 8:53:00 AM

nice questions

N
Nico
4/23/2023 11:41:00 PM

my 3rd purcahse from this site. these exam dumps are helpful. very helpful.

C
Chere
9/15/2023 4:21:00 AM

found it good

T
Thembelani
5/30/2023 2:47:00 AM

excellent material

V
vinesh phale
9/11/2023 2:51:00 AM

very helpfull

B
Bhagiii
11/4/2023 7:04:00 AM

well explained.

R
Rahul
8/8/2023 9:40:00 PM

i need the pdf, please.

C
CW
7/11/2023 2:51:00 PM

a good source for exam preparation

A
Anchal
10/23/2023 4:01:00 PM

nice questions

J
J Nunes
9/29/2023 8:19:00 AM

i need ielts general training audio guide questions

A
Ananya
9/14/2023 5:16:00 AM

please make this content available

S
Swathi
6/4/2023 2:18:00 PM

content is good

L
Leo
7/29/2023 8:45:00 AM

latest dumps please

L
Laolu
2/15/2023 11:04:00 PM

aside from pdf the test engine software is helpful. the interface is user-friendly and intuitive, making it easy to navigate and find the questions.

Z
Zaynik
9/17/2023 5:36:00 AM

questions and options are correct, but the answers are wrong sometimes. so please check twice or refer some other platform for the right answer

M
Massam
6/11/2022 5:55:00 PM

90% of questions was there but i failed the exam, i marked the answers as per the guide but looks like they are not accurate , if not i would have passed the exam given that i saw about 45 of 50 questions from dump

A
Anonymous
12/27/2023 12:47:00 AM

answer to this question "what administrative safeguards should be implemented to protect the collected data while in use by manasa and her product management team? " it should be (c) for the following reasons: this administrative safeguard involves controlling access to collected data by ensuring that only individuals who need the data for their job responsibilities have access to it. this helps minimize the risk of unauthorized access and potential misuse of sensitive information. while other options such as (a) documenting data flows and (b) conducting a privacy impact assessment (pia) are important steps in data protection, implementing a "need to know" access policy directly addresses the issue of protecting data while in use by limiting access to those who require it for legitimate purposes. (d) is not directly related to safeguarding data during use; it focuses on data transfers and location.

J
Japles
5/23/2023 9:46:00 PM

password lockout being the correct answer for question 37 does not make sense. it should be geofencing.

F
Faritha
8/10/2023 6:00:00 PM

for question 4, the righr answer is :recover automatically from failures

A
Anonymous
9/14/2023 4:27:00 AM

question number 4s answer is 3, option c. i

P
p das
12/7/2023 11:41:00 PM

very good questions

A
Anna
1/5/2024 1:12:00 AM

i am confused about the answers to the questions. are the answers correct?

B
Bhavya
9/13/2023 10:15:00 AM

very usefull

R
Rahul Kumar
8/31/2023 12:30:00 PM

need certification.

D
Diran Ole
9/17/2023 5:15:00 PM

great exam prep

AI Tutor 👋 I’m here to help!