Paloalto Networks NGFW Engineer 시험

Question No : 1

Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?

• A.HA, Virtual Wire, and Layer 2
• B.Tap, Virtual Wire, and Layer 3
• C.Virtual Wire, Layer 2, and Layer 3
• D.HA, Layer 2, and Layer 3

답을 확인하기

정답:

Question No : 2

Which statement applies to Log Collector Groups?

• A.Log redundancy is available only if each Log Collector has the same amount of total disk storage.
• B.Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
• C.In any single Collector Group, all the Log Collectors must run on the same Panorama model.
• D.The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.

답을 확인하기

정답:

Question No : 3

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?

• A.Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
• B.Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
• C.Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
• D.Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

답을 확인하기

정답:

Question No : 4

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML .
Which two actions meet the criteria? (Choose two.)

• A.Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
• B.Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.
• C.Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.
• D.Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

답을 확인하기

정답:

Question No : 5

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements .
Which approach achieves this segmentation of identity data?

• A.Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
• B.Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
• C.Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
• D.Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

답을 확인하기

정답:

Question No : 6

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

• A.Isolated
• B.Transient
• C.External
• D.Internal

답을 확인하기

정답:

Question No : 7

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

• A.It is associated with an interface within a VSYS of a firewall.
• B.It is a security object associated with a specific virtual router of a VSY
• C.It is not associated with an interface; it is associated with a VSYS itself.
• D.It is a security object associated with a specific VSY

답을 확인하기

정답:

Question No : 8

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

• A.Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
• B.Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
• C.Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
• D.Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

답을 확인하기

정답:

Question No : 9

Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

• A.Traffic, User-ID, URL
• B.Traffic, threat, data filtering, User-ID
• C.GlobalProtect, traffic, application statistics
• D.Threat, GlobalProtect, application statistics, WildFire submissions

답을 확인하기

정답:

Question No : 10

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

• A.Restarting the local firewall, running a packet capture, accessing the firewall CLI
• B.Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname
• C.Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile
• D.Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports

답을 확인하기

정답:

Question No : 11

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?

• A.Create a transit VSYS and route all inter-VSYS traffic through it.
• B.Add each VSYS to the list of visible virtual systems of the other VSY
• C.Enable the “allow inter-VSYS traffic” option in both external zone configurations.
• D.Create Security policies to allow the traffic between the two external zones.

답을 확인하기

정답:

Question No : 12

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

• A.Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre shared key.
• B.Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.
• C.Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”
• D.Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”

답을 확인하기

정답:

Question No : 13

An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API .
What is a requirement for the application to create SD-WAN interfaces?

• A.REST API’s “sdwanInterfaceprofiles” parameter on a Panorama device
• B.REST API’s “sdwanInterfaces” parameter on a firewall device
• C.XML API’s “sdwanprofiles/interfaces” parameter on a Panorama device
• D.XML API’s “InterfaceProfiles/sdwan” parameter on a firewall device

답을 확인하기

정답:

Question No : 14

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

• A.Deploying Ansible scripts for zone-specific scaling
• B.Implementing Terraform templates for redundancy within one availability zone
• C.Using load balancer and health probes
• D.Configuring active/active HA

답을 확인하기

정답:

Question No : 15

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.
Which approach meets these requirements?

• A.Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.
• B.Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.
• C.Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CN
• D.Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.
• E.Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

답을 확인하기

정답: