Paloalto Networks NGFW Engineer 시험

Question No : 1

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.
What is the recommended method to achieve this goal?

• A.Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.
• B.Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.
• C.Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.
• D.Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

답을 확인하기

정답:

Question No : 2

What is the purpose of assigning an Admin Role Profile to a user in a Palo Alto Networks NGFW?

• A.Allow access to all resources without restrictions.
• B.Enable multi-factor authentication (MFA) for administrator access.
• C.Define granular permissions for management tasks.
• D.Restrict access to sensitive report data.

답을 확인하기

정답:

Question No : 3

What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?

• A.Scanning, Isolation, Whitelisting, Logging
• B.Discovery, Deployment, Detection, Prevention
• C.Policy Generation, Discovery, Enforcement, Logging
• D.Profiling, Policy Generation, Enforcement, Reporting

답을 확인하기

정답:

Question No : 4

Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?

• A.Import the new subordinate CA certificate into the trust stores of all client devices.
• B.Set the subordinate CA certificate as the default routing certificate for all network traffic.
• C.Configure the subordinate CA to issue certificates with indefinite validity periods.
• D.Disable all existing SSL decryption rules until the new certificate is fully propagated.

답을 확인하기

정답:

Question No : 5

Which CLI command is used to configure the management interface as a DHCP client?

• A.set network dhcp interface management
• B.set network dhcp type management-interface
• C.set deviceconfig system type dhcp-client
• D.set deviceconfig management type dhcp-client

답을 확인하기

정답:

Question No : 6

Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?

• A.HA, Virtual Wire, and Layer 2
• B.Tap, Virtual Wire, and Layer 3
• C.Virtual Wire, Layer 2, and Layer 3
• D.HA, Layer 2, and Layer 3

답을 확인하기

정답:

Question No : 7

Which statement applies to Log Collector Groups?

• A.Log redundancy is available only if each Log Collector has the same amount of total disk storage.
• B.Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
• C.In any single Collector Group, all the Log Collectors must run on the same Panorama model.
• D.The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.

답을 확인하기

정답:

Question No : 8

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?

• A.Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
• B.Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
• C.Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
• D.Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

답을 확인하기

정답:

Question No : 9

An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)

• A.Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
• B.Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.
• C.Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.
• D.Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

답을 확인하기

정답:

Question No : 10

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.
Which approach achieves this segmentation of identity data?

• A.Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
• B.Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
• C.Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
• D.Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

답을 확인하기

정답:

Question No : 11

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

• A.Isolated
• B.Transient
• C.External
• D.Internal

답을 확인하기

정답:

Question No : 12

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

• A.It is associated with an interface within a VSYS of a firewall.
• B.It is a security object associated with a specific virtual router of a VSY
• C.It is not associated with an interface; it is associated with a VSYS itself.
• D.It is a security object associated with a specific VSY

답을 확인하기

정답:

Question No : 13

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

• A.Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
• B.Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
• C.Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
• D.Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

답을 확인하기

정답:

Question No : 14

Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

• A.Traffic, User-ID, URL
• B.Traffic, threat, data filtering, User-ID
• C.GlobalProtect, traffic, application statistics
• D.Threat, GlobalProtect, application statistics, WildFire submissions

답을 확인하기

정답:

Question No : 15

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

• A.Restarting the local firewall, running a packet capture, accessing the firewall CLI
• B.Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname
• C.Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile
• D.Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports

답을 확인하기

정답: