Palo Alto Networks NGFW Engineer Exam Questions

Questions for the NGFW Engineer exam were updated on Dec 01, 2025

Page 1 out of 4. Viewing questions 1-15 out of 50

Question 1

What is the purpose of assigning an Admin Role Profile to a user in a Palo Alto Networks NGFW?

  • A. Allow access to all resources without restrictions.
  • B. Enable multi-factor authentication (MFA) for administrator access.
  • C. Define granular permissions for management tasks.
  • D. Restrict access to sensitive report data.
Answer:

C

Explanation:
An Admin Role Profile (Device > Admin Roles) defines, tab by tab, what a role-based administrator
may view, change or is denied in the web interface, CLI, XML API and REST API, for example read-only
access to Monitor with no access to Policies or Device. Assigning the profile to an administrator
account limits that account to the management tasks it needs, which is how least privilege is
enforced for firewall management; the built-in dynamic roles (superuser, superreader, device or
virtual system administrator) are the coarser alternative. MFA for administrators is configured
through the authentication profile, not the role profile, so B is not what the profile does.

Question 2

What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?

  • A. Scanning, Isolation, Whitelisting, Logging
  • B. Discovery, Deployment, Detection, Prevention
  • C. Policy Generation, Discovery, Enforcement, Logging
  • D. Profiling, Policy Generation, Enforcement, Reporting
Answer:

B

Explanation:
The phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution are designed
to help identify and protect against potential threats in real time by using AI to detect and prevent
malicious activities within the network.
Discovery: Identifying applications, services, and behaviors within the network to understand
baseline activity.
Deployment: Implementing the solution into the network and integrating with existing security
measures.
Detection: Monitoring traffic and activities to identify abnormal or malicious behavior.
Prevention: Taking action to stop threats once detected, such as blocking malicious traffic or stopping
exploit attempts.

Question 3

Which configuration step is required when implementing a new self-signed root certificate authority
(CA) certificate for SSL decryption on a Palo Alto Networks firewall?

  • A. Import the new subordinate CA certificate into the trust stores of all client devices.
  • B. Set the subordinate CA certificate as the default routing certificate for all network traffic.
  • C. Configure the subordinate CA to issue certificates with indefinite validity periods.
  • D. Disable all existing SSL decryption rules until the new certificate is fully propagated.
Answer:

A

Explanation:
The firewall decrypts outbound TLS by impersonating the server: it presents the client a certificate
that it has signed with its Forward Trust CA. Clients accept that certificate only if they already
trust the CA chain that signed it, so when a self-signed root CA is generated on the firewall, or a
subordinate CA issued by that root is used as the Forward Trust certificate, the CA certificate and
any root above it must be placed in every client's trust store, typically by Group Policy or MDM.
Export only the certificate, never the private key. Leave the Forward Untrust certificate out of the
client trust stores on purpose: the firewall uses it when the real server's certificate fails
validation, and clients should still see a warning in that case. Indefinite validity (C) and disabling
the decryption rules (D) are not required, and there is no routing certificate (B).

Question 4

Which CLI command is used to configure the management interface as a DHCP client?

  • A. set network dhcp interface management
  • B. set network dhcp type management-interface
  • C. set deviceconfig system type dhcp-client
  • D. set deviceconfig management type dhcp-client
Answer:

C

Explanation:
The management interface's addressing lives under the deviceconfig system node of the
configuration, so the command is set deviceconfig system type dhcp-client, entered in configure
mode and followed by a commit. The same node takes the optional DHCP settings (accept-dhcp-hostname,
accept-dhcp-domain, send-hostname, send-client-id) and, for a static address, type static with
ip-address, netmask and default-gateway. Options A and B sit under network dhcp, which is the node for
DHCP server and relay on dataplane interfaces, not the management port, and there is no deviceconfig
management node (D). Check the result with show system info. On a production firewall a DHCP-assigned
management address should come from a reservation, because Panorama, log forwarding and admin access
all depend on it staying stable.

Question 5

Which interface types should be used to configure link monitoring for a high availability (HA)
deployment on a Palo Alto Networks NGFW?

  • A. HA, Virtual Wire, and Layer 2
  • B. Tap, Virtual Wire, and Layer 3
  • C. Virtual Wire, Layer 2, and Layer 3
  • D. HA, Layer 2, and Layer 3
Answer:

C

Explanation:
HA link monitoring watches the physical link state of dataplane interfaces placed in a link group;
when the group's failure condition is met (any link down, or all links down), the firewall fails
over. The interfaces in a link group are ordinary traffic-carrying interfaces, Virtual Wire, Layer 2
or Layer 3, which is why C is correct. The HA1 and HA2 links are not candidates: they are the control
and data links of the pair and have their own heartbeat and backup-link handling. Tap interfaces only
receive mirrored traffic, so their state says nothing about the forwarding path. Link monitoring is
distinct from path monitoring, which pings destination addresses through a virtual wire, VLAN or
virtual router to catch upstream failures that leave the local link up; in practice both are
configured under Device > High Availability > Link and Path Monitoring.

Question 6

Which statement applies to Log Collector Groups?

  • A. Log redundancy is available only if each Log Collector has the same amount of total disk storage.
  • B. Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
  • C. In any single Collector Group, all the Log Collectors must run on the same Panorama model.
  • D. The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.
Answer:

C

Explanation:
Panorama requires every Log Collector in a Collector Group to run on the same Panorama model (all of
one M-series appliance model, or all Panorama virtual appliances) and the same PAN-OS release, which
is what C states. The other options misquote the Collector Group rules: log redundancy is available
only if each Log Collector has the same number of logging disks, not merely the same total capacity
(A); enabling redundancy doubles the log processing traffic in the group and halves its storage
capacity rather than adding 50% (B); and a Collector Group holds at most 16 Log Collectors, with no
hot-spare concept (D). Redundancy means every log is written to two collectors so that a single
collector failure loses nothing, at the price of that doubled write traffic, which is worth sizing for
before turning it on.

Question 7

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and
requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via
Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?

  • A. Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
  • B. Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
  • C. Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
  • D. Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.
Answer:

B

Explanation:
Option B is the only one that satisfies every stated requirement.
Distributing the root and intermediate CA certificates through a Panorama template gives every portal
and gateway the same trust anchors, so certificate validation behaves identically wherever a user
connects.
Separate certificate profiles for user and machine certificates let the portal and gateway validate
the machine certificate for pre-logon (the tunnel is built before anyone signs in) and the user
certificate after logon, each against the right CA and revocation settings.
Pointing those certificate profiles at an internal OCSP responder gives per-certificate revocation
status without downloading full CRLs. It is the firewall, not the client, that performs the OCSP
query, so the responder must be reachable from the firewalls, and the profile's block-if-status-
unknown and timeout settings should be chosen deliberately rather than left at defaults.
Deploying the machine certificates by Group Policy keeps enrolment and renewal off the users' plates,
which is what minimal disruption means in practice.
Each alternative removes a required control: A and C drop or weaken revocation checking, C also blurs
the user/machine distinction that pre-logon depends on, and D's self-signed per-firewall certificates
and IP-based overrides defeat certificate authentication altogether.

Question 8

An engineer is implementing a new rollout of SAML for administrator authentication across a
company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently
performed with RADIUS, which will remain available for six months, until it is decommissioned. The
company wants both authentication types to be running in parallel during the transition to SAML.
Which two actions meet the criteria? (Choose two.)

  • A. Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
  • B. Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.
  • C. Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.
  • D. Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.
Answer:

A, C

Explanation:
An authentication profile has one type and references one server profile, so a RADIUS authentication
profile cannot also carry a SAML Identity Provider server profile (D). An authentication sequence is
built from authentication profiles, not server profiles, and PAN-OS does not accept a SAML
authentication profile as a member of an authentication sequence, so the two methods cannot be tried
in tandem for the same login (B). What remains is to create and apply an authentication profile of
type SAML (C) and, because the cut-over for a given account is a hard switch rather than a parallel
run, to test it first and keep a rollback path (A): leave the RADIUS authentication profile in the
configuration so it can be re-selected under Device > Setup > Management > Authentication Settings,
and keep at least one local administrator account with a strong password for recovery if the IdP is
unreachable.
The practical way to run both methods side by side for the six months is per account rather than per
login: each administrator account under Device > Administrators can reference its own authentication
profile, so a pilot group can be moved to the SAML profile while everyone else stays on RADIUS until
the final cut-over.

Question 9

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data
from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for
different regional business units. Each region’s firewalls, managed via Panorama, must only receive
the user and group information relevant to that region. The organization aims to minimize
administrative overhead while meeting data sovereignty requirements.
Which approach achieves this segmentation of identity data?

  • A. Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
  • B. Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
  • C. Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
  • D. Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.
Answer:

B

Explanation:
To meet the requirement of data isolation for different regional business units while minimizing
administrative overhead, the best approach is to establish separate Cloud Identity Engine (CIE)
tenants for each business unit. Each tenant would be integrated with the relevant identity sources
(such as on-premises AD, Azure AD, and Okta) for that specific region. This ensures that the identity
data for each region is kept isolated and only relevant user and group data is distributed to the
respective regional firewalls.
By maintaining a strict one-to-one mapping between CIE tenants and business units, the organization
ensures that each region’s firewall only receives the user and group data relevant to that region, thus
meeting data sovereignty requirements and minimizing administrative complexity.

Question 10

Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic
leaving the firewall?

  • A. Isolated
  • B. Transient
  • C. External
  • D. Internal
Answer:

C

Explanation:
PAN-OS zone types are Tap, Virtual Wire, Layer 2, Layer 3, Tunnel and External; there is no Transient,
Isolated or Internal zone type. The external zone is the one used for traffic between virtual systems
on the same firewall. It is associated with another virtual system rather than with an interface:
traffic leaving vsys A for vsys B exits A through A's external zone and enters B through B's external
zone, entirely inside the chassis, with no cable or dataplane interface involved. Each vsys still has
to allow the traffic with its own Security policy between its internal zone and its external zone,
the two virtual systems must be made visible to each other, and the traffic needs a route to the
other side (inter-virtual-router static routes or a shared virtual router).

Question 11

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo
Alto Networks firewall? (Choose two.)

  • A. It is associated with an interface within a VSYS of a firewall.
  • B. It is a security object associated with a specific virtual router of a VSYS.
  • C. It is not associated with an interface; it is associated with a VSYS itself.
  • D. It is a security object associated with a specific VSYS.
Answer:

C, D

Explanation:
An external zone is a security object that belongs to a specific virtual system and represents
another virtual system that this one is allowed to reach. Unlike Tap, Virtual Wire, Layer 2 and
Layer 3 zones it has no interface members: it is associated with the vsys itself, which is why C is
correct and A is not. D is correct because zones are scoped per virtual system, and each vsys defines
its own external zone for inter-vsys traffic so that its own Security policy is applied to what
enters and leaves. B is wrong because zones are not tied to a virtual router; routing between virtual
systems is handled separately, through inter-virtual-router static routes or a shared virtual router.

Question 12

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The
environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA)
scenario?

  • A. Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
  • B. Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
  • C. Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
  • D. Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.
Answer:

A

Explanation:
In an active/passive HA setup, the recommended process for upgrading involves minimizing
downtime and ensuring traffic continuity by using the failover process:
Suspend the active firewall: This triggers a failover to the passive unit, making it the active unit.
Upgrade the former passive (now active) unit: With traffic now running on the previously passive
unit, upgrade the suspended unit while the active unit continues handling traffic.
Confirm proper operation: Once the upgrade is complete, verify that the upgraded unit is functioning
properly.
Fail traffic back: Once the upgraded firewall is confirmed to be working, fail the traffic back to the
original active unit and upgrade the remaining firewall.
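The sequence above, scripted against the PAN-OS XML API, as an added example rather than code from Palo Alto Networks or from this page. The op commands are the CLI commands in their XML form; the element names read from the show high-availability state output (local-info/state, preemptive, build-rel, peer-info/state) follow the real output as I recall it; FakePair is a constructed stand-in for the two firewalls so that the ordering and the preconditions can be exercised offline. A real run needs an HTTPS client behind op(), a content-version check first, and polling while each unit reboots.

```python
"""Active/passive HA upgrade runbook over PAN-OS XML API op commands (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# CLI commands in the XML form the API's type=op endpoint expects.
CMD_HA_STATE = "<show><high-availability><state/></high-availability></show>"
CMD_HA_SUSPEND = "<request><high-availability><state><suspend/></state></high-availability></request>"
CMD_HA_FUNCTIONAL = "<request><high-availability><state><functional/></state></high-availability></request>"
CMD_REBOOT = "<request><restart><system/></restart></request>"


def cmd_install(version: str) -> str:
    return ("<request><system><software><install><version>"
            f"{version}</version></install></software></system></request>")


def op_url(host: str, api_key: str, cmd_xml: str) -> str:
    """URL for one operational command; a real transport would GET this."""
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})


def parse_ha_state(response_xml: str) -> dict:
    """Local/peer state, preemption flag and running release from 'show high-availability state'."""
    root = ET.fromstring(response_xml)
    local, peer = root.find(".//local-info"), root.find(".//peer-info")
    return {"local_state": local.findtext("state"), "peer_state": peer.findtext("state"),
            "preemptive": local.findtext("preemptive") == "yes",
            "version": local.findtext("build-rel")}


def upgrade_active_passive(host_a: str, host_b: str, version: str, op) -> dict:
    """op(host, cmd_xml) -> response XML. Returns the final per-host HA state."""
    st = {h: parse_ha_state(op(h, CMD_HA_STATE)) for h in (host_a, host_b)}
    # With preemption on, the higher-priority unit takes traffic back as soon as it reboots.
    if any(s["preemptive"] for s in st.values()):
        raise RuntimeError("disable HA preemption on both peers before upgrading")
    roles = {h: s["local_state"] for h, s in st.items()}
    if sorted(roles.values()) != ["active", "passive"]:
        raise RuntimeError(f"pair is not in a clean active/passive state: {roles}")
    active = next(h for h, r in roles.items() if r == "active")
    passive = next(h for h, r in roles.items() if r == "passive")

    # 1. Upgrade the passive peer first: it carries no traffic, so nothing is disrupted.
    op(passive, cmd_install(version))
    op(passive, CMD_REBOOT)
    s = parse_ha_state(op(passive, CMD_HA_STATE))
    if s["version"] != version or s["local_state"] != "passive":
        raise RuntimeError(f"{passive} did not come back passive on {version}: {s}")

    # 2. Suspend the active peer; the already upgraded passive peer takes over.
    op(active, CMD_HA_SUSPEND)
    if parse_ha_state(op(passive, CMD_HA_STATE))["local_state"] != "active":
        raise RuntimeError("failover did not occur; leave the suspended unit alone")

    # 3. Upgrade the suspended former-active peer, then return it to functional.
    op(active, cmd_install(version))
    op(active, CMD_REBOOT)
    op(active, CMD_HA_FUNCTIONAL)
    return {h: parse_ha_state(op(h, CMD_HA_STATE)) for h in (host_a, host_b)}


class FakePair:
    """Constructed offline stand-in for two firewalls; mutates HA state like a real pair would."""

    def __init__(self, version="11.1.2", preemptive=False):
        self.state = {"fw-a": "active", "fw-b": "passive"}
        self.version = {"fw-a": version, "fw-b": version}
        self.preemptive, self.pending, self.calls = preemptive, {}, []

    def op(self, host, cmd):
        self.calls.append((host, cmd))
        peer = "fw-b" if host == "fw-a" else "fw-a"
        if cmd == CMD_HA_STATE:
            pre = "yes" if self.preemptive else "no"
            return (f"<response status='success'><result><group><local-info>"
                    f"<state>{self.state[host]}</state><preemptive>{pre}</preemptive>"
                    f"<build-rel>{self.version[host]}</build-rel></local-info>"
                    f"<peer-info><state>{self.state[peer]}</state></peer-info>"
                    f"</group></result></response>")
        if cmd == CMD_HA_SUSPEND:
            self.state[host] = "suspended"
            if self.state[peer] == "passive":
                self.state[peer] = "active"            # failover to the peer
        elif cmd == CMD_HA_FUNCTIONAL:
            self.state[host] = "passive" if self.state[peer] == "active" else "active"
        elif cmd.startswith("<request><system><software><install>"):
            self.pending[host] = ET.fromstring(cmd).findtext(".//version")
        elif cmd == CMD_REBOOT:                        # the staged release becomes the running one
            self.version[host] = self.pending.pop(host, self.version[host])
        return "<response status='success'/>"


if __name__ == "__main__":
    pair = FakePair()
    print(upgrade_active_passive("fw-a", "fw-b", "11.1.4", pair.op))
```

The preemption check is the step most often skipped when this is done by hand: with preemption on, and the higher-priority unit being the one just rebooted, it reclaims the active role the moment it is up, which is a second, unplanned failover in the middle of the change window.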

Question 13

Which set of options is available for detailed logs when building a custom report on a Palo Alto
Networks NGFW?

  • A. Traffic, User-ID, URL
  • B. Traffic, threat, data filtering, User-ID
  • C. GlobalProtect, traffic, application statistics
  • D. Threat, GlobalProtect, application statistics, WildFire submissions
Answer:

B

Explanation:
When building a custom report on a Palo Alto Networks NGFW, you can select detailed logs that
provide specific insights into various aspects of firewall activity. The available options for detailed
logs typically include:
Traffic logs: These provide information on the network traffic passing through the firewall.
Threat logs: These logs capture data related to identified security threats, such as malware or
intrusion attempts.
Data filtering logs: These logs capture events related to data filtering policies, such as preventing the
transfer of sensitive data.
User-ID logs: These logs associate user identities with the traffic and activities observed on the
firewall, enabling user-based policy enforcement.

Question 14

Without performing a context switch, which set of operations can be performed that will affect the
operation of a connected firewall on the Panorama GUI?

  • A. Restarting the local firewall, running a packet capture, accessing the firewall CLI
  • B. Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname
  • C. Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile
  • D. Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports
Answer:

C

Explanation:
In the Panorama web interface a context switch means selecting a managed firewall in the Context
drop-down, which opens that firewall's own management interface so you can work on its local
configuration. Everything in B (local security rules, a Layer 3 interface on the device, the device
hostname) and the operational tasks in A and D (restart, packet capture, CLI, local ACC views and
local reports) are done in that firewall context.
Without switching, you stay in the Panorama context, where the objects that affect managed firewalls
are device-group policy (pre-rules and post-rules) and template configuration such as virtual routers
and IKE gateway network profiles, which is exactly C. These changes reach the firewall only after a
Commit to Panorama followed by a Push to Devices (Commit and Push); a Panorama-only commit changes
nothing on the firewall yet, so always check the push result, not just the commit.

Question 15

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system
(VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the
firewall (no external physical connections). The interfaces for each VSYS are assigned to separate
virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been
created correctly for each VSYS. Security policies have been added to permit the desired traffic
between each zone and its respective external zone. However, the desired traffic is still unable to
successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?

  • A. Create a transit VSYS and route all inter-VSYS traffic through it.
  • B. Add each VSYS to the list of visible virtual systems of the other VSYS.
  • C. Enable the “allow inter-VSYS traffic” option in both external zone configurations.
  • D. Create Security policies to allow the traffic between the two external zones.
Answer:

B

Explanation:
In Palo Alto Networks firewalls, each virtual system (VSYS) is typically isolated from other VSYSs,
meaning that traffic between different VSYSs cannot pass through the firewall by default. In this case,
since the interfaces for each VSYS are assigned to separate virtual routers (VRs), and the desired
traffic is still not passing between the two VSYSs, the firewall needs to be explicitly configured to
allow traffic between them.
The required configuration is to add each VSYS to the list of visible virtual systems of the other VSYS.
This allows inter-VSYS communication to be enabled, effectively permitting the traffic to pass
between the zones of different VSYSs.
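A checker for the three conditions the explanations of Questions 10, 11 and 15 describe (visible virtual systems in both directions, an external zone associated with the other vsys rather than with an interface, and an allow rule in each direction touching that zone), added here as an example and not Palo Alto Networks code. The XML layout mirrors the PAN-OS running configuration as I recall it (vsys/entry/import/visible-vsys, zone/entry/network/external, rulebase/security/rules), trimmed to the elements the check reads; SAMPLE_CONFIG is a constructed accounting/marketing pair in which vsys2 is missing the visibility entry, the fault in the scenario.

```python
"""Inter-vsys readiness check over a (constructed) PAN-OS configuration (added example)."""
import xml.etree.ElementTree as ET

# Constructed two-vsys configuration, trimmed to the elements the check reads.
# vsys1 can see vsys2, but vsys2 has no visible-vsys member: the fault in the scenario.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <import><visible-vsys><member>vsys2</member></visible-vsys></import>
  <zone>
    <entry name="accounting"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="to-marketing"><network><external><member>vsys2</member></external></network></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="acct-out"><from><member>accounting</member></from><to><member>to-marketing</member></to><action>allow</action></entry>
    <entry name="acct-in"><from><member>to-marketing</member></from><to><member>accounting</member></to><action>allow</action></entry>
  </rules></security></rulebase>
</entry>
<entry name="vsys2">
  <import><visible-vsys/></import>
  <zone>
    <entry name="marketing"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    <entry name="to-accounting"><network><external><member>vsys1</member></external></network></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="mkt-out"><from><member>marketing</member></from><to><member>to-accounting</member></to><action>allow</action></entry>
    <entry name="mkt-in"><from><member>to-accounting</member></from><to><member>marketing</member></to><action>allow</action></entry>
  </rules></security></rulebase>
</entry>
</vsys></entry></devices></config>"""


def load_vsys(config_xml: str) -> dict:
    """Per-vsys view: visible vsys set, external zones (zone -> vsys members) and security rules."""
    root = ET.fromstring(config_xml)
    vsys = {}
    for v in root.findall("./devices/entry/vsys/entry"):
        external = {}
        for z in v.findall("./zone/entry"):
            members = [m.text for m in z.findall("./network/external/member")]
            if members:          # an external zone lists virtual systems, never interfaces
                external[z.get("name")] = members
        rules = [(r.get("name"),
                  {m.text for m in r.findall("./from/member")},
                  {m.text for m in r.findall("./to/member")},
                  r.findtext("action"))
                 for r in v.findall("./rulebase/security/rules/entry")]
        vsys[v.get("name")] = {
            "visible": {m.text for m in v.findall("./import/visible-vsys/member")},
            "external": external,
            "rules": rules,
        }
    return vsys


def check_inter_vsys(config_xml: str, a: str, b: str) -> list:
    """Findings that would stop traffic between vsys a and b; empty means both directions are set up."""
    vsys = load_vsys(config_xml)
    findings = []
    for src, dst in ((a, b), (b, a)):
        v = vsys[src]
        if dst not in v["visible"]:
            findings.append(f"{src}: {dst} is not in its visible virtual systems")
        zones = [z for z, members in v["external"].items() if dst in members]
        if not zones:
            findings.append(f"{src}: no external zone associated with {dst}")
            continue
        for zone in zones:
            # Traffic must be allowed out to the external zone and in from it, by this vsys's own rules.
            out_ok = any(act == "allow" and (zone in to or "any" in to) for _, _, to, act in v["rules"])
            in_ok = any(act == "allow" and (zone in frm or "any" in frm) for _, frm, _, act in v["rules"])
            if not out_ok:
                findings.append(f"{src}: no allow rule to external zone {zone}")
            if not in_ok:
                findings.append(f"{src}: no allow rule from external zone {zone}")
    return findings


if __name__ == "__main__":
    for finding in check_inter_vsys(SAMPLE_CONFIG, "vsys1", "vsys2"):
        print(finding)
```

Run against the sample, the only finding is the missing visibility entry on vsys2, which matches the scenario: routes, zones and policy are all present, and yet nothing passes until each vsys can see the other.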
