Palo Alto Networks Next-Generation Firewall Engineer (NGFW-Engineer) Free Practice Test

Question 1

An organization uses Cloud Identity Engine (CIE) to gather user information from its on-premises Active Directory (AD) for employees and a separate Azure AD for external partners. Due to compliance regulations, the firewalls protecting the internal network must not have any identity information about external partners.
Conversely, firewalls in the partner-facing DMZ should only be aware of partner identities.
Which CIE feature is designed to solve this data partitioning requirement?

A. Multiple tenants, where a separate CIE tenant is required for each user directory to maintain isolation

B. Directory sync filtering, which is used at the source to prevent specific OUs from being imported into CIE

C. Panorama templates, which can be used to push different User-ID agent configurations to each firewall group

D. Segments, which can be configured to create distinct, filter-based views of users and groups that are then redistributed only to the appropriate firewalls

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

What is a result of enabling split tunneling in the GlobalProtect portal configuration with the "Both Network Traffic and DNS" option?

A. It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

B. It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.

C. It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.

D. It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

By default, which type of traffic is configured by service route configuration to use the management interface?

A. Autonomous Digital Experience Manager (ADEM)

B. Virtual system (VSYS)

C. Security zone

D. IPSec tunnel

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

An organization is migrating its data center to Amazon Web Services (AWS) and needs to deploy VM-Series firewalls to inspect all ingress and egress traffic. The solution must provide both resilience across multiple Availability Zones and the ability to scale horizontally.
Which combination of AWS services and Palo Alto Networks components is required for this use case?

A. PAN-OS active/active high availability (HA) pair with an AWS Transit Gateway

B. Amazon EC2 Auto Scaling group with VM-Series firewalls and an Amazon Gateway Load Balancer

C. Single VM-Series firewall with an Elastic IP address that can be re-associated upon failure

D. AWS Lambda function that monitors the firewall's health and re-routes traffic using the AWS API

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

A network security engineer is reviewing the dynamic update settings for a fleet of firewalls in a financial institution that has a policy prioritizing operational stability above all else. The engineer notes that the current content update threshold is set to 24 hours.
Following the Palo Alto Networks recommended best practices for mission-critical deployments, which adjustment should be made to the threshold?

A. Change to "download only" and schedule manual installation.

B. Reset to reconfirm 24 hours.

C. Increase to 48 hours.

D. Decrease to 12 hours.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement?

A. Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.

B. Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.

C. Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

D. Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

An engineer configures a PA-440 firewall to act as a switch by creating several Layer 2 interfaces and assigning them all to VLAN 20. A file server is connected to interface ethernet1/1, and client workstations are connected to interfaces ethernet1/2 and ethemet1/3. All devices are in VLAN 20. The clients are unable to access the file server.
Which configuration step to allow this communication by default is missing?

A. Create an "allow" Security policy with the source and destination VLAN set to "VLAN 20".

B. Create a Layer 3 subinterface for VLAN 20 to enable routing.

C. Place ethernet1/1, ethernet1/2, and ethernet1/3 into the same Layer 2 zone.

D. Create an Aggregate Ethernet (AE) group that includes all three interfaces.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Palo Alto Networks Next-Generation Firewall Engineer (NGFW-Engineer) Free Practice Test