NGFW-Engineer Practice Questions

A network security engineer needs to permit traffic between two distinct VSYS that reside on one Palo Alto Networks firewall. This traffic will not egress the firewall to an external device.

Which zone type must be configured to act as the logical source and destination for this traffic flow?

A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.

Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?

When multiple routes have the same destination prefix, which attribute does the firewall use first to determine route preference?

An organization is adopting an Infrastructure as Code (IaC) approach to manage its entire network environment, including its Palo Alto Networks firewalls. The organization has chosen Ansible as its primary tool for this initiative.

How does Ansible enable an IaC model for managing this organization's firewalls?

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.

To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?

A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.

Within which section of a Zone Protection profile should these protections be configured?

A large organization has separate production and development environments, each with its own set of firewalls managed by Panorama. The organization uses Cloud Identity Engine (CIE) to consolidate user identities from Active Directory (AD) and Okta.

A security mandate requires that development firewalls must only learn about "DEV" and "QA" user groups, while production firewalls should only see "Prod" user groups.

How can an administrator enforce this separation using CIE with minimal complexity?

Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.

Which additional configuration task is required to resolve this issue?