Palo Alto Networks NGFW-Engineer - Next-Generation Firewall Engineer Certification Exam
Question #1 (Topic: Demo Questions)
An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.
What is the effect of configuring this split DNS policy?
Correct Answer: A
Explanation:
Basic Concept: Split DNS lets GlobalProtect resolve selected domains through VPN DNS while leaving other names to local DNS. This improves performance without breaking internal name resolution.
Why A is Correct: The policy selectively resolves listed corporate domains through the tunnel and leaves all other lookups local.
Why B is Wrong: Option B, "It blocks access to all domains that are not explicitly listed in the split tunnel configuration," relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Why C is Wrong: Option C, "It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic," relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Why D is Wrong: Option D, "It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection," relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Question #2 (Topic: Demo Questions)
By default, which type of traffic is configured by service route configuration to use the management interface?
Correct Answer: D
Explanation:
By default, the Autonomous Digital Experience Manager (ADEM) traffic is configured to use the management interface in a Palo Alto Networks firewall. The management interface is typically used for management-related traffic, such as monitoring and logging, and it is configured to handle ADEM-related traffic for the optimal performance of digital experience monitoring features. This default configuration helps ensure that ADEM traffic does not interfere with regular traffic that may traverse other interfaces, such as traffic from security zones or IPSec tunnels.
Question #3 (Topic: Demo Questions)
An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.
Which API call is required for this task?
Correct Answer: C
Explanation:
Basic Concept: SD-WAN path quality profiles measure latency, jitter, and packet loss. Panorama REST API endpoints support programmatic profile creation for managed deployments.
Why C is Correct: The SDWanPathQualityProfiles REST object on Panorama is the correct API target for creating path quality profiles centrally.
Why A is Wrong: XML API command with an xpath of config/devices/entry/vsys/entry/path-quality-profiles on Panorama is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.
Why B is Wrong: XML API command with an xpath of sdwan/path-quality-profiles on a managed firewall is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.
Why D is Wrong: POST request to the pathMonitoringProfiles object endpoint via the REST API on a managed firewall is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.
Question #4 (Topic: Demo Questions)
What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)
Correct Answer: A, B
Explanation:
Basic Concept: Zone type is the PAN-OS category that matches interface mode. Valid selectable zone types include Layer 2 and Layer 3, among others.
Why A and B are Correct: Layer 3 and Layer 2 are valid zone types; Management and DMZ are not PAN-OS zone types, although DMZ is often used as a zone name.
Why C is Wrong: Management is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.
Why D is Wrong: DMZ is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.
Question #5 (Topic: Demo Questions)
Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
Correct Answer: A, B
Explanation: