
Palo Alto Networks NGFW-Engineer - Next-Generation Firewall Engineer Certification Exam

Question #1 (Topic: Demo Questions)

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to send DNS queries for corp.internal.com (and its subdomains) to the DNS servers assigned by the VPN gateway, while allowing all other DNS queries to be resolved by the client's locally configured DNS servers.
What is the effect of configuring this split DNS policy?

A.
It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.
B.
It blocks access to all domains that are not explicitly listed in the split tunnel configuration.
C.
It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.
D.
It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.
Correct Answer: A
Explanation:
Basic Concept: Split DNS lets the GlobalProtect app send queries for the domains listed in the portal's agent configuration to the DNS servers the gateway assigns, while every other name is resolved by the client's locally configured resolver. It is configured alongside, but independently of, split tunneling of IP traffic: a domain can be resolved through the tunnel even if the resulting traffic is excluded from it, and vice versa. The practical trade-off is performance and local reachability for public names against the need to list every internal domain; an internal name that is not on the list is sent to the local (often untrusted) resolver and will either leak or fail to resolve.
Why A is Correct: The policy selectively resolves the listed corporate domains through the tunnel and leaves all other lookups to the local resolver, which is exactly the stated requirement.
Why B is Wrong: Split DNS only decides which resolver answers a query; it is not an access control. Names outside the list still resolve, just through the local resolver. Blocking access would require Security policy, URL Filtering, or DNS Security on the traffic itself.
Why C is Wrong: Sending every query to the corporate servers is the opposite of a split; that is the behaviour of a full tunnel with no split DNS configured.
Why D is Wrong: The app does not proxy or forward all queries to the firewall for inspection. It steers each query to one resolver or the other, and the firewall only ever sees the queries that actually traverse the tunnel.
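As an added example of the decision that split DNS makes per query (this is not GlobalProtect code, and it does not model how the app programs the operating system's resolver), the following Python models include and exclude domain lists as suffix matches and picks a resolver. The entry syntax, the longest-match precedence between include and exclude entries, and the resolver addresses are assumptions for the illustration. The cases it exercises are the ones that bite in practice: case and trailing-dot normalization, and the difference between a suffix match and a plain substring match (notcorp.internal.com must not be treated as part of corp.internal.com).

```python
# Added example: which resolver a split DNS policy selects for a given query.
# Models the decision only (suffix match on configured domains); it is not
# GlobalProtect code. Entry syntax, include/exclude precedence and the resolver
# addresses below are assumptions made for the illustration.

VPN_DNS = ("10.10.0.53",)      # constructed: resolvers pushed by the gateway
LOCAL_DNS = ("192.168.1.1",)   # constructed: the client's own resolver


def _normalize(name):
    """Lower-case and strip the trailing dot so FQDN and relative forms compare equal."""
    return name.strip().rstrip(".").lower()


def _suffix_match(query, domain):
    """True if query equals domain or is a label-aligned subdomain of it.
    A plain endswith() would wrongly match 'notcorp.internal.com'."""
    q, d = _normalize(query), _normalize(domain)
    return q == d or q.endswith("." + d)


def choose_resolver(query, include_domains, exclude_domains=()):
    """Return ("tunnel", VPN_DNS) when the query belongs to the VPN's DNS, else ("local", LOCAL_DNS).
    The most specific (longest) matching entry wins, so an exclude entry can carve a
    sub-domain out of a broader include entry (assumed precedence)."""
    best_len, best_kind = -1, None
    for kind, domains in (("include", include_domains), ("exclude", exclude_domains)):
        for d in domains:
            if _suffix_match(query, d) and len(_normalize(d)) > best_len:
                best_len, best_kind = len(_normalize(d)), kind
    if best_kind == "include":
        return "tunnel", VPN_DNS
    return "local", LOCAL_DNS


def classify_batch(queries, include_domains, exclude_domains=()):
    """Map each query name to 'tunnel' or 'local'; handy for reviewing a proposed domain list."""
    return {q: choose_resolver(q, include_domains, exclude_domains)[0] for q in queries}


if __name__ == "__main__":
    # Constructed sample queries, as a client might issue after connecting.
    sample = ["intranet.corp.internal.com", "CORP.INTERNAL.COM.", "notcorp.internal.com",
              "www.example.com", "cdn.public.corp.internal.com", "hr.corp.internal.com"]
    for name, where in classify_batch(sample, ["corp.internal.com"], ["public.corp.internal.com"]).items():
        print(f"{name:32} -> {where}")
```

Run the batch over the names your users actually resolve (a day of DNS logs from the corporate resolver is a good source) before committing the portal configuration; every internal name that comes back as "local" is one that will leak to, or fail on, the client's own resolver.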
Question #2 (Topic: Demo Questions)

By default, which type of traffic is configured by service route configuration to use the management interface?

A.
Security zone 
B.
IPSec tunnel
C.
Virtual system (VSYS)
D.
Autonomous Digital Experience Manager (ADEM)
Correct Answer: D
Explanation:
Service routes control which interface and source address the firewall itself uses for the traffic it originates (DNS, NTP, content and software updates, Panorama connectivity, log forwarding, ADEM, and so on). By default every service uses the out-of-band management (MGT) interface; Device > Setup > Services > Service Route Configuration lets you move individual services to a dataplane interface, for example when the MGT port has no route to the internet. Of the four options only ADEM is a service, so it is the only one that has a default service route. Security zones, IPSec tunnels and virtual systems are dataplane constructs that carry transit traffic; they are not services and have no service route. When customizing service routes, remember that moving a service to a dataplane interface also means its traffic is subject to Security policy, so the corresponding rules and NAT must exist.
Question #3 (Topic: Demo Questions)

An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.
Which API call is required for this task?

A.
XML API command with an xpath of config/devices/entry/vsys/entry/path-quality-profiles on Panorama
B.
XML API command with an xpath of sdwan/path-quality-profiles on a managed firewall
C.
POST request to the SDWanPathQualityProfiles object endpoint via the REST API on Panorama
D.
POST request to the path Monitoring Profiles object endpoint via the REST API on a managed firewall
Correct Answer: C
Explanation:
Basic Concept: SD-WAN path quality profiles define the latency, jitter and packet-loss thresholds (each with a sensitivity) against which a link is judged, and are referenced by SD-WAN policy rules to decide when traffic should fail over to another path. Managing them from Panorama keeps every tenant's thresholds consistent and lets a commit-and-push distribute them, which is what a multi-tenant automation script needs.
Why C is Correct: The SDWanPathQualityProfiles object endpoint of the PAN-OS REST API, called on Panorama, creates the profile centrally in the tenant's template, from where it is pushed to the managed firewalls.
Why A is Wrong: The XML API can manage the same configuration, but the xpath shown does not point at where Panorama stores path quality profiles, and the question asks for the REST object endpoint that exists for this purpose.
Why B is Wrong: It targets a managed firewall rather than Panorama, so the profile would be created on one device outside central management, and the xpath fragment is not a complete configuration path.
Why D is Wrong: It also targets a managed firewall instead of Panorama, and "path monitoring profiles" is not the SD-WAN path quality profile object; path monitoring is a separate feature used for static routes and policy-based forwarding.
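As an added example of the API call answer C describes (not Palo Alto Networks code and not verified against a specific PAN-OS release), the Python below builds the REST request that creates a path quality profile on Panorama, validates the thresholds before they are sent, and fans the same profile out to several tenant templates. The resource path Network/SDWANPathQualityProfiles, the location=template query parameters, the JSON layout (metric/latency/jitter/pkt-loss with threshold and sensitivity) and the host name are assumptions modelled on the answer; check them against the REST API reference for your version. The request builder is separated from the sender so the script can be unit-tested without a live Panorama.

```python
import json
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Added example (not Palo Alto Networks code): build, and optionally send, the
# Panorama REST API request that creates an SD-WAN path quality profile.
# Assumptions for the illustration: the resource is Network/SDWANPathQualityProfiles
# under /restapi/<version>/, the profile lives in a Panorama template
# (location=template), and the JSON mirrors the profile's metric/threshold/sensitivity
# layout. Verify against the REST API reference of your PAN-OS version before use.

SENSITIVITIES = ("low", "medium", "high")


def validate_thresholds(latency_ms, jitter_ms, pkt_loss_pct, sensitivity):
    """Reject values the profile cannot hold before they reach Panorama."""
    return (sensitivity in SENSITIVITIES
            and isinstance(latency_ms, int) and latency_ms > 0
            and isinstance(jitter_ms, int) and jitter_ms > 0
            and isinstance(pkt_loss_pct, int) and 0 < pkt_loss_pct <= 100)


def build_pqp_entry(name, latency_ms, jitter_ms, pkt_loss_pct, sensitivity="medium"):
    """JSON body for one path quality profile (layout assumed, see above)."""
    if not validate_thresholds(latency_ms, jitter_ms, pkt_loss_pct, sensitivity):
        raise ValueError(f"invalid path quality parameters for {name!r}")
    return {"entry": {"@name": name, "metric": {
        "latency":  {"threshold": latency_ms,   "sensitivity": sensitivity},
        "jitter":   {"threshold": jitter_ms,    "sensitivity": sensitivity},
        "pkt-loss": {"threshold": pkt_loss_pct, "sensitivity": sensitivity},
    }}}


def build_create_request(panorama_host, api_key, template, entry, api_version="v10.2"):
    """POST to the (assumed) SDWANPathQualityProfiles endpoint for one template."""
    name = entry["entry"]["@name"]
    query = urlencode({"location": "template", "template": template, "name": name})
    url = f"https://{panorama_host}/restapi/{api_version}/Network/SDWANPathQualityProfiles?{query}"
    # The API key travels in the X-PAN-KEY header, never in the URL, so it stays
    # out of proxy and web-server logs.
    headers = {"X-PAN-KEY": api_key, "Content-Type": "application/json"}
    return Request(url, data=json.dumps(entry).encode(), headers=headers, method="POST")


def decode_body(req):
    """Return the JSON body of a built request (for review or tests)."""
    return json.loads(req.data)


def build_for_tenants(panorama_host, api_key, templates, entry):
    """One request per tenant template; commit and push afterwards to reach the firewalls."""
    return [build_create_request(panorama_host, api_key, t, entry) for t in templates]


def send(req, timeout=15):
    """Send a built request with TLS certificate verification left on (do not disable it)."""
    ctx = ssl.create_default_context()
    with urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    # Constructed values: host, template names and the key come from the environment in practice.
    profile = build_pqp_entry("voip-strict", latency_ms=100, jitter_ms=20, pkt_loss_pct=2, sensitivity="high")
    key = os.environ.get("PAN_API_KEY", "")
    for r in build_for_tenants("panorama.example.net", key, ["tenant-a", "tenant-b"], profile):
        print(r.get_method(), r.full_url)   # no network call unless send(r) is used
```

Generate the API key for a dedicated automation admin with a role restricted to the REST API and the objects it needs, rather than reusing a superuser key, and keep certificate verification enabled; an SD-WAN script that silently accepts any certificate is an easy place to inject a rogue Panorama.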
Question #4 (Topic: Demo Questions)

What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)

A.
Layer 3
B.
Layer 2
C.
Management
D.
DMZ
Correct Answer: A, B
Explanation:
Basic Concept: A zone's type must match the interface mode of the interfaces assigned to it, and an interface can belong to only one zone. The types selectable in Network > Zones are Tap, Virtual Wire, Layer2, Layer3, Tunnel and, on multi-vsys firewalls, External (for traffic between virtual systems).
Why A and B are Correct: Layer 3 and Layer 2 are two of the selectable zone types; Layer 3 zones hold routed interfaces and Layer 2 zones hold switched interfaces within a VLAN object.
Why C is Wrong: There is no Management zone type. The MGT port is out-of-band and is never a member of a security zone; traffic to and from it is governed by the management interface's permitted-services and permitted-IP settings, not by Security policy.
Why D is Wrong: DMZ is a zone name, not a zone type. A DMZ is normally created as a Layer 3 zone; the type describes how the interfaces forward traffic, while the name is an administrative label used in Security policy.
Question #5 (Topic: Demo Questions)

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)

A.
For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.
B.
The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.
C.
For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.
D.
The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.
Correct Answer: A, B
Explanation:
In the Palo Alto Networks architecture, establishing a site-to-site VPN requires a clear understanding of how the Security policy engine treats two distinct categories of traffic. According to the technical documentation (Step 7 of the IPSec configuration guide), these are the negotiation traffic between the two gateways and the data traffic that transits the tunnel.

First, the IKE negotiation (UDP 500, or UDP 4500 with NAT-T) and the IPSec/ESP packets (IP protocol 50) are addressed to the firewall's own external interface. Because the peer gateway is usually reachable through the same zone as that interface (for example 'Untrust'), the session is processed as intrazone. PAN-OS ships with an intrazone-default rule set to Allow, so the tunnel can establish without an explicit rule, provided no earlier rule denies the traffic. This is why statement B is correct. Two practical caveats: if the intrazone-default rule has been overridden to Deny as a hardening measure, you must add an explicit rule from the peer's address to the firewall's interface address permitting the App-IDs ike and ipsec-esp (and ipsec-esp-udp when NAT-T is in use); and the default rules do not log unless you override them, so enable logging on intrazone-default or use an explicit rule if you want session logs for the negotiation.

Second, the data traffic entering or leaving the tunnel interface is subject to normal zone-based inspection between the internal zone and the zone assigned to the tunnel interface. The firewall is stateful and rules are evaluated on the initiating direction, so a rule from 'Trust' to 'VPN' allows return packets for sessions started internally but not sessions initiated by the remote site. The documentation states that creating separate rules for each direction is optional (statement A): an administrator can create two granular rules, one inbound and one outbound, or combine both directions in a single rule by listing both the internal zone and the tunnel zone in the source and destination fields. The combined rule is simpler to maintain but less precise; it also matches traffic that stays within either zone, and the same applications, services and security profiles apply in both directions, so use separate rules when the two sites warrant different controls.
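The reasoning above can be checked with a small model of how PAN-OS evaluates Security policy: first-match over the explicit rules, then fall-through to intrazone-default or interzone-default depending on whether source and destination zones are the same. The Python below is an added illustration of that evaluation order, not PAN-OS code; the zone names ('untrust', 'trust', 'vpn'), rule names and the sample applications are constructed for the example, although ike and ipsec-esp are real App-ID names. It shows the negotiation being allowed by intrazone-default, tunnel data being dropped until a rule exists, one combined rule covering both directions, and what happens once intrazone-default has been hardened to deny.

```python
from dataclasses import dataclass, field

# Added example: a minimal first-match, zone-based policy evaluator that mimics
# how PAN-OS falls through to intrazone-default / interzone-default. It is an
# illustration of the reasoning for this question, not PAN-OS code. Zone names,
# rule names and the sample applications are constructed; "ike" and "ipsec-esp"
# are real App-ID names.


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    apps: set          # {"any"} or App-ID names such as "ike"
    action: str        # "allow" or "deny"

    def matches(self, src_zone, dst_zone, app):
        return (("any" in self.src_zones or src_zone in self.src_zones)
                and ("any" in self.dst_zones or dst_zone in self.dst_zones)
                and ("any" in self.apps or app in self.apps))


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    intrazone_default: str = "allow"   # PAN-OS factory default
    interzone_default: str = "deny"    # PAN-OS factory default

    def evaluate(self, src_zone, dst_zone, app):
        """Return (action, rule_name) for the first matching rule, else the applicable default."""
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, app):
                return rule.action, rule.name
        if src_zone == dst_zone:
            return self.intrazone_default, "intrazone-default"
        return self.interzone_default, "interzone-default"


# Scenario 1: factory defaults, no explicit rules yet. The peer gateway and the
# firewall's external interface are both in "untrust", so negotiation is intrazone.
def negotiation_without_rules():
    p = Policy()
    return p.evaluate("untrust", "untrust", "ike"), p.evaluate("untrust", "untrust", "ipsec-esp")


def tunnel_data_without_rules():
    p = Policy()
    return p.evaluate("trust", "vpn", "smb"), p.evaluate("vpn", "trust", "smb")


# Scenario 2: one combined rule with both zones in source and destination (statement A).
def tunnel_data_with_combined_rule():
    p = Policy(rules=[Rule("site-to-site", {"trust", "vpn"}, {"trust", "vpn"}, {"any"}, "allow")])
    return p.evaluate("trust", "vpn", "smb"), p.evaluate("vpn", "trust", "smb")


# Scenario 3: intrazone-default hardened to deny; negotiation now needs an explicit rule.
def negotiation_with_hardened_default(explicit_rule):
    rules = []
    if explicit_rule:
        rules.append(Rule("allow-vpn-peer", {"untrust"}, {"untrust"}, {"ike", "ipsec-esp"}, "allow"))
    p = Policy(rules=rules, intrazone_default="deny")
    return p.evaluate("untrust", "untrust", "ike")


if __name__ == "__main__":
    print("negotiation, defaults:     ", negotiation_without_rules())
    print("tunnel data, no rules:     ", tunnel_data_without_rules())
    print("tunnel data, combined rule:", tunnel_data_with_combined_rule())
    print("hardened, no rule:         ", negotiation_with_hardened_default(False))
    print("hardened, explicit rule:   ", negotiation_with_hardened_default(True))
```

Note that the combined rule in scenario 2 also matches 'trust' to 'trust' and 'vpn' to 'vpn' sessions; intrazone-default would have allowed those anyway, but they now hit this rule's profiles and logging, which is one reason to prefer two directional rules when the site needs distinct controls.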