Palo Alto Networks NGFW-Engineer - Next-Generation Firewall Engineer Certification Exam

Question #6 (Topic: Demo Questions)

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

A. License
B. Plugin
C. Content update
D. General setting
Correct Answer: D
Explanation:
Basic Concept: Before logical routers can be configured, PAN-OS must be switched from the legacy virtual router model to the Advanced Routing Engine through the firewall's general routing setting.
Why D is Correct: The General setting is correct because enabling advanced routing is the prerequisite that exposes logical router configuration; it is not activated by a license, plugin, or content package.
Why A is Wrong: Advanced Routing Engine is not enabled by adding a license alone. Licensing may affect platform features, but logical routers require the routing engine setting.
Why B is Wrong: Plugins extend integrations such as SD-WAN, but they do not enable the base Advanced Routing Engine.
Why C is Wrong: Content updates deliver application, threat, and signature data. They do not activate logical router support.
Question #7 (Topic: Demo Questions)

An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.
Which two abilities are enabled by this specific configuration step? (Choose two.)

A. Configuring tunnel monitoring to verify the liveliness of the connection.
B. Firewall performing NAT traversal.
C. Running a dynamic routing protocol like OSPF over the tunnel.
D. Firewall encrypting and decrypting packet payloads.
Correct Answer: A, C
Explanation:
Basic Concept: A tunnel interface IP address enables Layer 3 functions that require the firewall to source or receive traffic over the tunnel itself.
Why A and C are Correct: Tunnel monitoring and dynamic routing require an IP address on the tunnel interface; encryption and NAT traversal do not depend on that address.
Why B is Wrong: NAT traversal relates to VPN configuration, but it does not depend on the tunnel interface IP address, which is the configuration step this question asks about.
Why D is Wrong: Encrypting and decrypting packet payloads relates to VPN configuration, but it does not depend on the tunnel interface IP address, which is the configuration step this question asks about.
Question #8 (Topic: Demo Questions)

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

A. X-Forwarded-For (XFF) headers
B. Server monitoring
C. GlobalProtect
D. Authentication Portal
Correct Answer: D
Explanation:
Basic Concept: Authentication Portal creates User-ID mappings from a direct user authentication event on the firewall, making it more explicit than mappings inferred from server logs.
Why D is Correct: Authentication Portal is correct because the firewall itself validates the user and records the source IP mapping.
Why A is Wrong: X-Forwarded-For (XFF) headers are a valid Palo Alto Networks or networking concept in another context, but they do not implement the exact configuration outcome required by this question.
Why B is Wrong: Server monitoring is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.
Why C is Wrong: GlobalProtect is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.