NGFW1
Title of test: NGFW1
Description: Exam Questions



1. To maintain security efficacy of its public cloud resources by using native tools, a company purchases Cloud NGFW credits to replicate the Panorama, PA-Series, and VM-Series devices used in physical data centers. Resources exist on AWS and Azure:
   - The AWS deployment is architected with AWS Transit Gateway, to which all resources connect
   - The Azure deployment is architected with each application independently routing traffic

   The engineer deploying Cloud NGFW in these two cloud environments must account for the following:
   - Minimize changes to the two cloud environments
   - Scale to the demands of the applications while using the least amount of compute resources
   - Allow the company to unify the Security policies across all protected areas

   Which two implementations will meet these requirements? (Choose two.)
   - Deploy a VM-Series firewall in AWS in each VPC, create an IPSec tunnel between AWS and Azure, and manage the policy with Panorama.
   - Deploy Cloud NGFW for Azure in vNET/s, update the vNET/s routing to path traffic through the deployed NGFWs, and manage the policy with Panorama.
   - Deploy Cloud NGFW for Azure in vWAN, create a vWAN to route all appropriate traffic to the Cloud NGFW attached to the vWAN, and manage the policy with local rules.
   - Deploy Cloud NGFW for AWS in a centralized Security VPC, update the Transit Gateway to route all appropriate traffic through the Security VPC, and manage the policy with Panorama.

2. During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall. Which firewall models support this configuration?
   - PA-5280, PA-7080, PA-3250, VM-Series.
   - PA-455, VM-Series, PA-1410, PA-5450.
   - PA-3260, PA-5410, PA-850, PA-460.
   - PA-7050, PA-1420, VM-Series, CN-Series.

3. Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
   - For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.
   - The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.
   - For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.
   - The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

4. Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?
   - It acts as a logging service for NGFW performance metrics.
   - It orchestrates real-time traffic inspection for network segments.
   - It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.
   - It manages threat intelligence data synchronization with NGFWs.

5. By default, which type of traffic is configured by service route configuration to use the management interface?
   - Security zone.
   - IPSec tunnel.
   - Virtual system (VSYS).
   - Autonomous Digital Experience Manager (ADEM).

6. In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?
   - License.
   - Plugin.
   - Content update.
   - General setting.

7. Which two zone types are valid when configuring a new security zone? (Choose two.)
   - Tunnel.
   - Intrazone.
   - Internal.
   - Virtual Wire.

8. An organization has configured GlobalProtect in a hybrid authentication model using both certificate-based authentication for the pre-logon stage and SAML-based multi-factor authentication (MFA) for user logon. How does the GlobalProtect agent process the authentication flow on Windows endpoints?
   - The GlobalProtect agent uses the machine certificate to establish a pre-logon tunnel; upon user sign-in, it prompts for SAML-based MFA credentials, ensuring both device and user identities are validated before granting full access.
   - The GlobalProtect agent uses the machine certificate during pre-logon for initial tunnel establishment, and then seamlessly reuses the same machine certificate for user-based authentication without requiring MFA.
   - Once the machine certificate is validated at pre-logon, the Windows endpoint completes MFA on behalf of the user by passing existing Windows Credential Provider details to the GlobalProtect gateway without prompting the user.
   - GlobalProtect requires the user to log in first for SAML-based MFA before establishing the pre-logon tunnel, rendering the pre-logon certificate authentication (CA) flow redundant.

9. An NGFW engineer is configuring multiple Panorama-managed firewalls to start sending all logs to Strata Logging Service. The Strata Logging Service instance has been provisioned, the required device certificates have been installed, and Panorama and the firewalls have been successfully onboarded to Strata Logging Service. Which configuration task must be performed to start sending the logs to Strata Logging Service and continue forwarding them to the Panorama log collectors as well?
   - Modify all active Log Forwarding profiles to select the “Cloud Logging” option in each profile match list in the appropriate device groups.
   - Enable the “Panorama/Cloud Logging” option in the Logging and Reporting Settings section under Device --> Setup --> Management in the appropriate templates.
   - Select the “Enable Duplicate Logging” option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.
   - Select the “Enable Cloud Logging” option in the Cloud Logging section under Device --> Setup --> Management in the appropriate templates.

10. An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other. Which action taken by the engineer will resolve this issue?
    - Configure each interface to belong to the same Layer 2 zone and enable IP routing between them.
    - Assign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN.
    - Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone.
    - Enable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN.

11. In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured. What function do certificate profiles serve in this context?
    - They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.
    - They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.
    - They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.
    - They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.

12. How does a Palo Alto Networks NGFW respond when the preemptive hold time is set to 0 minutes during configuration of route monitoring?
    - It does not accept the configuration.
    - It accepts the configuration but throws a warning message.
    - It removes the static route because 0 is a NULL value.
    - It reinstalls the route into the routing information base (RIB) as soon as the path comes up.

13. After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish. Which of the following actions will resolve this issue?
    - Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.
    - Configure the Proxy IDs to match the Cisco ASA configuration.
    - Check that IPSec is enabled in the management profile on the external interface.
    - Validate the tunnel interface VLAN against the peer’s configuration.

14. Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?
    - Set Transmission Rate to “fast.”
    - Set passive link state to “Auto.”
    - Set “Enable in HA Passive State.”
    - Set LACP mode to “Active.”

15. When integrating Kubernetes with Palo Alto Networks NGFWs, what is used to secure traffic between microservices?
    - Service graph.
    - Ansible automation modules.
    - Panorama role-based access control (RBAC).
    - CN-Series firewalls.

16. When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?
    - Flood Protection.
    - Protocol Protection.
    - Packet-Based Attack Protection.
    - Reconnaissance Protection.

17. For which two purposes is an IP address configured on a tunnel interface? (Choose two.)
    - Use of dynamic routing protocols.
    - Tunnel monitoring.
    - Use of peer IP.
    - Redistribution of User-ID.

18. Which PAN-OS method of mapping users to IP addresses is the most reliable?
    - Port mapping.
    - GlobalProtect.
    - Syslog.
    - Server monitoring.

19. In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?
    - To forward packets to the HA peer during session setup and asymmetric traffic flow.
    - To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information.
    - To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair.
    - To perform session cache synchronization among all HA peers having the same cluster ID.

20. A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions. Which action meets the requirements in this scenario?
    - Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
    - Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
    - Deploy the Advanced URL Filtering license and captive portal.
    - Deploy the explicit proxy with Kerberos authentication scheme.

21. What must be configured before a firewall administrator can define policy rules based on users and groups?
    - User Mapping profile.
    - Authentication profile.
    - Group mapping settings.
    - LDAP Server profile.

22. Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?
    - Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules.
    - Panorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting.
    - The order of policy evaluation can be configured differently in different device groups.

23. Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?
    - DDNS.
    - Link Duplex.
    - NetFlow.
    - LLDP.

24. What is a result of enabling split tunneling in the GlobalProtect portal configuration with the “Both Network Traffic and DNS” option?
    - It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.
    - It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.
    - It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.
    - It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

25. According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission-critical network?
    - 8 hours.
    - 16 hours.
    - 32 hours.
    - 48 hours.

26. Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?
    - CPU.
    - Sessions limit.
    - Memory.
    - Security profile limit.

27. Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?
    - Panorama, syslog, email.
    - Syslog, HTTP, NetFlow.
    - Panorama, ADEM, syslog.
    - SNMP, HTTP, RADIUS.

28. In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?
    - It provides a web interface for managing NGFW hardware clusters.
    - It enables centralized log collection and correlation for NGFWs.
    - It facilitates dynamic updates to NGFW threat databases.
    - It automates NGFW policy updates and configurations through playbooks.

29. Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)
    - NAT tables.
    - User Authentication.
    - GlobalProtect Gateways.
    - GlobalProtect Portal.

30. How does a Palo Alto Networks firewall choose the best route when it receives routes for the same destination from different routing protocols?
    - The route that was received first will be entered into the forwarding table, and all subsequent routes will be rejected.
    - It will attempt to load balance the traffic across all routes.
    - It compares the administrative distance and chooses the one with the highest value.
    - It compares the administrative distance and chooses the one with the lowest value.

31. A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency. Which approach best addresses these requirements while maintaining consistent policy enforcement?
    - Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CA. Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.
    - Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method – such as Group Policy or SCEP – to deploy certificates to endpoints.
    - Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication.
    - Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.

32. An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility. Which approach meets these requirements?
    - Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.
    - Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.
    - Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.
    - Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

33. When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?
    - Deploying Ansible scripts for zone-specific scaling.
    - Implementing Terraform templates for redundancy within one availability zone.
    - Using load balancer and health probes.
    - Configuring active/active HA.

34. An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API. What is a requirement for the application to create SD-WAN interfaces?
    - REST API’s “sdwanInterfaceprofiles” parameter on a Panorama device.
    - REST API’s “sdwanInterfaces” parameter on a firewall device.
    - XML API’s “sdwanprofiles/interfaces” parameter on a Panorama device.
    - XML API’s “InterfaceProfiles/sdwan” parameter on a firewall device.

35. Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)
    - Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre shared key.
    - Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.
    - Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”
    - Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one or more “Rounds.”

36. An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction. Which additional configuration task is required to resolve this issue?
    - Create a transit VSYS and route all inter-VSYS traffic through it.
    - Add each VSYS to the list of visible virtual systems of the other VSYS.
    - Enable the “allow inter-VSYS traffic” option in both external zone configurations.
    - Create Security policies to allow the traffic between the two external zones.

37. Without performing a context switch, which set of operations can be performed that will affect the operation of a connected firewall on the Panorama GUI?
    - Restarting the local firewall, running a packet capture, accessing the firewall CLI.
    - Modification of local security rules, modification of a Layer 3 interface, modification of the firewall device hostname.
    - Modification of pre-security rules, modification of a virtual router, modification of an IKE Gateway Network Profile.
    - Modification of post NAT rules, creation of new views on the local firewall ACC tab, creation of local custom reports.

38. Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?
    - Traffic, User-ID, URL.
    - Traffic, threat, data filtering, User-ID.
    - GlobalProtect, traffic, application statistics.
    - Threat, GlobalProtect, application statistics, WildFire submissions.

39. An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized. What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?
    - Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
    - Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
    - Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
    - Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

40. Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)
    - It is associated with an interface within a VSYS of a firewall.
    - It is a security object associated with a specific virtual router of a VSYS.
    - It is not associated with an interface; it is associated with a VSYS itself.
    - It is a security object associated with a specific VSYS.

41. Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?
    - Isolated.
    - Transient.
    - External.
    - Internal.

42. A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region’s firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements. Which approach achieves this segmentation of identity data?
    - Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
    - Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
    - Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
    - Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

43. An engineer is implementing a new rollout of SAML for administrator authentication across a company’s Palo Alto Networks NGFWs. User authentication on company firewalls is currently performed with RADIUS, which will remain available for six months, until it is decommissioned. The company wants both authentication types to be running in parallel during the transition to SAML. Which two actions meet the criteria? (Choose two.)
    - Create a testing and rollback plan for the transition from Radius to SAML, as the two authentication profiles cannot be run in tandem.
    - Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem.
    - Create and apply an authentication profile with the “SAML Identity Provider” Server Profile.
    - Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile.

44. An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy. Which approach ensures continuous, secure connectivity and consistent policy enforcement?
    - Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
    - Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
    - Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
    - Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.

45. Which statement applies to Log Collector Groups?
    - Log redundancy is available only if each Log Collector has the same amount of total disk storage.
    - Enabling redundancy increases the log processing traffic in a Collector Group by 50%.
    - In any single Collector Group, all the Log Collectors must run on the same Panorama model.
    - The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.

46. Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?
    - HA, Virtual Wire, and Layer 2.
    - Tap, Virtual Wire, and Layer 3.
    - Virtual Wire, Layer 2, and Layer 3.
    - HA, Layer 2, and Layer 3.

47. Which CLI command is used to configure the management interface as a DHCP client?
    - set network dhcp interface management
    - set network dhcp type management-interface
    - set device config system type dhcp-client
    - set deviceconfig management type dhcp-client

48. Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?
    - Import the new subordinate CA certificate into the trust stores of all client devices.
    - Set the subordinate CA certificate as the default routing certificate for all network traffic.
    - Configure the subordinate CA to issue certificates with indefinite validity periods.
    - Disable all existing SSL decryption rules until the new certificate is fully propagated.

49. What are the phases of the Palo Alto Networks AI Runtime Security: Network Intercept solution?
    - Scanning, Isolation, Whitelisting, Logging.
    - Discovery, Deployment, Detection, Prevention.
    - Policy Generation, Discovery, Enforcement, Logging.
    - Profiling, Policy Generation, Enforcement, Reporting.

50. What is the purpose of assigning an Admin Role Profile to a user in a Palo Alto Networks NGFW?
    - Allow access to all resources without restrictions.
    - Enable multi-factor authentication (MFA) for administrator access.
    - Define granular permissions for management tasks.
    - Restrict access to sensitive report data.




