Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

NGFW-Engineer Exam Dumps - Paloalto Networks Network Security Administrator Questions and Answers

Question # 24

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.

Which configuration in CIE supports this requirement with highest operational efficiency?

Options:

A.

Configure a CIE tenant, connect Okta, and create segments.

B.

Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

C.

Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.

D.

Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.

Buy Now
Question # 25

When multiple routes have the same destination prefix, which attribute does the firewall use first to determine route preference?

Options:

A.

Administrative distance

B.

Route metric

C.

Next-hop availability

D.

Longest prefix match

Buy Now
Question # 26

An organization's Security policy states that for all outbound web traffic, the TCP session to the external web server must be established by the firewall, not the user's workstation. This requires configuring user web browsers to point to the firewall. Authentication is also required.

Which solution on a PA-Series firewall meets these specific needs?

Options:

A.

Transparent proxy

B.

Explicit proxy

C.

GlobalProtect with User-ID

D.

Decryption policy with Authentication Portal

Buy Now
Question # 27

A cloud security team wants to extend its existing Palo Alto Networks Security policies into the organization's Kubernetes environments. The team requires an NGFW solution that can be deployed natively as a container and managed by Panorama.

Which firewall form factor meets these requirements?

Options:

A.

Cloud NGFW

B.

PA-5400 Series

C.

VM-Series

D.

CN-Series

Buy Now
Question # 28

A firewall administrator uses Panorama to manage a fleet of firewalls. After successfully onboarding the firewalls to Strata Logging Service and enabling cloud logging via a template, the security operations team reports that they can no longer see new logs on the on-premises Panorama log collectors. Logs are appearing correctly in Strata Logging Service.

Which setting was likely missed in the Panorama template configuration?

Options:

A.

The device certificates for the Panorama log collectors were not renewed after enabling the cloud logging connection.

B.

Duplicate logging (cloud and on-premises) is disabled under Device -- > Setup -- > Management.

C.

The Log Forwarding profile was modified to send logs only to the Strata Logging Service and no longer includes the on-premises Panorama log collectors.

D.

The Panorama log collectors were not defined as primary destinations within the collector group configuration for the managed firewalls.

Buy Now
Question # 29

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

Options:

A.

For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

B.

The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

C.

For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

D.

The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Buy Now
Question # 30

An organization is migrating its GlobalProtect user authentication from an existing LDAP directory to a new Kerberos server. To ensure a smooth transition, the network security team needs to allow users from both directories to authenticate for a period of 90 days. The firewall should first attempt authentication against the new Kerberos server and then fall back to the legacy LDAP server if the initial attempt fails.

Which two configurations are required to implement this authentication fallback strategy? (Choose two.)

Options:

A.

Configure a new RADIUS proxy on the firewall to handle authentication requests for both Kerberos and LDAP.

B.

Implement a User-ID Group Mapping policy to link users between the LDAP and Kerberos directories.

C.

Configure an authentication sequence that lists the Kerberos authentication profile first, followed by the LDAP authentication profile.

D.

Configure a new authentication profile that references the Kerberos server profile.

Buy Now
Question # 31

A security administrator is creating a new custom report to get a consolidated view of network events and needs to select a database to query for the report data.

Which valid set of databases is available for the task?

Options:

A.

Threat, URL Filtering, WildFire Submissions, GlobalProtect

B.

Traffic, User-ID, Application Statistics, HIP Match

C.

Data Filtering, IP-Tag, User-ID, Endpoint Security

D.

System, Config, Authentication, Session Flow

Buy Now
Question # 32

An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.

Which GlobalProtect portal setting should be configured to resolve this issue?

Options:

A.

Split tunneling for DNS and specify the internal corporate domains in the "Domain" list

B.

DNS Proxy feature on the firewall to point clients to the gateway IP for DNS

C.

"DNS Forwarding" option on the gateway's tunnel interface

D.

NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers

Buy Now
Question # 33

According to dynamic updates best practices, what is the recommended threshold value for content updates in a mission- critical network?

Options:

A.

8 hours

B.

16 hours

C.

32 hours

D.

48 hours

Buy Now
Exam Code: NGFW-Engineer
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jul 6, 2026
Questions: 125
NGFW-Engineer pdf

NGFW-Engineer PDF

$25.5  $84.99
NGFW-Engineer Engine

NGFW-Engineer Testing Engine

$28.5  $94.99
NGFW-Engineer PDF + Engine

NGFW-Engineer PDF + Testing Engine

$40.5  $134.99