Summer Certification Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Free Practice Questions for the Paloalto Networks Network Security Administrator NGFW-Engineer Exam (2026 Updated)

At Marks4sure, we are dedicated to providing IT professionals with the most accurate and reliable preparation materials for the Paloalto Networks NGFW-Engineer exam. To support your certification journey, we have made a selection of our premium 2026 Network Security Administrator practice questions and answers available completely free. You can take this practice test as many times as you need. Every question includes a detailed, expertly verified explanation to ensure you fully grasp the core security concepts before test day.

Questions 4

An engineer is configuring a GlobalProtect portal and wants to enable split tunneling. The requirement is to route DNS queries for "https://www.google.com/search?q=corp.internal.com" to the DNS servers assigned by the VPN, while allowing all other DNS queries to be resolved by the client's locally configured DNS.

What is the effect of configuring this split DNS policy?

Options:

A.

It provides selective DNS resolution, with specified domains resolved through the tunnel, optimizing performance for other lookups.

B.

It blocks access to all domains that are not explicitly listed in the split tunnel configuration.

C.

It forces all applications to use the corporate DNS servers, regardless of the split tunnel settings for IP traffic.

D.

It creates a DNS proxy on the client endpoint that forwards all queries to the firewall for inspection.

Buy Now
Questions 5

An automation engineer is developing a Python script to standardize SD-WAN deployments across multiple customer tenants in Panorama. A key requirement is to programmatically create path quality profiles to monitor link performance based on latency, jitter, and packet loss.

Which API call is required for this task?

Options:

A.

XML API command with an xpath of config/devices/entry/vsys/entry/path-quality-profiles on Panorama

B.

XML API command with an xpath of sdwan/path-quality-profiles on a managed firewall

C.

POST request to the SDWanPathQualityProfiles object endpoint via the REST API on Panorama

D.

POST request to the pathMonitoringProfiles object endpoint via the REST API on a managed firewall

Buy Now

NGFW-Engineer Report Card

Questions 6

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility.

Which approach meets these requirements?

Options:

A.

Install standalone CN-Series instances in each cluster with local configuration only. Export daily policy configuration snapshots to Panorama for recordkeeping, but do not unify policy enforcement.

B.

Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies for on-premises cluster security. Synchronize partial policy information into Panorama manually as needed.

C.

Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster, ensuring local insertion into the service mesh or CNI. Manage all CN-Series firewalls centrally from Panorama, applying uniform Security policies across on-premises and cloud clusters.

D.

Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters, connecting remote clusters via VPN or peering. Manage this single instance through Panorama.

Buy Now
Questions 7

What are two valid zone types that can be selected from the zone configuration menu, per Palo Alto Networks best practices? (Choose two.)

Options:

A.

Layer 3

B.

Layer 2

C.

Management

D.

DMZ

Buy Now
Questions 8

Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

Options:

A.

It is associated with an interface within a VSYS of a firewall.

B.

It is a security object associated with a specific virtual router of a VSYS.

C.

It is not associated with an interface; it is associated with a VSYS itself.

D.

It is a security object associated with a specific VSYS.

Buy Now
Questions 9

Which networking technology can be configured on Layer 3 interfaces but not on Layer 2 interfaces?

Options:

A.

DDNS

B.

Link Duplex

C.

NetFlow

D.

LLDP

Buy Now
Questions 10

A PA-Series firewall with all licensable features is being installed. The customer’s Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.

Which action meets the requirements in this scenario?

Options:

A.

Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).

B.

Deploy the Next-Generation Firewalls as normal and install the User-ID agent.

C.

Deploy the Advanced URL Filtering license and captive portal.

D.

Deploy the explicit proxy with Kerberos authentication scheme.

Buy Now
Questions 11

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

Options:

A.

License

B.

Plugin

C.

Content update

D.

General setting

Buy Now
Questions 12

An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.

Which additional configuration task is required to resolve this issue?

Options:

A.

Create a transit VSYS and route all inter-VSYS traffic through it.

B.

Add each VSYS to the list of visible virtual systems of the other VSYS.

C.

Enable the “allow inter-VSYS traffic” option in both external zone configurations.

D.

Create Security policies to allow the traffic between the two external zones.

Buy Now
Questions 13

Which two services are configured by applying an SSL/TLS service profile? (Choose two.)

Options:

A.

Global Protect portal

B.

Log forwarding to Strata Logging Service

C.

Forward-Trust certificate

D.

Syslog server monitoring

Buy Now
Questions 14

An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.

Which two abilities are enabled by this specific configuration step? (Choose two.)

Options:

A.

Configuring tunnel monitoring to verify the liveliness of the connection.

B.

Firewall performing NAT traversal.

C.

Running a dynamic routing protocol like OSPF over the tunnel.

D.

Firewall encrypting and decrypting packet payloads.

Buy Now
Questions 15

An administrator is designing a public key infrastructure (PKI) integration for a large-scale deployment with thousands of users authenticating via client certificates. A key design goal is to ensure that certificate revocation status is checked efficiently with minimal impact on firewall performance and minimal delay for the connecting user.

What is the primary advantage of using the Online Certificate Status Protocol (OCSP) instead of certificate revocation lists (CRLs) in this scenario?

Options:

A.

OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management.

B.

OCSP provides real-time status for a certificate on demand, is more scalable, and uses less firewall memory.

C.

OCSP is an older, more widely supported protocol than CRLs. ensuring compatibility with all client devices.

D.

OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall.

Buy Now
Questions 16

A network administrator is hardening a new Palo Alto Networks firewall and wants to ensure that all firewall-generated management traffic, such as calls to Strata Logging Service, uses a dedicated in-band data port instead of the out-of-band management port.

Which configuration setting should the administrator modify to reroute this type of traffic?

Options:

A.

Service route

B.

Interface Management profile

C.

Virtual router

D.

Static route

Buy Now
Questions 17

Which two actions in the IKE Gateways will allow implementation of post-quantum cryptography when building VPNs between multiple Palo Alto Networks NGFWs? (Choose two.)

Options:

A.

Select IKE v2, enable the Advanced Options PQ PPK, then set a 64+ character string for the post-quantum pre shared key.

B.

Ensure Authentication is set to “certificate,” then import a post-quantum derived certificate.

C.

Select IKE v2 Preferred, enable the Advanced Options PQ KEM, then add one or more “Rounds.”

D.

Select IKE v2, enable the Advanced Options PQ KEM, then create an IKE Crypto Profile with Advanced Options adding one

or more “Rounds.”

Buy Now
Questions 18

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

Options:

A.

X-Forwarded-For (XFF) headers

B.

Server monitoring

C.

GlobalProtect

D.

Authentication Portal

Buy Now
Questions 19

An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.

Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?

Options:

A.

Certificate revocation checking

B.

SSL/TLS service profile

C.

Decryption profile

D.

Forward trust certificate

Buy Now
Questions 20

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations’ firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.

Which configuration in CIE supports this requirement with highest operational efficiency?

Options:

A.

Configure a CIE tenant, connect Okta, and create segments.

B.

Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

C.

Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.

D.

Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.

Buy Now
Questions 21

When an engineer creates a new VSYS on a supported firewall platform, which resource can be explicitly limited in the VSYS configuration to control its capacity?

Options:

A.

Dedicated data plane memory

B.

Maximum number of admin accounts

C.

Maximum number of log entries

D.

Maximum number of NAT rules

Buy Now
Questions 22

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

Options:

A.

NAT tables

B.

User Authentication

C.

GlobalProtect Gateways

D.

GlobalProtect Portal

Buy Now
Questions 23

Which statement applies to Log Collector Groups?

Options:

A.

Log redundancy is available only if each Log Collector has the same amount of total disk storage.

B.

Enabling redundancy increases the log processing traffic in a Collector Group by 50%.

C.

In any single Collector Group, all the Log Collectors must run on the same Panorama model.

D.

The maximum number of Log Collectors in a Log Collector Group is 18 plus two hot spares.

Buy Now
Questions 24

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console without using the Context Switch feature.

Which set of tasks can the administrator fully execute from the Panorama UI?

Options:

A.

Edit a post-rule.

Create a new certificate profile.

Configure the firewall's hostname.

B.

Download and install a new content update.

View current firewall session details.

Initiate a device reboot.

C.

Create a new zone.

Configure a new virtual router.

View the local ACC on the firewall.

D.

Modify the IP address of a Layer 3 interface.

Configure a new local administrator account.

Edit a pre-rule.

Buy Now
Questions 25

A security administrator is hardening the ingress zone of an NGFW. The goal is to prevent attacks that rely on malformed IP address packets with incorrect header lengths or invalid TCP packets that have both the SYN and FIN flags set.

Within which section of a Zone Protection profile should these protections be configured?

Options:

A.

Protocol Protection

B.

Packet-Based Attack Protection

C.

Reconnaissance Protection

D.

Flood Protection

Buy Now
Questions 26

An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other.

Which action taken by the engineer will resolve this issue?

Options:

A.

Configure each interface to belong to the same Layer 2 zone and enable IP routing between them.

B.

Assign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN.

C.

Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same

zone.

D.

Enable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN.

Buy Now
Questions 27

Which two Palo Alto Networks firewall services are secured by attaching an SSL/TLS service profile to their configuration? (Choose two.)

Options:

A.

Authentication portal

B.

GlobalProtect portal

C.

LDAP server profiles

D.

Prisma Access service connections

Buy Now
Questions 28

An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.

What is the recommended method to achieve this goal?

Options:

A.

Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.

B.

Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.

C.

Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.

D.

Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.

Buy Now
Questions 29

By default, which type of traffic is configured by service route configuration to use the management interface?

Options:

A.

Security zone

B.

IPSec tunnel

C.

Virtual system (VSYS)

D.

Autonomous Digital Experience Manager (ADEM)

Buy Now
Questions 30

What is a result of enabling split tunneling in the GlobalProtect portal configuration with the “Both Network Traffic and DNS” option?

Options:

A.

It specifies when the secondary DNS server is used for resolution to allow access to specific domains that are not managed by the VPN.

B.

It allows users to access internal resources when connected locally and external resources when connected remotely using the same FQDN.

C.

It allows devices on a local network to access blocked websites by changing which DNS server resolves certain domain names.

D.

It specifies which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.

Buy Now
Questions 31

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic, however they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Buy Now
Questions 32

What is a valid configurable limit for setting resource quotas when defining a new VSYS on a Palo Alto Networks firewall?

Options:

A.

Percentage of total CPU utilization

B.

Maximum number of SSL decryption rules

C.

Maximum number of virtual routers

D.

Disk space allocation for logs

Buy Now
Questions 33

When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

Options:

A.

Flood Protection

B.

Protocol Protection

C.

Packet-Based Attack Protection

D.

Reconnaissance Protection

Buy Now
Questions 34

Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?

Options:

A.

CPU

B.

Sessions limit

C.

Memory

D.

Security profile limit

Buy Now
Questions 35

An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites.

What is the most likely cause of these widespread certificate errors?

Options:

A.

The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the connection.

B.

The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a specific license.

C.

The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.

D.

The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client endpoints.

Buy Now
Questions 36

In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

Options:

A.

To forward packets to the HA peer during session setup and asymmetric traffic flow

B.

To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information

C.

To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair

D.

To perform session cache synchronization among all HA peers having the same cluster ID

Buy Now
Questions 37

In a hybrid cloud deployment, what is the primary function of Ansible in managing Palo Alto Networks NGFWs?

Options:

A.

It provides a web interface for managing NGFW hardware clusters.

B.

It enables centralized log collection and correlation for NGFWs.

C.

It facilitates dynamic updates to NGFW threat databases.

D.

It automates NGFW policy updates and configurations through playbooks.

Buy Now
Exam Code: NGFW-Engineer
Exam Name: Palo Alto Networks Next-Generation Firewall Engineer
Last Update: Jul 3, 2026
Questions: 125

PDF + Testing Engine

$64.99   $185.69

Testing Engine

$49.99   $142.83

PDF (Q&A)

$54.99   $157.11