Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Question 13

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements.

Which approach achieves this segmentation of identity data?

Options:

A. Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.

B. Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region's firewalls, maintaining a strict one-to-one mapping of tenant to business unit.

C. Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).

D. Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.

Question 14

An administrator is configuring dynamic updates on a Palo Alto Networks firewall that protects a hospital's patient record system. The primary concern is ensuring maximum stability and avoiding any service disruption from a potentially problematic content update.

To align with Palo Alto Networks best practices for such environments, which threshold should the administrator set for content updates?

Options:

A. 0 hours

B. 12 hours

C. 24 hours

D. 48 hours

Question 15

A network engineer observes that after a primary link recovers, the firewall immediately switches traffic back from the backup static route to the primary static route. The engineer checks the path monitoring configuration for the primary route.

Which value is configured for the preemptive hold time to cause this behavior?

Options:

A. Lowest possible value greater than 0

B. 0

C. Default value

D. Feature disabled

Question 16

An engineer is required to configure a site-to-site VPN that will automatically fail over to a backup link if the primary tunnel goes down. The engineer also needs to exchange routes dynamically between the sites.

Which two features necessitate assigning an IP address to the tunnel interface? (Choose two.)

Options:

A. Tunnel monitoring

B. Proxy ID configuration

C. IKEv2 protocol support

D. Dynamic routing