Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Network Security Administrator NGFW-Engineer Paloalto Networks Study Notes

Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Question 33

A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.

Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?

Options:

A.

Define the local and remote subnets provided by the partner in the Proxy ID settings.

B.

Create individual Security policies for each pair of local and remote subnets.

C.

Assign a specific IP address to the tunnel interface to match the Check Point gateway.

D.

Enable Dead Peer Detection (DPD) in the IKE Gateway configuration.

Question 34

Which two zone types are valid when configuring a new security zone? (Choose two.)

Options:

A.

Tunnel

B.

Intrazone

C.

Internal

D.

Virtual Wire

Question 35

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

Options:

A.

X-Forwarded-For (XFF) headers

B.

Server monitoring

C.

GlobalProtect

D.

Authentication Portal

Question 36

A network security engineer wants to create Security policy rules that allow or deny traffic based on a user's department, which corresponds to groups in the company's Active Directory. To achieve this, the firewall needs to retrieve group information from the directory server.

Which configuration object must be created first to establish the connection with the Active Directory server?

Options:

A.

LDAP server profile

B.

User-ID agent service account

C.

Authentication sequence

D.

Kerberos server profile