Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Pass NGFW-Engineer Exam Guide

Palo Alto Networks Next-Generation Firewall Engineer Questions and Answers

Question 17

When deploying Palo Alto Networks NGFWs in a cloud service provider (CSP) environment, which method ensures high availability (HA) across multiple availability zones?

Options:

A.

Deploying Ansible scripts for zone-specific scaling

B.

Implementing Terraform templates for redundancy within one availability zone

C.

Using load balancer and health probes

D.

Configuring active/active HA

Question 18

What is the requirement for interface link speeds when configuring a virtual wire on a Palo Alto Networks firewall?

Options:

A.

They must be configured with auto-negotiate settings regardless of the port type.

B.

They must all be either copper or fiber optic, however they can be different.

C.

They must have the same link speed and transmission mode.

D.

They must be the same media type.

Question 19

A DevOps team is building a repeatable process for deploying new Palo Alto Networks VM-Series firewalls. The entire infrastructure, including virtual networks, subnets, and the firewalls themselves, must be defined in code to ensure consistency and enable version control.

Which tool is primarily used for this type of declarative Infrastructure as Code (IaC) provisioning?

Options:

A.

Terraform

B.

Azure DevOps

C.

Ansible

D.

Panorama

Question 20

An engineer is configuring a site-to-site IPSec VPN to a partner network. The IKE Gateway and IPSec tunnel configurations are complete, and the tunnel interface has been assigned to a security zone. However, the tunnel fails to establish, and no application traffic passes through it once it is up.

Which two Security policy configurations are required to allow tunnel establishment and data traffic flow in this scenario? (Choose two.)

Options:

A.

A security rule is needed to allow IKE and IPSec traffic between the zone where the physical interface resides and the zone of the partner gateway.

B.

A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface.

C.

Security rules must be configured to permit application traffic from the local zone to the tunnel zone, and from the tunnel zone to the local zone.

D.

An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic.