Free Practice Questions for Paloalto Networks NGFW-Engineer Exam

Basic Concept: VSYS resource quotas can cap specific rule and object capacities. This prevents one virtual system from exhausting shared configuration capacity.

Why B is Correct: Maximum SSL decryption rules is a valid quota-style limit from the listed options.

Why A is Wrong: Percentage of total CPU utilization mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why C is Wrong: Maximum number of virtual routers mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Why D is Wrong: Disk space allocation for logs mentions a VSYS, zone, or routing concept, but it does not satisfy the specific external-zone, visibility, or resource-control requirement for this virtual system design.

Basic Concept: Inter-VSYS traffic that remains within the firewall uses external zones as logical source/destination zones for Security policy.

Why A is Correct: External is the correct zone type because the traffic crosses VSYS boundaries without using a physical interface.

Why B is Wrong: TAP is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Layer 3 is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: Layer 2 is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: SSL/TLS service profiles assign server certificates and TLS settings to firewall-hosted HTTPS services. Authentication Portal and GlobalProtect Gateway are services that present certificates to clients.

Why C and D are Correct: Authentication Portal and GlobalProtect Gateway require SSL/TLS service profiles when replacing default/self-signed certificates with enterprise CA certificates.

Why A is Wrong: User-ID agent redistribution is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why B is Wrong: RADIUS server authentication is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Basic Concept: GlobalProtect pre-logon uses machine identity before user login, while user logon can use SAML/MFA against a cloud IdP.

Why D is Correct: Certificate-based authentication for pre-logon plus SAML for user logon satisfies both endpoint management before login and MFA-protected user authentication.

Why A is Wrong: Cookies can reduce repeated prompts after authentication, but cookie-based authentication does not prove machine identity before user logon or provide cloud IdP MFA for user logon.

Why B is Wrong: SAML is user-centric and requires an interactive identity flow, so it is not appropriate for machine pre-logon before a user session exists.

Why C is Wrong: Kerberos can provide AD-based SSO, but a single Kerberos profile does not meet cloud IdP MFA and machine-certificate pre-logon requirements.

Basic Concept: Log Forwarding profiles specify where logs matching a profile are sent. Common forwarding destinations include Panorama, syslog, email, SNMP/HTTP variants depending on log type and version.

Why A is Correct: Panorama, syslog, and email are valid forwarding methods from the provided choices and represent standard internal and external log delivery destinations.

Why B is Wrong: Syslog, HTTP, NetFlow is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why C is Wrong: Panorama, ADEM, syslog is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Why D is Wrong: SNMP, HTTP, RADIUS is related to management or logging, but it does not provide the required Panorama operation, rule hierarchy behavior, or dual-log forwarding outcome.

Basic Concept: Administrator authentication migrations require careful rollback planning. SAML and RADIUS cannot simply be merged by adding server profiles to one authentication object as if they were the same method.

Why A and C are Correct: Creating a SAML authentication profile and maintaining a transition/rollback plan meets the migration requirement while RADIUS remains available during the staged cutover.

Why B is Wrong: Create an authentication sequence that includes both the “RADIUS” Server Profile and “SAML Identity Provider” Server Profile to run the two services in tandem. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Create and add the “SAML Identity Provider” Server Profile to the authentication profile for the “RADIUS” Server Profile. is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Basic Concept: Policy-based VPN peers require each encryption domain pair to be represented in Proxy ID selectors. Adding a subnet requires adding the matching selector.

Why C is Correct: The most likely cause is that the new local/remote subnet pair is missing from Proxy ID configuration even though route and Security policy are correct.

Why A is Wrong: A static route may be needed for route-based VPN reachability, but the scenario says routing is correct and only the newly added subnet pair fails.

Why B is Wrong: Moving the Security policy would matter if the traffic were matching the wrong rule, but the scenario states that Security policy is already correct.

Why D is Wrong: MTU problems usually affect packet size and fragmentation behavior, not only a newly added policy-based VPN subnet selector.

Basic Concept: Site-to-site VPN policy must allow both negotiation to the firewall endpoint and user/application traffic through the tunnel security zone.

Why A and C are Correct: One rule permits IKE/IPSec to the firewall/local endpoint, and tunnel-zone policies permit application traffic between local and remote zones.

Why B is Wrong: A single bidirectional security rule must be configured to manage traffic flowing through the tunnel interface. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: An Application Override policy is needed to allow both the IKE negotiation and the encapsulated data traffic. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: User- and group-based Security policy requires the firewall to retrieve group membership from a directory. The LDAP server profile defines how PAN-OS connects to that directory source.

Why D is Correct: The LDAP Server profile is required first because group mapping and user/group selection depend on a working LDAP connection to the directory.

Why A is Wrong: User Mapping profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why B is Wrong: Authentication profile is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: Group mapping settings is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.