Online Access Free NGFW-Engineer Practice Test

Which type of firewall resource can be assigned when configuring a new firewall virtual system (VSYS)?

• A.CPU
• B.Memory
• C.Sessions limit
• D.Security profile limit

An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.
* The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.
* The Azure environment uses a Virtual WAN (vWAN) hub.
Which two actions are the most appropriate in this use case? (Choose two.)

• A.Deploy Cloud NGFW endpoints in every application virtual private cloud (VPC), ignoring the TGW.
• B.Deploy individual VM-Series firewalls in each spoke virtual network (VNet) and manage them as a device group in Panorama.
• C.Deploy Cloud NGFW endpoints into a security virtual private cloud (VPC), and adjust the TGW route tables to inspect traffic flowing though the hub.
• D.Deploy Cloud NGFW into the vWAN hub as a trusted security partner, and update routing policies to secure traffic.

A large organization has separate production and development environments, each with its own set of firewalls managed by Panorama. The organization uses Cloud Identity Engine (CIE) to consolidate user identities from Active Directory (AD) and Okta.
A security mandate requires that development firewalls must only learn about "DEV" and "QA" user groups, while production firewalls should only see "Prod" user groups.
How can an administrator enforce this separation using CIE with minimal complexity?

• A.Redistribute all user and group information to all firewalls and use Panorama Device Group hierarchy to apply different Group Mapping profiles.
• B.Create two segments, one with only "DEV" and "QA" groups, and one with "Prod" groups Redistribute each segment to the corresponding group of firewalls.
• C.Configure two separate CIE instances, one for production and the other for development. Sync each instance to both AD and Okta.
• D.Create filters using CLI commands to filter "Prod," "DEV," and "QA" groups.

An administrator is configuring firewalls via a Panorama template to forward logs to a newly provisioned Strata Logging Service instance. The operational requirement is to maintain existing logging to on-premises Panorama log collectors for immediate, low-latency queries while also forwarding logs to Strata Logging Service for long-term archival. The administrator has already configured and enabled cloud logging connectivity.
Which additional step is necessary to meet the operational requirement?

• A.In the collector group settings, add the Strata Logging Service as a secondary destination for the on- premises collector.
• B.Enable duplicate logging (cloud and on-premises) under Device - > Setup - > Management in the appropriate templates.
• C.Enable log syncing and commit the template changes to both the on-premises and cloud collectors.
• D.Add the Panorama log collector and Strata Logging Service IP addresses to the cloud logging service routes to ensure dual-path cloud and on-premises reachability.

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

• A.Server monitoring
• B.Authentication Portal
• C.GlobalProtect
• D.X-Forwarded-For (XFF) headers