Demo Palo alto Networks NGFW-Engineer Exam Questions

Demo practice questions for guest users.

Section: Practice Mode 8 Questions

Demo Practice

Back To Exam

Question 1

An administrator is configuring a site-to-site IPSec VPN and assigns an IP address to the tunnel interface.
Which two abilities are enabled by this specific configuration step? (Choose two.)

A

Configuring tunnel monitoring to verify the liveliness of the connection.

B

Firewall performing NAT traversal.

C

Running a dynamic routing protocol like OSPF over the tunnel.

D

Firewall encrypting and decrypting packet payloads.

Correct Answer: A, C

Explanation:

Basic Concept: A tunnel interface IP address enables Layer 3 functions that require the firewall to source or receive traffic over the tunnel itself.
Why A and C are Correct: Tunnel monitoring and dynamic routing require an IP address on the tunnel interface; encryption and NAT traversal do not depend on that address.
Why B is Wrong: Firewall performing NAT traversal. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Why D is Wrong: Firewall encrypting and decrypting packet payloads. relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Question 2

When considering the various methods for User-ID to learn user-to-IP address mappings, which source is considered the most accurate due to the mapping being explicitly created through an authentication event directly with the firewall?

A

X-Forwarded-For (XFF) headers

B

Server monitoring

C

GlobalProtect

D

Authentication Portal

Correct Answer: D

Explanation:

Basic Concept: Authentication Portal creates User-ID mappings from a direct user authentication event on the firewall, making it more explicit than mappings inferred from server logs.
Why D is Correct: Authentication Portal is correct because the firewall itself validates the user and records the source IP mapping.
Why A is Wrong: X-Forwarded-For (XFF) headers is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.
Why B is Wrong: Server monitoring is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.
Why C is Wrong: Global Protect is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

‹
1
2
3

Demo Practice Mode

You are viewing only the questions marked as Demo.