Palo Alto Networks Certified Next-Generation Firewall Engineer

Here you have the best Palo Alto Networks NGFW-Engineer practice exam questions

You have 50 total questions to study from
Each page has 5 questions, making a total of 10 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 25, 2025
This site is not affiliated with or endorsed by Palo Alto Networks.

Question 1 of 50

To maintain security efficacy of its public cloud resources by using native tools, a company purchases Cloud NGFW credits to replicate the Panorama, PA-Series, and VM-Series devices used in physical data centers. Resources exist on AWS and Azure:
The AWS deployment is architected with AWS Transit Gateway, to which all resources connect
The Azure deployment is architected with each application independently routing traffic
The engineer deploying Cloud NGFW in these two cloud environments must account for the following:
Minimize changes to the two cloud environments
Scale to the demands of the applications while using the least amount of compute resources
Allow the company to unify the Security policies across all protected areas
Which two implementations will meet these requirements? (Choose two.)

Deploy a VM-Series firewall in AWS in each VPC, create an IPSec tunnel between AWS and Azure, and manage the policy with Panorama.

Deploy Cloud NGFW for Azure in vNET/s, update the vNET/s routing to path traffic through the deployed NGFWs, and manage the policy with Panorama.

Deploy Cloud NGFW for Azure in vWAN, create a vWAN to route all appropriate traffic to the Cloud NGFW attached to the vWAN, and manage the policy with local rules.

Deploy Cloud NGFW for AWS in a centralized Security VPC, update the Transit Gateway to route all appropriate traffic through the Security VPC, and manage the policy with Panorama.

Correct Answer: B, D

Question 2 of 50

During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.
Which firewall models support this configuration?

PA-5280, PA-7080, PA-3250, VM-Series

PA-455, VM-Series, PA-1410, PA-5450

PA-3260, PA-5410, PA-850, PA-460

PA-7050, PA-1420, VM-Series, CN-Series

Correct Answer: A

Question 3 of 50

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two.)

For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.

The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.

For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.

The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.

Correct Answer: C, D

Question 4 of 50

Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?

It acts as a logging service for NGFW performance metrics.

It orchestrates real-time traffic inspection for network segments.

It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.

It manages threat intelligence data synchronization with NGFWs.

Correct Answer: C

Question 5 of 50

By default, which type of traffic is configured by service route configuration to use the management interface?

Security zone

IPSec tunnel

Virtual system (VSYS)

Autonomous Digital Experience Manager (ADEM)

Correct Answer: D