Online Access Free NGFW-Engineer Exam Questions

In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

• A.To perform session cache synchronization among all HA peers having the same cluster ID
• B.To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information
• C.To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair
• D.To forward packets to the HA peer during session setup and asymmetric traffic flow

Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

• A.GlobalProtect, traffic, application statistics
• B.Threat, GlobalProtect, application statistics, WildFire submissions
• C.Traffic, threat, data filtering, User-ID
• D.Traffic, User-ID, URL

An administrator plans to upgrade a pair of active/passive firewalls to a new PAN-OS release. The environment is highly sensitive, and downtime must be minimized.
What is the recommended upgrade process for minimal disruption in this high availability (HA) scenario?

• A.Isolate both firewalls from the production environment and upgrade them in a separate, offline setup. Reconnect them only after validating the new software version, resuming HA functionality once both units are fully upgraded and tested.
• B.Shut down the currently active firewall and upgrade it offline, allowing the passive firewall to handle all traffic. Once the active firewall finishes upgrading, bring it back online and rejoin the HA cluster. Finally, upgrade the passive firewall while the newly upgraded unit remains active.
• C.Suspend the active firewall to trigger a failover to the passive firewall. With traffic now running on the former passive unit, upgrade the suspended (now passive) firewall and confirm proper operation. Then fail traffic back and upgrade the remaining firewall.
• D.Push the new PAN-OS version simultaneously to both firewalls, having them upgrade and reboot in parallel. Rely on automated HA reconvergence to restore normal operations without manually failing over traffic.

Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?

• A.Virtual Wire, Layer 2, and Layer 3
• B.HA, Layer 2. and Layer 3
• C.Tap, Virtual Wire, and Layer 3
• D.HA, Virtual Wire, and Layer 2

Which configuration step is required when implementing a new self-signed root certificate authority (CA) certificate for SSL decryption on a Palo Alto Networks firewall?

• A.Configure the subordinate CA to issue certificates with indefinite validity periods.
• B.Import the new subordinate CA certificate into the trust stores of all client devices.
• C.Set the subordinate CA certificate as the default routing certificate for all network traffic.
• D.Disable all existing SSL decryption rules until the new certificate is fully propagated.