Online Access Free NGFW-Engineer Exam Questions

Which CLI command is used to configure the management interface as a DHCP client?

• A.set deviceconfig management type dhcp-client
• B.set network dhcp interface management
• C.set deviceconfig system type dhcp-client
• D.set network dhcp type management-interface

In regard to the Advanced Routing Engine (ARE), what must be enabled first when configuring a logical router on a PAN-OS firewall?

• A.General setting
• B.License
• C.Content update
• D.Plugin

During an upgrade to the routing infrastructure in a customer environment, the network administrator wants to implement Advanced Routing Engine (ARE) on a Palo Alto Networks firewall.
Which firewall models support this configuration?

• A.PA-455, VM-Series, PA-1410, PA-5450
• B.PA-3260, PA-5410, PA-850, PA-460
• C.PA-5280, PA-7080, PA-3250, VM-Series
• D.PA-7050, PA-1420, VM-Series, CN-Series

What is the purpose of assigning an Admin Role Profile to a user in a Palo Alto Networks NGFW?

• A.Enable multi-factor authentication (MFA) for administrator access.
• B.Restrict access to sensitive report data.
• C.Define granular permissions for management tasks.
• D.Allow access to all resources without restrictions.

A large enterprise wants to implement certificate-based authentication for both users and devices, using an on-premises Microsoft Active Directory Certificate Services (AD CS) hierarchy as the primary certificate authority (CA). The enterprise also requires Online Certificate Status Protocol (OCSP) checks to ensure efficient revocation status updates and reduce the overhead on its NGFWs. The environment includes multiple Active Directory forests, Panorama management for several geographically dispersed firewalls, GlobalProtect portals and gateways needing distinct certificate profiles for users and devices, and strict Security policies demanding frequent revocation checks with minimal latency.
Which approach best addresses these requirements while maintaining consistent policy enforcement?

• A.Distribute the root and intermediate CA certificates via Panorama as shared objects to ensure all firewalls have a consistent trust chain. Configure OCSP responder profiles on each firewall to offload revocation checks to an internal OCSP server while keeping CRL checks as a fallback. Maintain separate certificate profiles for user and device authentication and use an automated enrollment method - such as Group Policy or SCEP - to deploy certificates to endpoints.
• B.Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall's local certificate store for authentication.
• C.Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency.
• D.Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CA. Turn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices.