Paloalto Networks Updated NGFW-Engineer Exam Questions and Answers by cade

Basic Concept: Preemptive hold time controls how long PAN-OS waits before returning to the primary route after path recovery.

Why B is Correct: A value of 0 causes immediate failback when the monitored primary path comes up.

Why A is Wrong: Lowest possible value greater than 0 is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why C is Wrong: Default value is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Why D is Wrong: Feature disabled is a routing-related concept, but it is not the PAN-OS routing attribute, prerequisite, or route-selection behavior required by this question.

Basic Concept: Tunnel interface IP addresses are required for control functions carried over the tunnel, such as monitoring and dynamic routing adjacencies.

Why A and D are Correct: Tunnel monitoring and dynamic routing need an address on the tunnel interface; Proxy ID and IKEv2 support do not.

Why B is Wrong: Proxy ID configuration relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: IKEv2 protocol support relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Split tunnel access routes do not automatically control DNS resolution. Split DNS must specify which domains use VPN-assigned DNS servers.

Why A is Correct: Configuring split DNS with internal corporate domains sends those queries to corporate DNS while leaving public browsing DNS local.

Why B is Wrong: DNS Proxy feature on the firewall to point clients to the gateway IP for DNS relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why C is Wrong: "DNS Forwarding" option on the gateway's tunnel interface relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Why D is Wrong: NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.

Basic Concept: Explicit proxy makes the firewall the web proxy endpoint; users configure browsers to send web requests to the firewall, and the firewall creates the upstream server connection.

Why B is Correct: Explicit proxy is correct because it meets the requirement that the firewall, not the workstation, establishes outbound web sessions and enforces authentication.

Why A is Wrong: Transparent proxy is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why C is Wrong: GlobalProtect with User-ID is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.

Why D is Wrong: Decryption policy with Authentication Portal is a valid Palo Alto Networks or networking concept in another context, but it does not implement the exact configuration outcome required by this question.