Palo Alto Networks Next-Generation Firewall Engineer Exam Questions with Correct Answers & Explanations | Graded A+ Study Guide
Q1. A packet enters a Palo Alto Networks firewall. In which order are security functions applied to the packet?
✅ C. Security policy lookup (App-ID, User-ID, Content-ID) → Decryption → Forwarding
Rationale: The packet flow sequence on a Palo Alto firewall is: Ingress interface → Security policy lookup (including App-ID, User-ID, and Content-ID) → Decryption (if applicable) → Forwarding to egress interface. This "single-pass" architecture is fundamental to Palo Alto's performance.
Q2. Which plane is responsible for processing control plane traffic such as BGP, OSPF, and management sessions?
✅ B. Management Plane
Rationale: The Management Plane handles control functions, management sessions (SSH, HTTPS), and dynamic routing protocols. The Data Plane processes user traffic through security policies.
Q3. Which configuration must be made on the firewall before it can read User-ID-to-IP-address mapping tables from an external source?
✅ D. User-ID Agents
Rationale: The firewall must have User-ID Agents configured to receive mapping information from directory services (Active Directory, LDAP). Group Mapping Settings are for group membership; Server Monitoring is for server availability.
Q4. An administrator creates a Security policy rule that allows office-on-demand traffic. The firewall issues a warning: "Application 'office-on-demand' requires 'ms-office365-base', 'sharepoint-online', 'ssl', and 'web-browsing' be allowed." What should the administrator do?
✅ C. Create an application group that includes office-on-demand and its dependent applications
Rationale: Some applications depend on underlying protocols (e.g., SSL, web-browsing) or core services. The best practice is to create an application group containing the primary application and its dependencies to ensure proper traffic flow.
Q5. In an Active/Passive high availability pair, what happens when an IPsec tunnel security association (SA) is established on the active firewall?
✅ A. Phase 2 SAs are synchronized over HA2 links
Rationale: In Active/Passive HA pairs, Phase 2 SAs are synchronized via the HA2 data link. Phase 1 SAs are NOT synchronized; they must be re-established on failover.
Q6. Which firewall mode provides transparent inspection of network traffic without requiring IP address changes?
✅ C. Virtual Wire (vwire) mode
Rationale: Virtual Wire mode connects two interfaces without requiring IP addressing, allowing the firewall to be inserted into any network segment transparently while still applying all security policies.
Q7. A company requires inspection of every connection between two internal computers in an environment without a DHCP server. How should traffic be forwarded between those internal computers?