50 Next-Generation Firewall Engineer Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Next-Generation Firewall Engineer certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Next-Generation Firewall Engineer
A firewall has an interface configured as a DHCP client. The interface receives an IP address but users behind the firewall cannot reach the internet. Which additional configuration is most likely required for outbound connectivity?
You want to publish an internal web server to the internet using destination NAT. Which pair of policies is required for the traffic to succeed (assuming routing is correct)?
A security team wants to ensure that all DNS traffic from users is filtered by the firewall and that users cannot bypass it by using external resolvers. Which configuration is the best practice approach?
In Panorama, you want to centrally manage objects and policies for multiple firewalls, but each site needs its own unique address objects for local subnets. Which design best supports this requirement?
After committing a configuration, new sessions to a SaaS application start failing. Existing sessions continue to work. The traffic log shows the application as "incomplete" and the session end reason is "policy-deny". Which is the most likely cause?
A company wants to automate the creation of address objects and corresponding security rules from an internal CMDB. Which approach aligns best with Palo Alto Networks best practices for automation?
Two firewalls are configured in an active/passive HA pair. During a failover test, the new active firewall becomes active, but users report intermittent connectivity for several minutes. Which setting most directly reduces disruption by ensuring the upstream switch updates its MAC address table quickly?
You manage dozens of branch firewalls from Panorama. Each branch requires unique interface IP addressing, but security policies should be identical across all branches. Which Panorama components should you primarily use for each requirement?
A firewall uses Policy-Based Forwarding (PBF) to send specific application traffic to an alternate ISP link. Users report that return traffic sometimes takes a different path, causing session drops. Which design change most directly addresses this issue?
You must deploy a new security rule to all branch firewalls, but each branch has a different set of local address objects with the same names (for example, "Branch-Users"). In Panorama, the shared rule must reference the correct local object at each branch. What is the best way to accomplish this?
An administrator creates a new Security policy rule but traffic that should match it is still hitting a more general rule below it. The new rule is configured correctly for zones and addresses. What is the MOST likely cause?
A firewall has two default routes with equal metrics pointing to different ISPs. The administrator wants the firewall to automatically prefer ISP1, but fail over to ISP2 only if ISP1 becomes unreachable. Which feature should be used?
A firewall is configured for certificate-based authentication to GlobalProtect. Users report that authentication fails because the client cannot validate the firewall’s certificate chain. What is the BEST fix on the firewall?
A company uses Panorama with Device Groups for policy. They want a set of shared security rules to apply to ALL firewalls, but also need to allow each Device Group to add more-specific rules that can override the shared ones when needed. Which Panorama design BEST meets this requirement?
After committing a template stack from Panorama, several firewalls show 'Out of Sync' for templates. Device Group policy is in sync. Which action is the BEST next step to identify what is different?
A security team wants to enrich firewall logs with user identity for an environment where most endpoints are not domain-joined. Which approach is MOST appropriate to reliably map IP addresses to users?
A firewall administrator uses a custom URL category 'finance-tools' and adds it to a URL Filtering profile. Users report that a newly added domain in that custom category is still being allowed, despite the profile set to block 'finance-tools'. What is the MOST likely reason?
A company wants to automate address object updates in the firewall based on IP lists from a vulnerability scanner, without committing configuration changes every time the list changes. Which feature BEST fits this requirement?
A firewall in a routed deployment has an inside interface in zone TRUST and an outside interface in zone UNTRUST. Users can browse the internet, but return traffic for some applications intermittently fails. The security policy looks correct and NAT is configured. Which misconfiguration is MOST likely to cause intermittent return traffic issues?
An organization uses Panorama to manage 50 firewalls. They need to allow a site-local administrator to override ONLY the NTP server settings on their firewall, while preventing overrides of all other template-managed settings. What is the BEST approach?
A firewall administrator wants to reduce the attack surface on an internet-facing interface by ensuring the management plane is not reachable from that network. Which configuration is the best practice?
A company uses Panorama templates and device groups. The administrator needs to push identical NTP and DNS settings to all firewalls, regardless of their policy differences. Where should these settings be configured in Panorama?
An engineer is troubleshooting why a newly added VLAN interface cannot route to a remote subnet. The VLAN interface has an IP address and is in the correct virtual router, but traffic still drops. Which single check is MOST likely to reveal the issue?
A firewall is integrated with an external Syslog server. The security team reports that only Traffic logs are arriving, but Threat logs are missing. Which configuration is the most likely cause?
A company wants to standardize policy so that a global "block known bad destinations" rule is enforced on all firewalls, and local teams can add site-specific rules but cannot override the global block. Which Panorama approach best meets this requirement?
A firewall has two internet links and uses static routes with different metrics for failover. After an ISP outage, users report slow recovery because sessions remain pinned to the failed path. Which feature best addresses faster path recovery for existing sessions?
A company wants to automate address object updates from their IPAM system. The IPAM system can call HTTPS endpoints and send JSON. Which built-in firewall capability is most appropriate to receive these updates without requiring an agent on the firewall?
An administrator configures a new Security policy rule to allow an internal application, but sessions are still denied. The logs show the traffic hits an earlier rule that matches the same source/destination zones and services. Which action is the most appropriate fix?
A new firewall is managed by Panorama. The admin successfully pushes policy, but interface and routing settings do not change on the firewall after a commit and push. Which is the most likely reason?
A company wants to use Dynamic Address Groups (DAGs) based on VM tags from their virtualization platform. Some workloads frequently change IP addresses, and the security team wants policies to follow the workload automatically. Which design best achieves this with the least administrative overhead?
An engineer needs the firewall to automatically learn a new default route from the upstream router and fail over quickly if the link drops. Which configuration best meets this requirement?
A firewall has an external interface configured for DHCP. Users report intermittent loss of internet access after the upstream DHCP server renews the lease and changes the DNS servers. What is the best practice to ensure the firewall always uses the current DNS servers for services such as FQDN objects and updates?
You are deploying Panorama with multiple firewalls. The security team wants a standardized baseline of shared objects (address groups, services) across all devices, while still allowing each firewall to have local exceptions. Which Panorama construct best fits this requirement?
An engineer configures a NAT rule to allow internal users to browse the internet. Traffic hits the Security policy rule, but sessions show 'incomplete' and no return traffic. Which NAT setting is the most likely cause?
A company wants to integrate an external threat feed so that a list of malicious IPs is updated automatically on the firewall and used in policy. Which feature should the engineer implement?
In Panorama, an engineer needs to push interface and zone configuration to a set of firewalls, but ensure each firewall can have a different IP address on the same interface. What is the recommended approach?
A firewall must allow inbound access to a web server in the DMZ using its public IP. The engineer creates a Destination NAT rule to translate the public IP to the server. The inbound traffic is still denied. Which additional configuration is required for a functional and secure deployment?
An automation script uses the XML API to create a new address object and then commits the configuration. The object is created successfully, but the commit fails because another admin has uncommitted candidate changes. What is the best practice to avoid this conflict when automating changes?
A firewall uses multiple virtual routers. An engineer adds an interface to Virtual Router 2, but traffic sourced from that interface is not reaching networks learned in Virtual Router 1. What is the correct design to allow controlled route sharing between the two virtual routers?
In Panorama, a newly onboarded firewall does not appear in the correct device group after the engineer adds it. The firewall is connected and shows as managed. What is the most likely reason the policy is not being applied to the firewall?
An administrator wants to allow inbound HTTPS to a public web server hosted in a DMZ. The web server is accessed through a destination NAT that maps a public IP to the server’s private IP. Which address should be used in the Security policy rule’s destination field to correctly match the traffic?
Users in the corporate network must access SaaS applications using their corporate DNS servers, but the security team also wants the firewall to enforce DNS Security and log DNS queries. What is the recommended approach?
A firewall has multiple virtual routers. A host route for a critical SaaS IP must always use ISP1, even if a broader default route prefers ISP2. Which configuration ensures the most specific route is chosen?
An engineer configures an IPsec site-to-site VPN. Phase 1 comes up, but Phase 2 never establishes. The remote peer reports "no proposal chosen" during quick mode. What is the most likely cause?
A firewall uses multiple authentication sources. The administrator wants a consistent user-to-IP mapping across the environment and to reduce reliance on agent-based polling of domain controllers. Which solution best meets this requirement?
Panorama manages 50 firewalls. The security team wants to ensure a baseline set of Security profiles (e.g., Antivirus, Anti-Spyware, Vulnerability) is applied consistently to all internet-bound Security rules, while still allowing local exceptions per firewall. What is the best design approach?
A new firewall is added to Panorama, but it does not appear in the correct template stack after onboarding. The administrator confirms the firewall is connected and shows as "Connected" in Panorama. What is the most likely reason the configuration is not being applied?
A team uses Panorama device groups for policy. They want a deny rule to always be evaluated last, regardless of local admin changes, and they do not want local admins to override it with more permissive rules. Where should this deny rule be placed?
A firewall has asymmetric routing due to multiple paths in the network. Sessions intermittently fail, and traffic logs show incomplete TCP handshakes. What firewall feature is typically used to handle asymmetric routing for certain traffic flows?
An engineer wants to automate adding a list of known malicious IPs to a dynamic block list on a firewall without manually editing Security policy rules. Which Palo Alto Networks feature best fits this use case?
Next-Generation Firewall Engineer 50 Practice Questions FAQs
Next-Generation Firewall Engineer is a professional certification from Palo Alto Networks that validates expertise in next-generation firewall engineering technologies and concepts. The official exam code is PALOALTO-5.
Our 50 Next-Generation Firewall Engineer practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
A bank of 50 questions is a good starting point for Next-Generation Firewall Engineer preparation. For more comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Next-Generation Firewall Engineer questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.