Next-Generation Firewall Engineer Intermediate Practice Exam: Medium Difficulty 2025

A branch office has two ISP links. Users must use ISP1 for all business traffic, but SaaS applications (Microsoft 365 and Salesforce) should automatically fail over to ISP2 if ISP1 has increased packet loss, even if the link is still up. Which design best meets the requirement on a Palo Alto Networks firewall?

You are migrating a remote site from a legacy firewall to a Palo Alto Networks NGFW. The site uses two internal VLANs on a single trunk to a switch, and the security team requires segmentation with separate security zones per VLAN. What is the most appropriate interface configuration on the firewall?

After enabling SSL decryption for outbound web traffic, users report that access to a banking website fails, and the firewall logs show certificate errors for that site. The security team wants decryption for general web browsing but must allow banking sites to function without interruption. What is the best next step?

A firewall has three security zones: Trust, DMZ, and Untrust. A web server in the DMZ must be reachable from the internet on HTTPS, and administrators want to see the public destination in traffic logs (not the internal server IP). Which NAT configuration best meets the requirement?

A firewall has two internal routers that can reach the same corporate networks. You want the firewall to automatically prefer the better path and fail over if a route is withdrawn, without using static routes. Which approach is most appropriate?

Users authenticate to the firewall with LDAP. You need to enforce different Security policies based on AD group membership, but you also want usernames to appear in logs for IP-based sessions without requiring explicit authentication at every application. Which configuration best meets these requirements?

You manage 40 firewalls with Panorama. A new outbound web-browsing policy must be deployed to all sites, but each site has its own local internet interface and zone names differ slightly. You want to minimize per-firewall customization while keeping a single common policy. What is the best Panorama approach?

A team wants to ensure that a specific set of Security rules (baseline threat prevention and logging) is enforced across all firewalls, and local administrators must not override or disable these rules. How should the rules be positioned in Panorama?

Panorama manages multiple firewalls, and you need to deploy a new set of interfaces and zones to a subset of devices while keeping existing shared settings. Some devices already receive a base template, but you must add site-specific settings without duplicating the base. What should you use?

A SOC wants to automatically block IPs reported by an external threat feed and use those indicators in Security policy without manual updates. The solution must update frequently and be manageable on the firewall. Which feature best fits?