[2025年09月12日] 最速準備で試験合格!NGFW-Engineer問題の事前予備 [Q14-Q31]

Share

[2025年09月12日] 最速準備で試験合格!NGFW-Engineer問題の事前予備

NGFW-EngineerのPDF問題集リアル2025最近更新された問題


Palo Alto Networks NGFW-Engineer 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • 統合と自動化:このセクションでは、様々な環境にPalo Alto Networks NGFWを導入・管理する自動化エンジニアのスキルを評価します。PAシリーズ、VMシリーズ、CNシリーズ、クラウドNGFWのインストールが含まれます。自動化のためのAPIの活用、KubernetesやTerraformなどのサードパーティサービスとの統合、Panoramaテンプレートとデバイスグループによる一元管理、アプリケーション・コマンド・センター(ACC)でのカスタムダッシュボードとレポートの構築などが主要なトピックです。
トピック 2
  • PAN-OSデバイス設定の構成:このセクションでは、PAN-OSにおけるデバイス設定の構成に関するシステム管理者の専門知識を評価します。認証ロールとプロファイルの実装、インターフェース、ゾーン、ルーター、および仮想システム間セキュリティを備えた仮想システムの構成が含まれます。Strata Logging Serviceやログ転送などのログメカニズムに加え、ソフトウェアアップデートやPKI統合および復号化のための証明書管理についても解説します。また、Cloud Identity EngineのユーザーID機能とWebプロキシ設定の構成についても重点的に扱います。
トピック 3
  • PAN-OS ネットワーク構成:このセクションでは、PAN-OS 内のネットワークコンポーネントを構成するネットワークエンジニアのスキルを評価します。レイヤー 2、レイヤー 3、仮想ワイヤ、トンネルインターフェース、およびアグリゲートイーサネット構成にわたるインターフェース設定を網羅しています。さらに、ゾーン作成、高可用性構成(アクティブ
  • アクティブおよびアクティブ
  • パッシブ)、ルーティングプロトコル、ポータル、ゲートウェイ、認証、トンネリングのための GlobalProtect 設定も網羅しています。さらに、IPSec、耐量子暗号、GRE トンネルについても取り上げます。

 

質問 # 14
Which zone type allows traffic between zones in different virtual systems (VSYS), without the traffic leaving the firewall?

  • A. Isolated
  • B. External
  • C. Internal
  • D. Transient

正解:D

解説:
The Transient zone type is used to allow traffic between zones in different virtual systems (VSYS) on a Palo Alto Networks firewall without the traffic leaving the firewall. It provides a way for virtual systems to communicate with each other by acting as a temporary or intermediary zone. Traffic can pass through the firewall between the virtual systems without requiring physical interfaces or leaving the device.


質問 # 15
Which interface types should be used to configure link monitoring for a high availability (HA) deployment on a Palo Alto Networks NGFW?

  • A. HA, Layer 2. and Layer 3
  • B. Tap, Virtual Wire, and Layer 3
  • C. HA, Virtual Wire, and Layer 2
  • D. Virtual Wire, Layer 2, and Layer 3

正解:D

解説:
When configuring link monitoring for high availability (HA) on a Palo Alto Networks NGFW, the following interface types are supported:
Virtual Wire: Used when you have a transparent mode firewall deployment, where the firewall operates at Layer 2 to monitor traffic between two network segments.
Layer 2: Also used in transparent mode, where the firewall operates as a Layer 2 device and can be configured for link monitoring.
Layer 3: Used in routed mode, where the firewall is involved in routing traffic and can also be configured to monitor links.


質問 # 16
In an active/active high availability (HA) configuration with two PA-Series firewalls, how do the firewalls use the HA3 interface?

  • A. To perform session cache synchronization among all HA peers having the same cluster ID
  • B. To exchange hellos, heartbeats, HA state information, and management plane synchronization for routing and User-ID information
  • C. To synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair
  • D. To forward packets to the HA peer during session setup and asymmetric traffic flow

正解:A

解説:
In an active/active HA configuration with two PA-Series firewalls, the HA3 interface is used primarily for the exchange of HA state information between the firewalls. This includes:
Hellos and heartbeats to monitor the status of the HA peer.
Synchronization of management plane data, which includes critical routing and User-ID information.


質問 # 17
After an engineer configures an IPSec tunnel with a Cisco ASA, the Palo Alto Networks firewall generates system messages reporting the tunnel is failing to establish.
Which of the following actions will resolve this issue?

  • A. Configure the Proxy IDs to match the Cisco ASA configuration.
  • B. Ensure that an active static or dynamic route exists for the VPN peer with next hop as the tunnel interface.
  • C. Validate the tunnel interface VLAN against the peer's configuration.
  • D. Check that IPSec is enabled in the management profile on the external interface.

正解:A

解説:
The Proxy IDs (or Traffic Selectors) define the local and remote subnets that are allowed to communicate over the IPSec tunnel. If the Proxy IDs on the Palo Alto Networks firewall do not match the configuration on the Cisco ASA, the tunnel will fail to establish because the firewalls won't agree on which traffic to encrypt. Ensuring that the Proxy IDs match between the Palo Alto Networks firewall and the Cisco ASA will resolve the issue.


質問 # 18
An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?

  • A. Add each VSYS to the list of visible virtual systems of the other VSYS.
  • B. Create Security policies to allow the traffic between the two external zones.
  • C. Enable the "allow inter-VSYS traffic" option in both external zone configurations.
  • D. Create a transit VSYS and route all inter-VSYS traffic through it.

正解:A

解説:
In Palo Alto Networks firewalls, each virtual system (VSYS) is typically isolated from other VSYSs, meaning that traffic between different VSYSs cannot pass through the firewall by default. In this case, since the interfaces for each VSYS are assigned to separate virtual routers (VRs), and the desired traffic is still not passing between the two VSYSs, the firewall needs to be explicitly configured to allow traffic between them.
The required configuration is to add each VSYS to the list of visible virtual systems of the other VSYS. This allows inter-VSYS communication to be enabled, effectively permitting the traffic to pass between the zones of different VSYSs.


質問 # 19
Which forwarding methods can be used on the Objects tab when configuring the Log Forwarding profile?

  • A. Panorama, syslog, email
  • B. Syslog, HTTP, NetFlow
  • C. SNMP, HTTP, RADIUS
  • D. Panorama, ADEM, syslog

正解:A

解説:
When configuring the Log Forwarding profile on a Palo Alto Networks firewall, the forwarding methods available include:
Panorama: For forwarding logs to a Panorama management system.
Syslog: For forwarding logs to a syslog server.
Email: For sending logs via email.


質問 # 20
Which two statements describe an external zone in the context of virtual systems (VSYS) on a Palo Alto Networks firewall? (Choose two.)

  • A. It is not associated with an interface; it is associated with a VSYS itself.
  • B. It is associated with an interface within a VSYS of a firewall.
  • C. It is a security object associated with a specific VSYS.
  • D. It is a security object associated with a specific virtual router of a VSYS.

正解:B、C

解説:
In the context of virtual systems (VSYS) on a Palo Alto Networks firewall, the external zone is typically associated with specific interfaces within a VSYS. Zones are fundamental security objects used to define traffic flow between interfaces, and the external zone would be used for interfaces that connect to external networks.
An external zone is associated with an interface within a VSYS of the firewall. This ensures that traffic from specific interfaces can be classified as belonging to the external zone, allowing the firewall to apply appropriate security policies.
The external zone is indeed a security object that is specific to a given VSYS, as each VSYS can have its own set of zones that are isolated from others.


質問 # 21
By default, which type of traffic is configured by service route configuration to use the management interface?

  • A. Autonomous Digital Experience Manager (ADEM)
  • B. Security zone
  • C. Virtual system (VSYS)
  • D. IPSec tunnel

正解:A

解説:
By default, the Autonomous Digital Experience Manager (ADEM) traffic is configured to use the management interface in a Palo Alto Networks firewall. The management interface is typically used for management-related traffic, such as monitoring and logging, and it is configured to handle ADEM-related traffic for the optimal performance of digital experience monitoring features.
This default configuration helps ensure that ADEM traffic does not interfere with regular traffic that may traverse other interfaces, such as traffic from security zones or IPSec tunnels.


質問 # 22
What must be configured before a firewall administrator can define policy rules based on users and groups?

  • A. LDAP Server profile
  • B. Group mapping settings
  • C. User Mapping profile
  • D. Authentication profile

正解:B

解説:
Before a firewall administrator can define policy rules based on users and groups, the Group Mapping settings must be configured. These settings enable the firewall to map users to their respective Active Directory (AD) groups. This mapping allows the firewall to use user and group information to create policy rules based on group membership.


質問 # 23
A PA-Series firewall with all licensable features is being installed. The customer's Security policy requires that users do not directly access websites. Instead, a security device must create the connection, and there must be authentication back to the Active Directory servers for all sessions.
Which action meets the requirements in this scenario?

  • A. Deploy the transparent proxy with Web Cache Communications Protocol (WCCP).
  • B. Deploy the Next-Generation Firewalls as normal and install the User-ID agent.
  • C. Deploy the Advanced URL Filtering license and captive portal.
  • D. Deploy the explicit proxy with Kerberos authentication scheme.

正解:D

解説:
In this scenario, the customer requires that users do not directly access websites and that a security device (the firewall) manages the connection, while also ensuring that there is authentication back to the Active Directory (AD) servers for all sessions. The explicit proxy with Kerberos authentication is the best solution because:
The explicit proxy allows the firewall to intercept user web traffic and manage the connections on behalf of users.
Kerberos authentication ensures that the user's identity is validated against the Active Directory servers before the session is allowed, fulfilling the authentication requirement.


質問 # 24
Which set of options is available for detailed logs when building a custom report on a Palo Alto Networks NGFW?

  • A. GlobalProtect, traffic, application statistics
  • B. Traffic, User-ID, URL
  • C. Threat, GlobalProtect, application statistics, WildFire submissions
  • D. Traffic, threat, data filtering, User-ID

正解:D

解説:
When building a custom report on a Palo Alto Networks NGFW, you can select detailed logs that provide specific insights into various aspects of firewall activity. The available options for detailed logs typically include:
Traffic logs: These provide information on the network traffic passing through the firewall.
Threat logs: These logs capture data related to identified security threats, such as malware or intrusion attempts.
Data filtering logs: These logs capture events related to data filtering policies, such as preventing the transfer of sensitive data.
User-ID logs: These logs associate user identities with the traffic and activities observed on the firewall, enabling user-based policy enforcement.


質問 # 25
An NGFW engineer is configuring multiple Layer 2 interfaces on a Palo Alto Networks firewall, and all interfaces must be assigned to the same VLAN. During initial testing, it is reported that clients located behind the various interfaces cannot communicate with each other.
Which action taken by the engineer will resolve this issue?

  • A. Enable IP routing between the interfaces and configure a Security policy to allow traffic between interfaces within the VLAN.
  • B. Assign each interface to the appropriate Layer 2 zone and configure a policy that allows traffic within the VLAN.
  • C. Assign each interface to the appropriate Layer 2 zone and configure Security policies for interfaces not assigned to the same zone.
  • D. Configure each interface to belong to the same Layer 2 zone and enable IP routing between them.

正解:B

解説:
In a Layer 2 configuration, interfaces are typically grouped into the same Layer 2 zone. When the interfaces are assigned to the same VLAN, the firewall will treat them as part of the same broadcast domain.
In a Layer 2 setup, interfaces must be in the same Layer 2 zone to allow the traffic within the same VLAN to pass. Additionally, a security policy must be configured to allow traffic within this VLAN or zone. This will resolve the issue by ensuring that traffic is permitted between clients behind different interfaces assigned to the same VLAN.


質問 # 26
Which configuration in the LACP tab will enable pre-negotiation for an Aggregate Ethernet (AE) interface on a Palo Alto Networks high availability (HA) active/passive pair?

  • A. Set passive link state to "Auto."
  • B. Set "Enable in HA Passive State."
  • C. Set LACP mode to "Active."
  • D. Set Transmission Rate to "fast."

正解:B

解説:
In a High Availability (HA) active/passive pair configuration, when setting up an Aggregate Ethernet (AE) interface, enabling the "Enable in HA Passive State" option allows the interface to participate in LACP (Link Aggregation Control Protocol) even when the system is in the passive state. This ensures that the pre-negotiation of the LACP link occurs, allowing the link aggregation to be ready as soon as the firewall becomes active.


質問 # 27
In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured.
What function do certificate profiles serve in this context?

  • A. They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.
  • B. They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.
  • C. They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.
  • D. They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.

正解:A

解説:
In the context of GlobalProtect with certificate-based authentication, certificate profiles are used to ensure proper validation of the certificates. They perform the following functions:
Define trust anchors, which are the root and intermediate Certificate Authorities (CAs) that the firewall trusts to authenticate certificates.
Specify revocation checks, such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol), to ensure that the certificates being used have not been revoked.
Map certificate attributes, such as the Common Name (CN), which helps in authenticating users and devices based on their certificates.


質問 # 28
Which statement describes the role of Terraform in deploying Palo Alto Networks NGFWs?

  • A. It provides Infrastructure-as-Code (IaC) to automate NGFW deployment.
  • B. It orchestrates real-time traffic inspection for network segments.
  • C. It manages threat intelligence data synchronization with NGFWs.
  • D. It acts as a logging service for NGFW performance metrics.

正解:A

解説:
Terraform is an Infrastructure-as-Code (IaC) tool that automates the provisioning and management of infrastructure resources, including Palo Alto Networks Next-Generation Firewalls (NGFWs). By using Terraform configuration files, administrators can define and deploy NGFW instances across cloud environments (such as AWS, Azure, and GCP) efficiently and consistently.
Terraform enables:
Automated firewall deployment in cloud environments.
Configuration of security policies and networking settings in a declarative manner.
Scalability and repeatability, reducing manual intervention in firewall provisioning.


質問 # 29
When configuring a Zone Protection profile, in which section (protection type) would an NGFW engineer configure options to protect against activities such as spoofed IP addresses and split handshake session establishment attempts?

  • A. Reconnaissance Protection
  • B. Flood Protection
  • C. Protocol Protection
  • D. Packet-Based Attack Protection

正解:C

解説:
In the context of a Zone Protection profile, Protocol Protection is the section used to configure protections against activities such as spoofed IP addresses and split handshake session establishment attempts. These types of attacks typically involve manipulating protocol behaviors, such as IP address spoofing or session hijacking, and are mitigated by the Protocol Protection settings.


質問 # 30
Which statement applies to the relationship between Panorama-pushed Security policy and local firewall Security policy?

  • A. When a policy match is found in a local firewall policy, if any Panorama shared post-rule is configured, it will still be evaluated.
  • B. Panorama post-rules can be configured to be evaluated before local firewall policy for the purpose of troubleshooting.
  • C. Local firewall rules are evaluated after Panorama pre-rules and before Panorama post-rules.
  • D. The order of policy evaluation can be configured differently in different device groups.

正解:C

解説:
Local firewall rules are evaluated after Panorama pre-rules (those applied before the firewall's local policies) and before Panorama post-rules (those applied after the firewall's local policies). This ensures that the local firewall rules do not override the central Panorama policy and are only applied in the appropriate order within the policy evaluation sequence.


質問 # 31
......

NGFW-Engineer問題集と練習テスト(52試験問題):https://www.passtest.jp/Palo-Alto-Networks/NGFW-Engineer-shiken.html

リリースPalo Alto Networks NGFW-Engineer更新された問題PDF:https://drive.google.com/open?id=1L6LkFWFVbOOXJtiWArQE52jp6UPaK1uG