NGFW-Engineer 試験問題を無料オンラインアクセス

A government agency needs to ensure that all user web access is explicitly mediated and authenticated.
The agency has the following requirements:
* Client browsers must be manually configured to send traffic to the firewall's IP address and a specific port.
* The firewall must support seamless single sign-on (SSO) with the users' existing Active Directory credentials.
Which feature set should the engineer configure to meet the agency's requirements?

• A.Web proxy in explicit mode with an Authentication policy by using Kerberos
• B.Decryption policy that redirects users to a SAML identity provider for authentication
• C.User-ID agent integration with Authentication Portal for authentication
• D.Web proxy in transparent mode with an Authentication policy by using multi-factor authentication (MFA)

What is the primary use case for the CN-Series NGFW?

• A.Providing security for physical data center perimeters (north-south)
• B.Protecting mobile users and remote branch offices (east-west)
• C.Enforcing Security policies between pods in a Kubernetes environment (east-west)
• D.Securing traffic in and out of a public cloud VPC or VNet (north-south)

A holding company has recently acquired two new businesses, each with its own Okta identity provider. The holding company wants to use a single Cloud Identity Engine (CIE) instance to provide User-ID for all three organizations' firewalls. However, for legal reasons, the firewalls of Company A must only receive identity data from Company A's Okta instance, and the firewalls of Company B must only receive data from Company B's Okta instance.
Which configuration in CIE supports this requirement with highest operational efficiency?

• A.Push all identity data to Panorama and use Panorama's group mapping include/exclude lists to control what each firewall learns.
• B.Create a master CIE tenant for the holding company and peer it with two subordinate tenants, one for each acquired business.
• C.Configure a CIE tenant, connect Okta, and create segments.
• D.Configure the firewalls for each company to query their respective Okta IdPs directly, bypassing CIE for redistribution.

An administrator needs to perform several maintenance tasks on a managed firewall directly from the Panorama console without using the Context Switch feature.
Which set of tasks can the administrator fully execute from the Panorama UI?

• A.Create a new zone.
  Configure a new virtual router.
  View the local ACC on the firewall.
• B.Download and install a new content update.
  View current firewall session details.
  Initiate a device reboot.
• C.Edit a post-rule.
  Create a new certificate profile.
  Configure the firewall's hostname.
• D.Modify the IP address of a Layer 3 interface.
  Configure a new local administrator account.
  Edit a pre-rule.

An network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component.
Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status?

• A.SSL/TLS service profile
• B.Forward trust certificate
• C.Certificate revocation checking
• D.Decryption profile