Question 5 - Palo Alto Networks NGFW-Engineer Real Exam Questions [March 2026 Update]

Q: 5

What is a result of enabling split tunneling in the GlobalProtect portal configuration with the “Both Network Traffic and DNS” option?

Options

Discussion

Ivy B. Mar 9, 2026 2:51 am

D . This basically lets you control which domains resolve via the VPN DNS and which stick with local DNS, so fits what split tunneling does in GlobalProtect. Not 100% if there's a weird edge case, but pretty sure.

Quinn R. Mar 8, 2026 6:56 am

Option D Had something like this in a mock, and it matches how split tunneling with DNS works in GlobalProtect as far as I know.

Avery B. Feb 26, 2026 1:43 am

Option D not B. B feels like a trick since seamless FQDN is a different feature I think.

Anita V. Mar 2, 2026 2:48 am

Its B here. With split tunneling set this way, I'm thinking users can hit internal and external resources based on location but using the same FQDN. Not 100% sure, open to other views.

Daniel L. Mar 1, 2026 8:04 pm

D vs B, but pretty sure D is it since B mixes up features. Trap for those thinking seamless FQDN.

LoganN Feb 27, 2026 10:01 pm

Alex V. Mar 8, 2026 11:07 am

D every time here. That's the whole point of DNS split tunneling in GlobalProtect, you pick which domains go to each DNS.

PreciseDev4765 Feb 26, 2026 11:33 am

Pretty sure it's B. The way split tunneling works, when you enable both network and DNS, users get access to internal stuff locally and external stuff remotely, all using the same FQDN. I think that's what the option is saying.

Owen G. Feb 21, 2026 3:22 pm

I think B makes more sense for "Both Network Traffic and DNS" split tunneling, not D. B.

Ben G. Feb 20, 2026 4:53 am

D . C looks tempting if you're just thinking about DNS in general, but with GlobalProtect split tunneling and the "Both" option, it's all about specifying which domains use which DNS server. Seen this on other practice sets too.

Be respectful. No spam.

Correct Answer:

Explanation

Enabling split tunneling with the “Both Network Traffic and DNS” option in a GlobalProtect configuration allows for precise control over DNS resolution. This feature, often referred to as DNS-based split tunneling, directs the GlobalProtect agent to intercept all DNS queries on the endpoint. If a query matches a domain specified in the split-tunnel include list, the agent forwards it to the corporate DNS servers assigned by the VPN gateway. All other DNS queries for domains not on the list are forwarded to the endpoint's locally configured DNS servers. This ensures that internal corporate resources are resolved correctly by internal servers, while general internet traffic is resolved locally, optimizing performance and reducing load on the corporate network.

Why Incorrect

A. This is incorrect. The feature is not about primary versus secondary DNS server logic for redundancy, but about routing DNS queries to either the VPN's DNS or the local DNS based on the domain name.

B. This describes a use case known as split-brain DNS, which this feature can facilitate. However, the direct function of the setting is to control the DNS resolution path, not to manage FQDN-to-IP mappings based on location.

C. This misrepresents the feature's purpose. While it could potentially be misused to bypass local DNS filtering, its intended function is to correctly route corporate versus public traffic, not to circumvent security policies.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"GlobalProtect > Configure Split Tunneling for the GlobalProtect Apps".

In the section "Split Tunneling Based on the Domain and Application

" the documentation states: "When you configure split tunneling based on domain

the GlobalProtect app on the endpoint intercepts all DNS requests. The app then compares the domain in the request to the domains in the split tunnel include list. If the domain in the request matches a domain in the include list

the app forwards the request to the private DNS server for resolution. If the domain in the request does not match a domain in the include list

the app forwards the request to the public DNS server for resolution." This directly supports the mechanism described in answer D.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0

"GlobalProtect > Configure Split Tunneling for the GlobalProtect Apps".

The section "DNS-Based Split Tunneling" explains: "To ensure that the app can resolve the IP addresses of the applications that you want to access through the tunnel

you must also configure the app to direct DNS queries for the specified domains to the private DNS server." This confirms that the configuration is about specifying which domains are resolved by which set of DNS servers (VPN-assigned vs. local).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE