Question 11 Discussion
Comments
Selected Answers: A, B
Refuting Option C ("Separate rules MUST be created"):
The Trap: Many people think you must have one rule for Trust -> VPN and another for VPN -> Trust.
The Reality: PAN-OS allows Universal rules. You can create a single security policy where the Source Zone is [Trust, VPN] and the Destination Zone is [Trust, VPN]. This one rule allows traffic in both directions.
Conclusion: Because a single rule can work, creating separate rules is Optional, not "Must." (Making Option A the winner).
Refuting Option D ("IKE... denied by default via interzone"):
The Trap: This assumes the IKE negotiation happens between different zones.
The Reality: IKE (UDP 500/4500) occurs between the External Interfaces of the firewalls.
Your External Interface = Untrust Zone.
Peer's External IP = Untrust Zone (from your firewall's perspective).
The Logic: Traffic from Untrust to Untrust is Intrazone traffic.
Default Behavior: The default action for Intrazone traffic on Palo Alto firewalls is Allow.
Conclusion: IKE is allowed by default because it is Intrazone, not Interzone. (Making Option B the winner).
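A small model of PAN-OS first-match rule evaluation, added here as an illustration (it is not the poster's code or Palo Alto Networks' software), showing why one universal rule covers both directions and why the Untrust-to-Untrust IKE flow lands on the intrazone-default rule; the zone and rule names are assumed.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One security policy rule; zone sets may contain 'any' as a wildcard."""
    name: str
    from_zones: set
    to_zones: set
    action: str
    rule_type: str = "universal"  # PAN-OS rule types: universal, intrazone, interzone

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        if not (_zone_in(src_zone, self.from_zones) and _zone_in(dst_zone, self.to_zones)):
            return False
        if self.rule_type == "intrazone":
            return src_zone == dst_zone
        if self.rule_type == "interzone":
            return src_zone != dst_zone
        return True  # universal: any listed source/destination pair, so both directions


def _zone_in(zone: str, zones: set) -> bool:
    return "any" in zones or zone in zones


# Predefined rules at the bottom of every PAN-OS rulebase: same-zone traffic is
# allowed and cross-zone traffic is denied unless an earlier rule matches first.
DEFAULT_RULES = [
    Rule("intrazone-default", {"any"}, {"any"}, "allow", "intrazone"),
    Rule("interzone-default", {"any"}, {"any"}, "deny", "interzone"),
]


def evaluate(rulebase: list, src_zone: str, dst_zone: str) -> tuple:
    """Top-down first match over the rulebase plus defaults; returns (rule name, action)."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    raise AssertionError("unreachable: the default rules cover every zone pair")


# Constructed rulebase (assumed names): the single universal rule from the discussion above.
RULEBASE = [Rule("Trust-VPN", {"Trust", "VPN"}, {"Trust", "VPN"}, "allow")]


def demo() -> dict:
    return {
        "Trust->VPN": evaluate(RULEBASE, "Trust", "VPN"),              # the one universal rule
        "VPN->Trust": evaluate(RULEBASE, "VPN", "Trust"),              # same rule, reverse direction
        "Untrust->Untrust (IKE)": evaluate(RULEBASE, "Untrust", "Untrust"),  # intrazone-default allow
        "Untrust->Trust": evaluate(RULEBASE, "Untrust", "Trust"),      # interzone-default deny
        "Trust->Trust": evaluate(RULEBASE, "Trust", "Trust"),          # caveat: universal rule also hits here
    }


if __name__ == "__main__":
    for flow, (rule, action) in demo().items():
        print(f"{flow:24} -> {action} ({rule})")
```

The last entry is the trade-off of the single-rule approach: a universal rule listing both zones on both sides also matches Trust-to-Trust and VPN-to-VPN, which two separate interzone rules would not.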
Selected Answers: A, B
Look here for the reference.
Check step 7:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two answers)