View all questions & answers for the Palo Alto Next-Generation Firewall Engineer Exam Materials exam


Question 93 Discussion

A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit. Which two Security policy requirements must be included in the implementation plan? (Choose two answers)

  • A. The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer.
  • B. A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.
  • C. A policy must explicitly permit only the IKE application between the external-facing zone and local zone.
  • D. A policy must explicitly permit the IPSec container application between the external-facing zone and local zone.
Correct Answer: B,D

Comments

Franck 2026-01-11 17:05:48

Selected Answers: B, D


B. A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.
Once the tunnel is established, traffic passes through the tunnel interface, which belongs to a dedicated zone (e.g., VPN zone).

Therefore, two rules are required:

Local Zone => VPN Zone

VPN Zone => Local Zone

=> These rules control user traffic (data plane), not the negotiation.

D. A policy must explicitly permit the IPSec container application between the external-facing zone and local zone

For an IPSec tunnel to negotiate, the following must be allowed:

- IKE (UDP/500, UDP/4500)

- IPSec (ESP = protocol 50)

On PAN-OS, IPSec covers ESP and encapsulated NAT-T.
=> Without this rule, the tunnel will not be established.
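The two requirements above can be checked mechanically. The following is an added example, not code from the exam page or from Palo Alto Networks: a toy first-match evaluator for a PAN-OS style security rulebase, with the predefined intrazone-default (allow) and interzone-default (deny) rules at the bottom and the `ipsec` App-ID modelled as a container that includes `ike` and the ESP/NAT-T transports. The zone names (`untrust`, `trust`, `vpn`) and the rule names are assumptions. It shows why option A (defaults only) and option C (IKE only) leave the negotiation or the ESP traffic denied, while the B pair plus the D rule allow every flow the plan needs.

```python
"""Toy first-match evaluation of a PAN-OS style security rulebase.

Added example, not from the exam page or Palo Alto Networks. It models
only what the question needs: zones, App-IDs, the predefined
intrazone-default / interzone-default rules, and the 'ipsec' container
application. Zone and rule names are assumed for the scenario.
"""
from dataclasses import dataclass

# Assumed zone names: external-facing, local data center, tunnel interface zone.
EXTERNAL, LOCAL, VPN = "untrust", "trust", "vpn"

# The PAN-OS 'ipsec' App-ID is a container whose members cover IKE and the
# ESP / NAT-T transports; the 'ike' App-ID alone does not match ESP traffic.
APP_CONTAINERS = {
    "ipsec": {"ike", "ipsec-esp", "ipsec-esp-udp", "ipsec-ah"},
}


@dataclass
class Rule:
    name: str
    from_zone: str   # "any" matches every zone
    to_zone: str
    apps: set        # App-ID names; "any" matches everything
    action: str      # "allow" or "deny"

    def matches_app(self, app):
        if "any" in self.apps or app in self.apps:
            return True
        # A container app in the rule matches each of its member apps.
        return any(app in APP_CONTAINERS.get(a, set()) for a in self.apps)

    def matches(self, src_zone, dst_zone, app):
        return (self.from_zone in ("any", src_zone)
                and self.to_zone in ("any", dst_zone)
                and self.matches_app(app))


def evaluate(rules, src_zone, dst_zone, app):
    """Return (rule_name, action) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    # Predefined rules that sit at the bottom of every PAN-OS rulebase.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Flows the question cares about: tunnel negotiation and data-plane traffic.
NEGOTIATION_FLOWS = [(EXTERNAL, LOCAL, "ike"), (EXTERNAL, LOCAL, "ipsec-esp")]
DATA_FLOWS = [(LOCAL, VPN, "web-browsing"), (VPN, LOCAL, "ssl")]


def check_plan(rules):
    """Map each required flow to the action the rulebase gives it."""
    return {flow: evaluate(rules, *flow)[1] for flow in NEGOTIATION_FLOWS + DATA_FLOWS}


def plan_is_complete(rules):
    """True only if every negotiation and data flow is allowed."""
    return all(action == "allow" for action in check_plan(rules).values())


# Option D: permit the ipsec container app for tunnel negotiation.
RULE_D = Rule("allow-ipsec-negotiation", EXTERNAL, LOCAL, {"ipsec"}, "allow")
# Option C: ike only, which leaves ESP uncovered.
RULE_C = Rule("allow-ike-only", EXTERNAL, LOCAL, {"ike"}, "allow")
# Option B: the pair of data-plane rules for the tunnel interface zone.
RULES_B = [
    Rule("local-to-vpn", LOCAL, VPN, {"any"}, "allow"),
    Rule("vpn-to-local", VPN, LOCAL, {"any"}, "allow"),
]

if __name__ == "__main__":
    for label, rules in [("A only (defaults)", []),
                         ("C + B", [RULE_C] + RULES_B),
                         ("D + B", [RULE_D] + RULES_B)]:
        status = "complete" if plan_is_complete(rules) else "INCOMPLETE"
        print(f"{label}: {status}")
        for flow, action in check_plan(rules).items():
            print("   ", flow, "->", action)
```

Running the script prints that the defaults alone deny all four flows, that `C + B` still denies `ipsec-esp` from the external zone, and that only `D + B` is complete; the evaluator is deliberately simplified (no addresses, services or NAT), so it illustrates the zone and App-ID logic rather than a full PAN-OS match.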