Free Palo Alto Networks NGFW-Engineer Actual Exam Questions - Question 3 Discussion
between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
I’m thinking B might not be right since the intrazone default allow usually applies within the same zone, but IPSec traffic is often interzone. Could it be A instead of C? Or is the separate rule really mandatory?
It’s definitely C and D for me. You can’t rely on a single rule for both directions when it comes to IPSec tunnels; each direction needs its own rule. Plus, the interzone default deny policy means you have to explicitly allow IKE and IPSec/ESP packets, so those don’t get through automatically. Option B can’t be right since intrazone default allow doesn’t cover interzone tunnel traffic. And A is wrong because separate rules aren’t optional here.
It’s C and D for sure. You can’t skip making separate rules for incoming and outgoing traffic when dealing with tunnels—that’s basic firewall setup. Also, the interzone default deny policy means IPSec and IKE packets won’t pass unless explicitly allowed, so you have to configure those rules. Option A is off because separate rules aren’t optional for tunnel traffic, and B is wrong since the intrazone default allow doesn’t cover interzone IKE/IPSec packets. So definitely C and D.
C and D—both directions need rules, and interzone traffic is denied by default.
Option C makes sense because you usually need explicit rules for both directions. Option D fits since interzone traffic is denied by default and you have to allow IKE/IPSec packets manually.
Maybe A and D since default deny kicks in interzone and separate rules might not be mandatory.
It’s C because you have to handle traffic both ways explicitly, and D since default denies apply between zones.
It’s C and D here because you need explicit rules for both directions, and default interzone deny blocks IKE/IPSec unless allowed. The intrazone default allow doesn’t cover those IPSec packets automatically.
It’s B and D for me, but does this depend on the firewall’s default policy settings or the PAN-OS version? Just want to be sure if those defaults always apply.
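As an added example that is not part of this thread or of Palo Alto Networks' own documentation, here are the explicit per-direction rules the replies describe, written as PAN-OS CLI set commands. The zone names (untrust, vpn-edge), addresses (203.0.113.10 peer, 198.51.100.1 firewall) and rule names are assumed placeholders, and the `#` lines are annotations rather than CLI syntax.

```text
# Added example: PAN-OS security rules for a site-to-site tunnel to a
# third-party gateway. Assumed placeholders: peer gateway 203.0.113.10 in
# zone "untrust"; tunnel terminates on firewall interface 198.51.100.1 in
# zone "vpn-edge".

configure

# Inbound direction: peer -> firewall. App-ID "ike" covers IKE on UDP/500
# and NAT-T on UDP/4500; "ipsec-esp" covers IP protocol 50. Using
# service application-default pins each app to its standard ports.
set rulebase security rules Allow-VPN-Peer-In from untrust to vpn-edge source 203.0.113.10 destination 198.51.100.1 application [ ike ipsec-esp ] service application-default action allow log-end yes

# Outbound direction: firewall -> peer. A separate rule, because one rule
# matches a single from/to zone pair and does not cover the reverse path.
set rulebase security rules Allow-VPN-Peer-Out from vpn-edge to untrust source 198.51.100.1 destination 203.0.113.10 application [ ike ipsec-esp ] service application-default action allow log-end yes

# Log hits on the built-in interzone default deny, so a missing or
# mis-scoped rule shows up as denied ike/ipsec-esp sessions in the
# traffic log instead of a silent tunnel failure.
set rulebase default-security-rules rules interzone-default log-end yes

commit
exit

# Check which rule each direction of IKE (UDP/500) would match; if the
# output names interzone-default, the explicit allow is missing.
test security-policy-match from untrust to vpn-edge source 203.0.113.10 destination 198.51.100.1 protocol 17 destination-port 500 application ike
test security-policy-match from vpn-edge to untrust source 198.51.100.1 destination 203.0.113.10 protocol 17 destination-port 500 application ike
```

If the peer is behind NAT, ESP is encapsulated in UDP/4500 and the App-ID `ipsec-esp-udp` should be added to both rules alongside `ipsec-esp`.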