Free Palo Alto Networks NGFW-Engineer Actual Exam Questions - Question 4 Discussion
(VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the
firewall (no external physical connections). The interfaces for each VSYS are assigned to separate
virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been
created correctly for each VSYS. Security policies have been added to permit the desired traffic
between each zone and its respective external zone. However, the desired traffic is still unable to
successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?
B/C? Even with routes and policies, if the VSYS aren’t visible to each other (B), that could block the traffic. But the “allow inter-VSYS traffic” option (C) is often a must-have for zones to talk internally without leaving the firewall.
C/D? The question says security policies already exist between each zone and its external zone, so adding more policies between external zones (D) might be redundant. The key might be the “allow inter-VSYS traffic” setting inside those external zone configs (C), which controls whether zones in different VSYS can communicate. Without enabling that, traffic won't traverse between VSYS even if routes and policies look right. So I’d say enabling that option is the missing step here.
B imo, without making the VSYS visible to each other, they can’t properly exchange traffic even if routes and policies are set. That visibility is key for inter-VSYS communication.
Looks like B is the missing piece here. If each VSYS doesn’t see the other in its visible VSYS list, even with routes and policies in place, traffic won’t flow between them properly. Adding each VSYS to the other's visible list should fix that visibility issue and get the traffic moving.
C/D? The “allow inter-VSYS traffic” option often trips people up here, but if policies already exist between zones and their external zones, missing direct policies (D) might be the real blocker.
Option C: the inter-VSYS traffic flag often blocks cross-zone flows even if routes and policies exist.
D imo, since they already have policies between each zone and its external zone, maybe they forgot to add policies directly between the two external zones to actually allow traffic across.
This one feels like it’s about bridging the VSYS gap, so I’m thinking option C. Even if routes and policies seem okay, without enabling "allow inter-VSYS traffic" in the external zones, the firewall won’t let traffic pass between VSYS internally. That setting basically tells the firewall it’s okay for traffic to flow across virtual systems in those zones. So yeah, C makes sense here.
B, because without visibility, policies won’t apply across VSYS boundaries.
B tbh, shouldn’t we first confirm if the VSYS visibility settings are correctly configured? The question says external zones and policies are set, but it might miss that each VSYS needs to explicitly see the other to allow traffic. Without that, even with routes and policies, traffic could be blocked internally. Anyone else think the key detail is about VSYS visibility lists?