Q: 4
Which two statements apply to configuring required security rules when setting up an IPSec tunnel
between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
Options
Discussion
If the tunnel interfaces were set up in the same security zone, would option B suddenly apply since intrazone default policies allow a lot by default? That might flip which rules are actually required.
C D tbh, similar questions show up in official practice and docs. Check both for tunnel/interzone rule behavior.
C D tbh. You need specific rules for each direction and IKE/ESP gets blocked by interzone default deny. B sounds right at first but that's just intrazone, not interzone.
Do you think the question is talking about both tunnel setup traffic and user data through the tunnel? Kinda reads like you need to create rules for both directions and also account for interzone default deny blocking IKE/ESP. Am I missing something?
It's C and D, not B. Many miss that interzone default deny blocks tunnel setup traffic so explicit rules are a must.
It's C and D. Palo Alto needs explicit rules both ways and interzone default deny blocks IKE/ESP unless you allow them.
C and D here. You need explicit rules for both traffic directions and the default deny hits the IKE/ESP unless allowed, since they're interzone. Pretty sure about this but open if someone got a different lab result.
Option C and D
C/D? I remember similar wording in the official guide. You need two-way rules since Palo Alto firewalls don't auto-allow traffic both directions through a tunnel and interzone default denies IKE/ESP until you explicitly allow. Definitely saw this called out on some practice tests too. Correct me if I'm missing something.
Not quite B, it's C and D. A lot of folks pick B because they assume intrazone default allows IKE/ESP, but that's not the case here since it's interzone traffic. Happened on a similar question before.
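The rule set the discussion above describes, written out as an added example in PAN-OS configure-mode (set-format) CLI; it is not from the thread or from Palo Alto Networks documentation. The zone names (untrust, trust, vpn) and rule names are assumed placeholders, and the example assumes the tunnel endpoint sits in the untrust zone.

```text
# Added example (not from the thread). PAN-OS configure-mode CLI, set format.
# Zone names untrust/trust/vpn and the rule names are assumed placeholders.

# 1. Tunnel setup traffic: IKE negotiation and ESP to/from the peer gateway.
#    Without an explicit rule this traffic falls to the default rules.
#    Assumption: the IKE gateway interface is in zone untrust.
set rulebase security rules Allow-IKE-ESP from untrust to untrust source any destination any application [ ike ipsec-esp ] service application-default action allow

# 2. User data through the tunnel: one rule per direction, since the firewall
#    does not automatically allow the return direction through the tunnel zone.
set rulebase security rules Trust-to-VPN from trust to vpn source any destination any application any service application-default action allow
set rulebase security rules VPN-to-Trust from vpn to trust source any destination any application any service application-default action allow

commit

# 3. Verification from operational mode: confirm the rules are in the running
#    policy and that the IKE and IPSec SAs come up after the peer initiates.
show running security-policy
show vpn ike-sa
show vpn ipsec-sa
```

Keeping the data-plane rules scoped to the real subnets on each side (instead of `source any` / `destination any`) and enabling logging at session end on all three rules makes it easy to see in the traffic log which rule, or which default rule, a blocked IKE or ESP session actually matched.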