Palo Alto Networks firewalls enforce security policies based on traffic moving between security zones. For an IPSec tunnel, two distinct types of traffic must be considered: the control plane traffic (IKE, ESP) that builds the tunnel, and the data plane traffic that passes through it.

The data plane traffic, which is the user data being protected, typically travels between an internal zone (e.g., trust) and the zone containing the tunnel interface (e.g., a dedicated vpn zone or the untrust zone). Because this traffic crosses zones, it is subject to the interzone-default security rule, which has a default action of deny. Therefore, explicit security rules must be created to allow this traffic. To permit sessions to be initiated from both sides of the tunnel, separate, directional rules are required.

A. A single security rule is directional and only allows traffic initiation from the specified source zone to the destination zone. A second rule is required for return-initiated traffic.

B. The firewall's control plane implicitly allows IKE and ESP packets destined for the firewall itself to establish the tunnel; they are not processed against the intrazone-default allow policy for this purpose.

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Security Policy

" Page 1031. The guide describes the two default security rules: intrazone-default (allow) and interzone-default (deny). This supports the principle that traffic between zones

such as from a trust zone to a vpn zone

is denied by default

which is the concept behind option D.

2. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Define Security Policy for the IPSec Tunnel

" Page 588. This section explicitly states

"To allow traffic to flow through the VPN tunnel

you must configure a security policy rule." The examples provided consistently show separate rules for allowing traffic in each direction (e.g.

from LAN to VPN

and from VPN to LAN)

which directly supports option C.

3. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"How Does the Firewall Process IPSec Packets?

" Page 554. This section clarifies

"The firewall allows IKE and IPSec traffic to and from the interfaces that are configured as IPSec tunnel endpoints; you do not need to create Security policy rules to allow this traffic." This directly refutes the premise of option B.