Palo Alto Networks NGFW Engineer — Question 16
An NGFW engineer is establishing bidirectional connectivity between the accounting virtual system (VSYS) and the marketing VSYS. The traffic needs to transition between zones without leaving the firewall (no external physical connections). The interfaces for each VSYS are assigned to separate virtual routers (VRs), and inter-VR static routes have been configured. An external zone has been created correctly for each VSYS. Security policies have been added to permit the desired traffic between each zone and its respective external zone. However, the desired traffic is still unable to successfully pass from one VSYS to the other in either direction.
Which additional configuration task is required to resolve this issue?
Answer options
- A. Create a transit VSYS and route all inter-VSYS traffic through it.
- B. Add each VSYS to the list of visible virtual systems of the other VSYS.
- C. Enable the “allow inter-VSYS traffic” option in both external zone configurations.
- D. Create Security policies to allow the traffic between the two external zones.
Correct answer: B
Explanation
The correct answer is B: each VSYS must be added to the other's list of visible virtual systems before the two can communicate. The other options either suggest unnecessary configuration or do not address visibility, which is crucial for inter-VSYS traffic.