Palo Alto Networks NGFW Engineer — Question 52

A network security engineer is segmenting a single firewall into VSYS-A and VSYS-B. For traffic to flow from VSYS-A to VSYS-B, external zones are required.

What are two fundamental properties of the external zones needed for this configuration? (Choose two.)

Answer options

• A. They must be linked to the same virtual router as the ingress interface.
• B. They represent their parent VSYS without being tied to a physical or logical interface.
• C. They are a security construct belonging to a single VSYS.
• D. They are automatically created when inter-VSYS routing is enabled.

Correct answer: B, C

Explanation

Option B is correct because external zones represent their parent VSYS without needing a physical or logical interface, which is essential for inter-VSYS communication. Option C is also correct as external zones are indeed a security construct that is specific to a single VSYS. Options A and D are incorrect; A is not required for external zones, and D is misleading since external zones are not automatically created just by enabling routing.