Palo Alto Networks NGFW Engineer — Question 56
A network architect is planning the deployment of a new IPSec VPN tunnel to connect a local data center to a cloud environment. The plan must include all necessary Security policy configurations for both tunnel negotiation and data transit.
Which two Security policy requirements must be included in the implementation plan? (Choose two.)
Answer options
- A. A policy must explicitly permit the IPSec container application between the external-facing zone and local zone.
- B. A policy must explicitly permit only the IKE application between the external-facing zone and local zone.
- C. A pair of policies is required to control the flow of data traffic into and out of the security zone assigned to the tunnel interface.
- D. The default interzone-default security policy is sufficient to allow the tunnel negotiation traffic between the firewall and the remote peer.
Correct answer: B, C
Explanation
B and C are correct. Tunnel negotiation is IKE traffic (UDP 500, or UDP 4500 when NAT traversal is in use) exchanged between the remote peer and the firewall's own external interface, so the plan needs a rule that permits the ike App-ID for that flow. Scoping that rule to ike, rather than to the broader ipsec container application in option A (which also covers the ESP and AH payload applications), limits the rule to what the negotiation actually needs. Once the tunnel is up, the tunnel interface is assigned to its own security zone, so data crossing between that zone and the local zone is interzone traffic; because the interzone-default rule denies, an explicit pair of rules is needed, one from the local zone to the tunnel zone and one in the reverse direction, which is option C. Option D fails for the same reason: interzone-default denies rather than permits, so it cannot carry the negotiation traffic. Two practical caveats: if the remote peer and the interface terminating the tunnel are in the same zone, the negotiation is intrazone and the intrazone-default rule would allow it unless it has been hardened to deny, but an explicit rule is still preferable because it is logged and survives that hardening; and if the encrypted ESP payload itself crosses a zone boundary on the firewall, the ipsec-esp App-ID must be permitted as well.
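The following PAN-OS configure-mode set commands are an added example of how answers B and C translate into configuration; they are not part of the original question or of any Palo Alto Networks reference material. The zone names (untrust, trust, vpn-cloud), the interface tunnel.1, and all IP addresses are placeholders assumed for this example, and the lines beginning with "#" are annotations that the PAN-OS CLI does not accept.

```text
# Added example: PAN-OS configure-mode "set" commands covering answers B and C.
# Zone names (untrust, trust, vpn-cloud), interface tunnel.1 and all addresses
# are placeholders assumed for this example; lines starting with "#" are
# annotations and are not accepted by the PAN-OS CLI.

# Put the tunnel interface in its own zone so that traffic entering or leaving
# the tunnel crosses a zone boundary and is evaluated by Security policy.
set network interface tunnel units tunnel.1 ip 10.255.0.1/30
set network virtual-router default interface tunnel.1
set zone vpn-cloud network layer3 tunnel.1

# Answer B: permit tunnel negotiation. IKE (UDP 500, UDP 4500 with NAT-T) runs
# between the cloud peer and the firewall's own external interface, both in the
# untrust zone here. The rule is scoped to the ike App-ID only; a rule for the
# ipsec-esp App-ID would be added only if the ESP payload crossed a zone boundary.
set rulebase security rules Allow-IKE-Cloud from untrust to untrust
set rulebase security rules Allow-IKE-Cloud source 198.51.100.20
set rulebase security rules Allow-IKE-Cloud destination 203.0.113.10
set rulebase security rules Allow-IKE-Cloud application ike
set rulebase security rules Allow-IKE-Cloud service application-default
set rulebase security rules Allow-IKE-Cloud action allow
set rulebase security rules Allow-IKE-Cloud log-end yes

# Answer C: a pair of rules for data transit. interzone-default denies, so each
# direction between the tunnel zone and the local data-center zone needs its
# own rule, restricted to the two subnets the tunnel is meant to carry.
set rulebase security rules DC-to-Cloud from trust to vpn-cloud
set rulebase security rules DC-to-Cloud source 10.10.0.0/16
set rulebase security rules DC-to-Cloud destination 172.16.0.0/16
set rulebase security rules DC-to-Cloud application any
set rulebase security rules DC-to-Cloud service application-default
set rulebase security rules DC-to-Cloud action allow
set rulebase security rules DC-to-Cloud log-end yes

set rulebase security rules Cloud-to-DC from vpn-cloud to trust
set rulebase security rules Cloud-to-DC source 172.16.0.0/16
set rulebase security rules Cloud-to-DC destination 10.10.0.0/16
set rulebase security rules Cloud-to-DC application any
set rulebase security rules Cloud-to-DC service application-default
set rulebase security rules Cloud-to-DC action allow
set rulebase security rules Cloud-to-DC log-end yes
```

The negotiation rule is written untrust-to-untrust because the firewall's external interface and the cloud peer share that zone in this example; the explicit rule is still worth having so that IKE sessions are logged and the tunnel keeps working if intrazone-default is later set to deny. Once the workloads behind the tunnel are known, replace `application any` in the two transit rules with the specific App-IDs they need, and keep `service application-default` so each application is only permitted on its standard ports.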