Palo Alto Networks NGFW Engineer — Question 60
An organization must secure its AWS and Azure environments using a managed Palo Alto Networks solution, and all policies must be synchronized from an existing Panorama deployment. The organization wants to insert security with the least possible impact on its application teams and use existing hub-and-spoke network designs.
• The AWS environment uses a centralized AWS Transit Gateway (TGW) architecture.
• The Azure environment uses a Virtual WAN (vWAN) hub.
Which two actions are the most appropriate in this use case? (Choose two.)
Answer options
- A. Deploy Cloud NGFW endpoints in every application virtual private cloud (VPC), ignoring the TGW.
- B. Deploy Cloud NGFW into the vWAN hub as a trusted security partner, and update routing policies to secure traffic.
- C. Deploy individual VM-Series firewalls in each spoke virtual network (VNet) and manage them as a device group in Panorama.
- D. Deploy Cloud NGFW endpoints into a security virtual private cloud (VPC), and adjust the TGW route tables to inspect traffic flowing through the hub.
Correct answer: B, D
Explanation
Option B is correct because deploying Cloud NGFW into the vWAN hub as a trusted security partner keeps inspection centralized at the existing hub, so spoke VNets need no changes beyond the routing policies that steer their traffic through the firewall. Option D is also correct because placing Cloud NGFW endpoints in a dedicated security VPC and updating the TGW route tables ensures traffic passing through the hub is inspected while the existing hub-and-spoke routing stays intact. Options A and C are less suitable: A ignores the established TGW architecture and requires per-VPC changes, and C multiplies the number of firewalls to operate, complicating management and visibility across the network.