Palo Alto Networks NGFW Engineer — Question 74
A network administrator is establishing a site-to-site VPN between a Palo Alto Networks firewall and a partner's Check Point Security Gateway. The partner has provided a specific list of local and remote IP address subnets that are permitted through the tunnel. The initial tunnel configuration on the PAN-OS firewall fails during the IKE Phase 2 exchange.
Which configuration step is essential to ensure compatibility with the policy-based Check Point gateway?
Answer options
- A. Define the local and remote subnets provided by the partner in the Proxy ID settings.
- B. Create individual Security policies for each pair of local and remote subnets.
- C. Assign a specific IP address to the tunnel interface to match the Check Point gateway.
- D. Enable Dead Peer Detection (DPD) in the IKE Gateway configuration.
Correct answer: A
Explanation
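The correct answer is A. PAN-OS builds route-based VPNs, while the Check Point gateway in this scenario is policy-based and negotiates IKE Phase 2 against the specific local and remote subnets it has been configured with. Defining the partner's local and remote subnets in the Proxy ID settings makes the PAN-OS firewall propose matching values during Phase 2, so the exchange can complete and the VPN recognizes which traffic is permitted through the tunnel. Options B, C, and D do not address the specific compatibility requirements for the IKE Phase 2 exchange with a policy-based Check Point gateway.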