Palo Alto Networks NGFW Engineer — Question 78
An administrator is troubleshooting a newly configured site-to-site VPN between a PAN-OS firewall and a third-party policy-based VPN gateway. The tunnel allows traffic between the first pair of configured subnets, but traffic to a newly added remote subnet is failing. The administrator has confirmed that routing and Security policies are correct.
What is the most likely cause of this issue?
Answer options
- A. A static route for the new subnet pointing to the tunnel interface is missing.
- B. The Security policy for the new subnet must be placed above the existing VPN policy.
- C. The new local and remote subnets are missing from the Proxy ID configuration.
- D. The tunnel's maximum transmission unit (MTU) size must be increased to accommodate the new traffic.
Correct answer: C
Explanation
The correct answer is C. A policy-based VPN peer negotiates a separate IPsec security association for each local/remote subnet pair, and PAN-OS matches those pairs with Proxy IDs, so the Proxy ID configuration must include both the new local and remote subnets for the tunnel to recognize and allow traffic between them. Answer A is incorrect because the existing routing may already direct traffic properly, and the administrator has confirmed that routing is correct. Answer B is irrelevant because Security policies do not dictate the Proxy ID settings. Answer D is also incorrect because MTU size adjustments are not typically related to specific subnet configurations.