Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 309
A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.
What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
Answer options
- A. Stream ID in the IP Option Drop options
- B. Record Route in IP Option Drop options
- C. Ethernet SGT Protection
- D. TCP Fast Open in the Strip TCP options
Correct answer: C
Explanation
The correct answer is C, Ethernet SGT Protection, because it is the Zone Protection setting that specifically addresses the identification and handling of TrustSec packets, which carry a Security Group Tag (SGT) at Layer 2. Options A and B are IP Option Drop settings and do not pertain to Layer 2 protections or TrustSec. Option D is irrelevant because it concerns TCP options and does not affect TrustSec packet processing.