Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 313
An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled.
How can the engineer remediate this issue?
Answer options
- A. Add a Security policy to allow UDP/500.
- B. Add a Security policy to allow the IKE application.
- C. Add a Security policy to allow the IPSec application.
- D. Add a Security policy to allow UDP/4501.
Correct answer: C
Explanation
The correct answer is C. Allowing the IPSec application permits the traffic needed for the secure transmission of data across the VPN, which matters here because both peers are behind NAT. Options A and D each allow only a single port and may not cover all of the necessary traffic, and option B alone does not ensure that the IPSec traffic is properly handled.