Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 358

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Answer options

• A. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
• B. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
• C. Multiple vsys and firewalls can be assigned to a device group. and a multi-vsys firewall must have all its vsys in a single device group.
• D. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

Correct answer: B

Explanation

The correct answer is B because it accurately states that multiple vsys and firewalls can be associated with a device group, while allowing each vsys of a multi-vsys firewall to be placed in different groups. The other options incorrectly limit the assignment of vsys and firewalls to device groups, misrepresenting the flexibility of multi-vsys firewalls.