Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 609

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.
What is the best option for the administrator to take?

Answer options

• A. Configure the TAP interface for segment X on the firewall
• B. Configure a Layer 3 interface for segment X on the firewall.
• C. Configure vwire interfaces for segment X on the firewall.
• D. Configure a new vsys for segment X on the firewall.

Correct answer: C

Explanation

The correct answer is C because configuring vwire interfaces allows for transparent traffic inspection without altering the existing IP structure, which meets the admin's requirements for minimal service interruption and no IP changes. Options A and B would not provide the necessary visibility and control in this scenario, while option D involves more complexity and isn't necessary for the stated goal.