Palo Alto Networks Certified Strata Field Engineer (PCSFE) — Question 48

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.
How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

Answer options

• A. Edit the IP address of all of the affected VMs.
• B. Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.
• C. Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).
• D. Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

Correct answer: B

Explanation

The correct answer is B because creating a new virtual switch and using the VM-Series firewall allows for the segmentation of network traffic without altering the existing IP addresses or default gateways. Option A is incorrect as it suggests changing IP addresses, which is not permissible. Option C does not provide the necessary segmentation required for the added security. Option D involves hardware changes and does not address the requirement of keeping IP addresses unchanged.