Exam PCNSE topic 1 question 113 discussion

Correct: B The question says that the firewall was installed on a "trunk" link between to core switches. This mean Layer-3 is not usable in this situation. "Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html

correct answer is B Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

B is correct

Question is asking about traffic between two core switches... and this suggests VWire. In addition the requirement is for each VLAN to have it's own zone.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces

answer is D

correct answer is B

Answer: B (https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html)

Bad question!

It's option B and anyone who says otherwise has probably never configured on of these firewalls. Insertion into a trunk needs vWire. C and D are plain rubbish and A does not allow individual zones. I actually set this up 7 years ago so no need to guess.

Answer is "B", "C" doesn't seem to be correct because 2 layers 3 interfaces in the firewall will force you to change the g/w for all endpoints to be the FW instead of the core switch, moreover "Do not assign any interface an IP address" is another obstacle, then how will you route the traffic from the ingress port to the egress one !!

Correct answer is C

Best Answer = B Based on PAN Documentation on Virtual Wire Subinterfaces: Virtual wire deployments can use virtual wire subinterfaces to separate traffic into zones. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces.html C is L3 subinterfaces that will require an IP address to pass traffic

c can't be correct layer 3 always needs an IP

The correct is D, C is layer 3.

Ans is D. A. Define a range of "0-4096" will allow all VLAN pass through the vWire but can not separate zones. B. Can not assign VLAN ID to the "Tag Allowed" of V-Wire subinterfaces C. Layer 3 subinterfaces can not link between two physical interface unless use vWire subinterfaces or Layer 2 subinterfaces

C is correct.