
Exam NGFW-Engineer topic 1 question 3 discussion

Actual exam question from Palo Alto Networks's NGFW-Engineer
Question #: 3
Topic #: 1
[All NGFW-Engineer Questions]

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)

  • A. For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.
  • B. The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.
  • C. For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.
  • D. The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.
Suggested Answer: CD

Comments

fosi130
5 days, 13 hours ago
Selected Answer: CD
It is CD.
upvoted 1 times
...
1318f4b
6 days, 10 hours ago
Selected Answer: AB
A: You don't have to have a separate rule for each direction of traffic; you could put all the zones on both sides of the rule. It is a best practice to separate the rules by direction, but it is not required.
B: IKE and IPsec will happen Untrust to Untrust, so they will be allowed by the intrazone rule.
upvoted 1 times
...
mirko1976
3 weeks, 4 days ago
Selected Answer: CD
C. Separate rules must be created: On Palo Alto Networks firewalls, security policies are unidirectional. This means that for bi-directional communication through an IPSec VPN, you need to create two separate security rules: one for traffic entering the tunnel and another for traffic exiting the tunnel. This ensures traffic in both directions is explicitly permitted.
D. IKE and IPSec packets are denied by default: IKE negotiation (UDP 500/4500) and IPSec ESP (protocol 50) traffic does not match existing policies by default. If the tunnel interface connects different zones (e.g., "untrust" to "vpn"), and there are no explicit rules, the traffic will hit the interzone-default-deny policy and be blocked. Therefore, you must create a rule to explicitly allow IKE and IPSec traffic if needed.
upvoted 1 times
...
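The two comments above disagree on whether IKE/ESP is allowed or denied by default, and on whether one rule or two is needed per direction. The model below, added here as an illustration and not part of the thread or of any Palo Alto Networks code, reproduces the policy-evaluation behaviour both sides rely on: rules are matched top-down on (from-zone, to-zone, App-ID) and are directional, traffic that stays in one zone and matches no rule hits the implicit intrazone-default (allow), and traffic that crosses zones and matches no rule hits the implicit interzone-default (deny). Zone names ("trust", "vpn", "untrust"), rule names, and the scenarios are constructed; address, user and service matching are left out of the model; the App-ID names "ike" and "ipsec-esp" are the PAN-OS ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One session as the policy engine sees it: ingress zone, egress zone, App-ID."""
    from_zone: str
    to_zone: str
    app: str


@dataclass(frozen=True)
class Rule:
    """A security rule. 'any' in a set matches everything. Rules are directional:
    from_zones is only ever compared against the ingress zone, to_zones against
    the egress zone, so a rule never matches the reverse direction by itself."""
    name: str
    from_zones: frozenset
    to_zones: frozenset
    apps: frozenset
    action: str  # "allow" or "deny"

    def matches(self, flow):
        def hit(allowed, value):
            return "any" in allowed or value in allowed
        return (hit(self.from_zones, flow.from_zone)
                and hit(self.to_zones, flow.to_zone)
                and hit(self.apps, flow.app))


def evaluate(rulebase, flow):
    """Top-down first match; fall through to the two implicit default rules."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def rule(name, from_zones, to_zones, apps, action="allow"):
    return Rule(name, frozenset(from_zones), frozenset(to_zones), frozenset(apps), action)


# Constructed scenario: LAN behind the firewall in zone "trust", the tunnel
# interface in zone "vpn", the peer-facing physical interface in zone "untrust".
ONE_DIRECTION = [rule("lan-to-vpn", ["trust"], ["vpn"], ["any"])]
TWO_DIRECTIONS = ONE_DIRECTION + [rule("vpn-to-lan", ["vpn"], ["trust"], ["any"])]
# The shortcut from the thread: both zones on both sides of a single rule.
ONE_RULE_BOTH_ZONES = [rule("lan-vpn-any", ["trust", "vpn"], ["trust", "vpn"], ["any"])]
# A hardened rulebase with a catch-all deny at the bottom: the intrazone default
# never gets reached, so IKE/ESP to the firewall's own interface needs its own rule.
LOCKED_DOWN = [rule("deny-everything-else", ["any"], ["any"], ["any"], "deny")]
EXPLICIT_IKE_FIRST = [rule("allow-ike-esp", ["untrust"], ["untrust"], ["ike", "ipsec-esp"])] + LOCKED_DOWN


def verdicts(rulebase, flows):
    """Evaluate each flow against a rulebase; returns {flow: (rule_name, action)}."""
    return {f: evaluate(rulebase, f) for f in flows}


if __name__ == "__main__":
    sample = [Flow("untrust", "untrust", "ike"), Flow("trust", "vpn", "ssh"),
              Flow("vpn", "trust", "ssh"), Flow("trust", "trust", "ssh")]
    for label, rb in [("empty", []), ("one direction", ONE_DIRECTION),
                      ("two directions", TWO_DIRECTIONS),
                      ("one rule, both zones", ONE_RULE_BOTH_ZONES),
                      ("locked down", LOCKED_DOWN), ("explicit ike first", EXPLICIT_IKE_FIRST)]:
        print(f"== {label}")
        for flow, (name, action) in verdicts(rb, sample).items():
            print(f"  {flow.from_zone}->{flow.to_zone} {flow.app}: {action} ({name})")
```

Two things to check when reviewing such a rulebase: a single rule with every zone on both sides also matches trust-to-trust and vpn-to-vpn sessions, which is wider than the pair of directional rules; and a trailing catch-all deny silently overrides the intrazone default, so the rulebase then needs an explicit allow for the "ike" and "ipsec-esp" App-IDs or the tunnel will not come up.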
Kick86
4 weeks ago
Selected Answer: BD
B and D are correct.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted