A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?
A is correct given the question mentions that the local end doesn't know about any addresses (IP or FQDN) at the remote end. Enable Passive Mode is an optional setting which forces the gateway to only respond and not initiate. Even if it is not configured on the local end, the understanding is that the remote end will always initiate the connection, as otherwise the VPN will not establish anyway, since the local gateway doesn't know the IP or FQDN of the remote gateway to initiate the connection. The most appropriate choice here is A.
This question seems to have had its answers rearranged, since some of the explanations below discuss different letters than what is assigned. Both A and B are correct IMHO, but my first choice would be "Dynamic IP" since the tunnel wouldn't work w/o it, and second choice would be "passive mode" because without that you'd get error messages generated in the logs when the local side tried to initiate the tunnel to an IP it doesn't know.
In my opinion both A and B are correct.
From the question description, they mention that the peer device will act as an initiator and that none of the peer device's addresses are known. Then the question asks what needs to be configured... Since they say the peer device (on the other end) is the initiator and none of its addresses are known, they are asking about the configuration that needs to be set on the local device (which must NOT initiate the VPN connection since it doesn't know the remote peer's addresses). Therefore, on the local device, we need to set the peer IP type to dynamic and check Enable Passive Mode.
From the Help menu in the WebUI of PAN-OS 10.2:
"Select one of the following settings and enter the corresponding information for the peer:
• Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation."
and
"Enable Passive Mode
Click to have the firewall only respond to IKE connections and never initiate them."
I think the "never initiates IKE connection" is the crucial point.
Would go for A
The answer is B.
When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection.
The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.
Therefore, the correct answer is B.
"using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address" -- No, on the local firewall, when you select "dynamic", there is no field to enter the ip address of the peer, that's the whole point. The local fw allows the peer to connect from any IP. BTW I prefer this as the answer. But it's also true that we would select "passive mode" on the local fw since it can't initiate the connection. BTW, this question seems to have had its answer letters rearranged since some of these comments.
A according to this link
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
Note: Since Firewall B has the dynamic IP address, it needs to be the initiator for the VPN tunnel each time. Hence, do not select "Enable Passive Mode."
But for the MAIN firewall, "Note: Since this is the static peer and does not know the IP address of the dynamic end, it would not be able to initiate the VPN. Hence, we selected the option "Enable Passive Mode.""
A & B are both correct:
Since the other end is initiating, you need to set passive mode on the local fw, and you also need to set dynamic for the peer-IP-type.
The question did not state which FW (Local or Remote) they are referring to.
For local ike settings (enable passive mode)
For Remote (assuming using DHCP) ike settings (no passive mode)
I would assume they are asking for the local FW IKE config, which should enable passive mode.
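As an added worked example (not from any poster in this thread and not Palo Alto Networks code), the following Python models the two settings the thread keeps returning to, the peer IP address type and the Enable Passive Mode checkbox, for both ends of a tunnel and reports which side is able to send the first IKE message. It encodes only what the quoted Help text and the KB article state: a gateway with peer type Dynamic leaves initiation to the peer, and a gateway in passive mode never initiates. The gateway names, the field names and the example peer address are constructed assumptions and are not PAN-OS CLI or API syntax.

```python
from dataclasses import dataclass

# Peer IP address types as labelled in the WebUI Help text quoted in the thread.
PEER_TYPES = ("ip", "fqdn", "dynamic")


@dataclass(frozen=True)
class IkeGateway:
    """One firewall's IKE gateway object, reduced to the two settings under discussion.

    Field names are this example's own (assumed), not PAN-OS configuration keys.
    """
    name: str
    peer_type: str              # how this firewall identifies its peer: "ip", "fqdn" or "dynamic"
    passive_mode: bool = False  # the "Enable Passive Mode" checkbox

    def __post_init__(self):
        if self.peer_type not in PEER_TYPES:
            raise ValueError(f"{self.name}: unknown peer type {self.peer_type!r}")

    def can_initiate(self) -> bool:
        # Initiating IKE needs a destination (a static IP or a resolvable FQDN) and a
        # gateway that is not pinned to respond-only by passive mode. With peer type
        # "dynamic" the Help text says it is up to the peer to initiate, so this side
        # never starts the exchange regardless of the passive-mode setting.
        return self.peer_type != "dynamic" and not self.passive_mode


def evaluate_tunnel(local: IkeGateway, remote: IkeGateway):
    """Decide whether the pair can bring the tunnel up and which side will initiate.

    Returns (ok, initiators, findings): ok is False when neither side can send the
    first IKE message; findings holds review remarks about each side's settings.
    """
    findings = []
    for side in (local, remote):
        if side.peer_type == "dynamic" and not side.passive_mode:
            findings.append(
                f"{side.name}: peer type is dynamic, so it cannot initiate anyway; "
                "enabling passive mode makes the respond-only role explicit")
        if side.peer_type != "dynamic" and side.passive_mode:
            findings.append(
                f"{side.name}: knows the peer address but is passive; "
                "the other side must initiate every time (the KB article's warning)")
    initiators = [side.name for side in (local, remote) if side.can_initiate()]
    if not initiators:
        findings.append("neither side can initiate: the tunnel will never establish")
    return bool(initiators), initiators, findings


def question_scenario():
    """The scenario in the exam question: the local firewall knows none of the peer's
    addresses (peer type dynamic, passive mode on) and the peer, which knows the local
    firewall's static address, initiates. Names and the address are constructed."""
    local = IkeGateway("local-fw", peer_type="dynamic", passive_mode=True)
    # The peer points at the local firewall's static address, e.g. 203.0.113.10 (constructed).
    remote = IkeGateway("peer-fw", peer_type="ip", passive_mode=False)
    return evaluate_tunnel(local, remote)


if __name__ == "__main__":
    ok, who, notes = question_scenario()
    print("question scenario -> tunnel can establish:", ok, "| initiator:", who)
    for note in notes:
        print("  -", note)

    # Misconfiguration the KB article warns about: the dynamic-address side is also
    # set to passive, so nobody ever sends the first IKE message.
    ok, who, notes = evaluate_tunnel(
        IkeGateway("local-fw", "dynamic", passive_mode=True),
        IkeGateway("peer-fw", "ip", passive_mode=True))
    print("both passive -> tunnel can establish:", ok)
    for note in notes:
        print("  -", note)
```

Running the module prints the question's scenario (only the peer can initiate, no findings) and the both-passive misconfiguration (no initiator, tunnel never establishes). The model deliberately treats Dynamic and passive mode as independent: Dynamic removes the address the local firewall would need to initiate, passive mode removes the intent, which is why the thread's "A and B are both correct" reading still leaves exactly one side able to start the exchange.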
Community vote distribution: A (35%), C (25%), B (20%), Other