View all questions & answers for the Palo Alto Next-Generation Firewall Engineer Exam Materials exam


Palo Alto Next-Generation Firewall Engineer Exam Materials-Question 11 Discussion
Comment Image Comment Image Comment Image

Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third- party gateway? (Choose two answers)

  • A. For incoming and outgoing traffic through the tunnel, creating separate rules for each direction is optional.
  • B. The IKE negotiation and IPSec/ESP packets are allowed by default via the intrazone default allow policy.
  • C. For incoming and outgoing traffic through the tunnel, separate rules must be created for each direction.
  • D. The IKE negotiation and IPSec/ESP packets are denied by default via the interzone default deny policy.
Correct Answer: C,D

Brave-Dump Clients Votes

AB 66.67%
CD 33.33%

Comments



Ayesha 2026-01-27 15:22:04

Selected Answers: A, B


Why C and D are Incorrect (The "Trap" Answers)
Refuting Option C ("Separate rules MUST be created"):

The Trap: Many people think you must have one rule for Trust -> VPN and another for VPN -> Trust.

The Reality: PAN-OS allows Universal rules. You can create a single security policy where the Source Zone is [Trust, VPN] and the Destination Zone is [Trust, VPN]. This one rule allows traffic in both directions.

Conclusion: Because a single rule can work, creating separate rules is Optional, not "Must." (Making Option A the winner).

Refuting Option D ("IKE... denied by default via interzone"):

The Trap: This assumes the IKE negotiation happens between different zones.

The Reality: IKE (UDP 500/4500) occurs between the External Interfaces of the firewalls.

Your External Interface = Untrust Zone.

Peer's External IP = Untrust Zone (from your firewall's perspective).

The Logic: Traffic from Untrust to Untrust is Intrazone traffic.

Default Behavior: The default action for Intrazone traffic on Palo Alto firewalls is Allow.

Conclusion: IKE is allowed by default because it is Intrazone, not Interzone. (Making Option B the winner).

Ayesha 2026-01-27 15:39:35

Selected Answers: A, B


A and B are correct
look here the reference.

check step 7

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

Anonymous User 2026-05-06 20:45:57

Selected Answers: C, D


Reason for `C,D
For IPsec Tunnel and Third Party these will be on different zone , any connection between two zones to be allowed bidirectionally you need two separates rules. and the default policy on any firewall is a deny policy , no traffic is allowed by default unless they on the same interface because even same zone can not communicate on the Palo Alto firewall so C,D wins