PSE software firewall associate



Dear all, 

I need your help to find the answers to my exam questions; I am really confused about some questions on the PSE Software Firewall Associate exam. Please help me find the right answers.

1. What is the preferred way to analyze traffic logs generated from multiple data center firewalls?

a) Use Palo Alto Networks Prisma Access console to view all firewall logs.
b) Log in to one of the firewalls in order to request the log of the other firewalls.
c) Log in to each firewall and generate the log in a PDF format before analyzing it.
d) Use Panorama for aggregated logging with central oversight for analysis and

2. Which VM-Series deployment model within vSphere allows for firewall insertion into an existing network and will also require additional VLANs for each tenant or application boundary?

  • Layer 2
  • Layer 3
  • Layer 7
  • Virtual wire (vwire)

3. What type of firewalls are used in the data center as segmentation gateways to provide visibility into data center traffic?

  • Segment and secure non-virtualized servers with physical firewalls and the virtual network with VM-Series firewalls.
  • Physical firewalls should be used for all data center traffic.
  • Data centers are mostly virtualized and only VM-Series firewalls need to be used.
  • Segment users with Prisma access.

Thank you

1 REPLY

Hi @Tugsbold,

Here is my humble opinion, and I am happy to hear if anyone has different thoughts.


Question 1: Here the answer should definitely be D) Use Panorama. The main purpose of Panorama is to provide centralized management and log storage when you have a multiple-firewall deployment. B) is completely wrong: you cannot request to review logs from other devices when connected to one of them; only Panorama can do that. C) is possible but definitely not a preferable way to analyse/review logs from multiple locations: the purpose of a PDF file is to be portable (easily opened on different platforms), and it will be unreasonably hard to filter, search, merge or aggregate logs from multiple files. A) I don't have real experience with Prisma Access, so I am not sure what "Prisma Access console" is referring to. But the question is asking about "data center firewalls", which I don't believe can be managed by Prisma Access. You can have Panorama, which you can use to manage your on-prem firewalls and your SASE, but that is different from what this answer is describing.


Question 2: C) is a completely wrong answer; there is no Layer 7 mode. B) Deploying a PAN FW with Layer 3 interfaces requires a different subnet to be assigned to each interface, so you cannot use the existing network, and putting in the firewall will require creating new subnets. D) is a possible solution, because virtual wire acts as a "bump in the wire", which means that the FW is transparent to the rest of the network; you don't have to create new or change existing networks (just cut the cable in half and put a firewall in between). However, virtual wire does not require the creation of VLANs. You can create subinterfaces and assign a different zone to each VLAN, but this is optional. Which leaves us with A). When FW interfaces are in Layer 2 mode, the FW acts as a switch: it uses MAC addresses to forward frames, which means you can put the FW in without changing the existing network. In addition, Layer 2 mode allows you to separate traffic into VLANs (see Layer 2 Interfaces on paloaltonetworks.com).


Question 3: For me the correct answer here is A). Let's use the elimination method again. D) is totally wrong; the question is asking about segmenting traffic in a data center, so there is no place for user edge access. C) Not true; although virtualization has been quite common in the last decade and "everybody is going to the cloud", there are lots of physical data centers, which require a powerful network infrastructure for which physical network devices are still preferred. B) It could be, but it is not the best solution for all cases. If you have two VMs on the same hypervisor host that need to communicate and you want to inspect/restrict this traffic with a firewall, it doesn't make sense to route the traffic from the host to a firewall and route it back to the same host. It makes more sense to put in a virtual firewall which can inspect that traffic without the need to move it in and out of the host, which also explains why A) should be the preferable answer.
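The point made for Question 1 (per-device exports cannot be searched, merged or correlated across firewalls, which is what aggregated logging buys you) can be shown with a small script. This is an added illustration, not code from the original post or from Palo Alto Networks: it merges constructed traffic-log exports from three firewalls with made-up serial numbers into one timeline and then answers a question that no single device's log can answer, namely which source was denied on more than one firewall. The simplified CSV layout (`receive_time,serial,src,dst,dport,action`) is an assumption for the example, not the real PAN-OS export format.

```python
"""Merge traffic logs from several firewalls into one timeline and
correlate across devices. Added illustration for the Panorama discussion
above; not code from the original post or from Palo Alto Networks.
Records are constructed sample data in a simplified CSV layout
(assumption: receive_time,serial,src,dst,dport,action), not the real
PAN-OS export format."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample exports from three data center firewalls (fake serials).
FW_EXPORTS = {
    "007000001111": """\
2024/05/01 10:00:01,007000001111,10.1.1.5,10.2.0.10,443,allow
2024/05/01 10:00:04,007000001111,198.51.100.7,10.2.0.10,22,deny
2024/05/01 10:00:09,007000001111,10.1.1.6,10.2.0.11,3306,allow
""",
    "007000002222": """\
2024/05/01 10:00:02,007000002222,198.51.100.7,10.3.0.20,22,deny
2024/05/01 10:00:07,007000002222,10.1.2.9,10.3.0.21,443,allow
""",
    "007000003333": """\
2024/05/01 10:00:03,007000003333,198.51.100.7,10.4.0.30,3389,deny
2024/05/01 10:00:05,007000003333,10.1.3.2,10.4.0.30,3389,deny
""",
}

FIELDS = ["receive_time", "serial", "src", "dst", "dport", "action"]
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_export(text):
    """Parse one firewall's CSV export into a list of dict records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["receive_time"], TIME_FMT)
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def merge_timeline(exports):
    """Aggregate every device's records into one list ordered by receive time."""
    merged = []
    for text in exports.values():
        merged.extend(parse_export(text))
    return sorted(merged, key=lambda r: (r["ts"], r["serial"]))


def sources_denied_on_multiple_firewalls(records, min_devices=2):
    """Return {src: sorted serials} for sources denied on at least
    min_devices firewalls. Only visible once the logs are aggregated:
    each device on its own sees a single deny."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            seen[r["src"]].add(r["serial"])
    return {src: sorted(s) for src, s in seen.items() if len(s) >= min_devices}


def filter_timeline(records, **match):
    """Filter the merged timeline by equality on any field, e.g. dport=22,
    across all devices at once."""
    return [r for r in records if all(r.get(k) == v for k, v in match.items())]


if __name__ == "__main__":
    timeline = merge_timeline(FW_EXPORTS)
    for r in timeline:
        print(r["receive_time"], r["serial"], r["src"], "->",
              r["dst"], r["dport"], r["action"])
    print("denied on several firewalls:",
          sources_denied_on_multiple_firewalls(timeline))
    print("ssh attempts:", len(filter_timeline(timeline, dport=22)))
```

With the constructed data, 198.51.100.7 is denied once on each of the three devices; in three separate PDF exports that reads as three isolated events, while the merged timeline flags it as the same source probing the whole data center.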
