Review the screenshots and consider the following information:
• FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG
• There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups
Which IP address will be pushed to the firewalls inside Address Object Server-1?
Server-1 on FW-1 will have IP 3.3.3.3 because FW-1 is assigned to the FW-1_DG device group which contains the address object for 3.3.3.3. Server-1 on FW-2 will inherit the address from the Shared device group since its assigned device group, OFFICE_FW_DG, does not have any objects configured, making its IP 1.1.1.1.
The answer is only one - D. FW-1 will get the value from FW-DG1 while FW-2 will get the value from the Shared DG since no values are present in its parent DGs. https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-precedence-of-inherited-objects
This question appeared on PCNSE January 2023
Device Groups take affect in reverse order. So if there are competing setting, the lowest Device Group in the hierarchy takes precedence. FW2 is not in the same hierarchy so inherets the Server 1 setting from the Shared Deviced Group.
D only as chrisy042 has explained!
D is correct
Agreed with chrisy0402, the FW-2 DGs are there to confuse you
Updated link July 2023- https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage-device-groups/manage-precedence-of-inherited-objects