A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
To differentiate multiple VLANs into separate zones on a NGFW firewall between two core switches on a VLAN trunk link, create V-Wire objects with two V-Wire subinterfaces and assign a single VLAN ID to the 'Tag Allowed' field of each V-Wire object. Repeat this process for each additional VLAN, using VLAN ID 0 for untagged traffic. Each interface or subinterface must be assigned to a unique zone.
Correct: B The question says that the firewall was installed on a "trunk" link between to core switches. This mean Layer-3 is not usable in this situation. "Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet." https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html
correct answer is B Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
Best Answer = B Based on PAN Documentation on Virtual Wire Subinterfaces: Virtual wire deployments can use virtual wire subinterfaces to separate traffic into zones. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces.html C is L3 subinterfaces that will require an IP address to pass traffic
Question is asking about traffic between two core switches... and this suggests VWire. In addition the requirement is for each VLAN to have it's own zone.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces
correct answer is B
Answer: B (https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html)
Bad question!
It's option B and anyone who says otherwise has probably never configured on of these firewalls. Insertion into a trunk needs vWire. C and D are plain rubbish and A does not allow individual zones. I actually set this up 7 years ago so no need to guess.
Answer is "B", "C" doesn't seem to be correct because 2 layers 3 interfaces in the firewall will force you to change the g/w for all endpoints to be the FW instead of the core switch, moreover "Do not assign any interface an IP address" is another obstacle, then how will you route the traffic from the ingress port to the egress one !!
The correct is D, C is layer 3.
B is correct
answer is D
Correct answer is C
Explain why?
c can't be correct layer 3 always needs an IP
Ans is D. A. Define a range of "0-4096" will allow all VLAN pass through the vWire but can not separate zones. B. Can not assign VLAN ID to the "Tag Allowed" of V-Wire subinterfaces C. Layer 3 subinterfaces can not link between two physical interface unless use vWire subinterfaces or Layer 2 subinterfaces
C is correct.