Exam PCNSE
Question 181

The following objects and policies are defined in a device group hierarchy.

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group

NYC-DC has NYC-FW as a member of the NYC-DC device-group

What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?

    Correct Answer: D

    Dallas-FW will receive address objects Shared Address1, Shared Address2, and Branch Address1, as well as policies Shared Policy1 and Branch Policy1. With the 'Share Unused Address and Service Objects' option enabled in Panorama, unused address objects are shared, but policies targeted to specific devices not matching Dallas-FW are not pushed to it. Shared Policy2 targets NYC-FW specifically, so it will not be pushed to Dallas-FW.

Discussion
homersimpson (Option: D)

Panorama will not push anything from Data-Centers group. That rules out C. Panorama will push all objects from "Shared", which rules out A. Note that the target of "Shared Policy 2" is NYC-FW, so this policy won't get pushed to Dallas-FW. This rules out B. Thus, answer is D.

Micutzu (Option: D)

D is correct.

Bighize

I agree with Micutzu. I built this out in my lab. Dallas will not receive anything from the DataCenter Group. Only from the shared and the Branch group. D is Correct.

Pretorian (Option: A)

There's no "Branch Policy1" by the way...

GivemeMoney (Option: D)

Hard to freaking read, but yes answer is really D.

Plato22 (Option: C)

C is correct. It will receive everything under the Share.

homersimpson

No, it will not receive Shared Policy 2 because that policy has a specific target of NYC.

scanossa (Option: D)

Question asks about Dallas-FW, so every answer with "Shared Policy2" is discarded since it is related to NYC-FW. A is discarded because it does not have both address objects. D is the correct answer.

Marshpillowz (Option: D)

D is correct

ansibai (Option: D)

When you push configuration changes to Device Groups, by default Panorama pushes all shared objects to firewalls whether or not any shared or device group policy rules reference the objects. However, you can configure Panorama to push only the shared objects that rules reference in the device groups. The Share Unused Address and Service Objects with Devices option enables you to limit the objects that Panorama pushes to the managed firewalls. If "Share Unused Address and Service Objects with Device" is disabled/unchecked, Panorama evaluates unused objects while pushing configuration to the device. However, this feature ignores the "target device" in security rules while evaluating unused objects.
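
A simplified model of the push behaviour discussed in this thread, added here as an example; it is not part of any comment and is not Palo Alto Networks code. The group name "Branches", the "DC" entries and the rule-to-object references are constructed, since the question's diagram is not on the page.

```python
# Simplified model of a Panorama device-group push (constructed data, see lead-in).
PARENT = {"Branches": "Shared", "Dallas-Branch": "Branches",
          "Data-Centers": "Shared", "NYC-DC": "Data-Centers"}
MEMBER_OF = {"Dallas-FW": "Dallas-Branch", "NYC-FW": "NYC-DC"}
OBJECTS = {  # address object -> device group where it is defined
    "Shared Address1": "Shared", "Shared Address2": "Shared",
    "Branch Address1": "Branches", "DC Address1": "Data-Centers"}
RULES = [  # (name, device group, target firewalls or None for all, referenced objects)
    ("Shared Policy1", "Shared", None, ["Shared Address1"]),
    ("Shared Policy2", "Shared", {"NYC-FW"}, ["Shared Address2"]),
    ("Branch Policy1", "Branches", None, ["Shared Address1"]),
    ("DC Policy1", "Data-Centers", None, ["DC Address1"]),
]

def ancestry(fw):
    """Device groups the firewall inherits from: its own group up to Shared."""
    chain, dg = [], MEMBER_OF[fw]
    while dg:
        chain.append(dg)
        dg = PARENT.get(dg)
    return chain

def pushed_config(fw, share_unused=True):
    """Return (objects, policies) the firewall receives under this model."""
    scope = set(ancestry(fw))
    in_scope_rules = [r for r in RULES if r[1] in scope]
    # A rule with a target is pushed only to the firewalls named in it.
    policies = {name for name, _, target, _ in in_scope_rules
                if target is None or fw in target}
    objects = {o for o, dg in OBJECTS.items() if dg in scope}
    if not share_unused:
        # Option unchecked: keep only referenced objects. The usage check
        # ignores rule targets, so every in-scope rule counts as a reference.
        referenced = {o for _, _, _, refs in in_scope_rules for o in refs}
        objects &= referenced
    return objects, policies

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, pushed_config("Dallas-FW", share_unused=flag))
```

With the option unchecked, the model keeps Shared Address2 on Dallas-FW even though its only referencing rule targets NYC-FW, and drops the unreferenced Branch Address1.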

DatITGuyTho1337 (Option: D)

Answer is "D" but I had to re-read the meaning of the "share unused address and service objects with devices" phrase because it is entirely COUNTER PRODUCTIVE to what it actually does. By default Panorama will share ALL objects whether or not they are used by members of the device group. Ticking the option above DISABLES that function forcing Panorama to only send objects that are used by the members of service groups. I swear a lot of PAN articles need proper grammar checks as they confuse learners. Even the aforementioned phrase should be changed to something like: "DISABLE sharing unused address and service objects with devices" See how much more clear that option now is? I think I will contact PAN customer support to factor this change. PAN tech is complicated enough, we don't need overly complicated grammar to make it even worse to understand!!!!!

DenskyDen (Option: D)

D. Because everything will be shared except for the shared policy 2, because it is targeting to share only with NYC-FW.

secdaddy

None of the above as the shared policy 1 has a typo in the target fw name (yes I know none of the above isn't an option)

UFanat (Option: D)

"Shared Policy 2" has set Target Device as NYC-FW, so Dallas-FW will never get it. (so B and C are not applicable) Dallas-FW should also get both Shared Addresses 1 and 2 (So A is not applicable)

AbuHussain (Option: D)

D is correct.

confusion (Option: D)

Definitely D

anil4924 (Option: A)

A is correct.

Bighize (Option: D)

D is correct. I agree with Micutzu. I built this out in my lab. Dallas will not receive anything from the DataCenter Group. Only from the shared and the Branch group. D is Correct.