An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface.
What are three supported functions on the VWire interface? (Choose three.)
The Palo Alto Networks virtual wire (VWire) interface supports SSL Decryption, QoS, and NAT functions. You wouldn't use a virtual wire for IPSec because it does not support protocols that require Layer 2 or Layer 3 addresses. Similarly, OSPF, being a routing protocol, is also not supported since VWire interfaces do not participate in routing functions.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces
The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces "The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."
The virtual wire supports the blocking or allowing of traffic based on the virtual LAN (VLAN) tags. The virtual wire also supports Security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active high availability (HA), QoS, zone protection (with some exceptions), non-IP protocol protection, denial of service (DoS) protection, packet buffer protection, tunnel content inspection,and NAT.
CDE A is incorrect because: You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing because they require a Layer 2 or Layer 3 address.
CDE is correct. Vwire interfaces cannot be used as IPsec termination points.
CDE are the correcto options
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces
no switching or routing for Vwire
CDE are correct
I guess easiest approach for this is discard anything that needs an IP (or MAC) as Vwire interfaces do not support IP or MAC
It is CDE.
CDE. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, "DECRYPTION", LLDP, active/passive and active/active HA, "QOS", zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and "NAT".
You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing because they require a Layer 2 or Layer 3 address. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces
Options: B/D/E - The virtual wire allows the firewall to maintain a transparent presence acting as a pass-through link, while still providing security, NAT, and QoS services. - In order for routing (Layer 3) control packets to pass through a virtual wire, you must apply a security policy rule that allows the traffic to pass through. For example, apply a security policy rule that allows an application such as BGP or OSPF. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/layer-2-and-layer-3-packets-over-a-virtual-wire#id176TE0F0UDU_id176TE000DXC
CDE links from nose999, TAKUM1y and al12345 point that clearly