Exam PCNSE
Question 378

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.

There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

What is the best option for the administrator to take?

    Correct Answer: C

    To achieve visibility on segment X while also planning to apply Security rules later, configuring virtual wire (vwire) interfaces on the firewall is the best option. Vwire mode allows inspection and enforcement of security policy without requiring any changes to the IP configuration. It also minimizes service interruptions, since the traffic simply passes through the firewall at Layer 2 and the existing routing on the backbone switch stays as it is. This makes it the ideal choice for the administrator's requirements.
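The two deployment modes the answer contrasts, as an added configuration sketch that is not part of the original page: a tap interface for the visibility-only phase, and a virtual wire placed inline on the same segment for the enforcement phase. The interface names (ethernet1/3, 1/4, 1/5), zone and rule names are assumed, the PAN-OS configure-mode syntax is reproduced from memory and should be checked against your PAN-OS version, and the `#` lines are annotations rather than CLI input.

```text
# --- Phase 1: visibility only. SPAN/mirror traffic from the backbone
# switch lands on a tap interface; nothing is inline, no IP changes.
configure
set network interface ethernet ethernet1/5 tap
set zone segx-tap network tap ethernet1/5
# A rule is still needed so the traffic is logged, but in a tap zone the
# action is effectively observation only: the firewall holds a copy and
# cannot drop or reset anything on the real segment.
set rulebase security rules segx-monitor from segx-tap to segx-tap source any destination any application any service any action allow log-end yes
commit

# --- Phase 2: enforcement. Two ports form a virtual wire that is cabled
# between the backbone switch and segment X. The vwire has no IP address,
# the switch keeps routing the segment, and the only interruption is the
# cable move.
configure
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw-segx interface1 ethernet1/3 interface2 ethernet1/4
set zone segx-switch network virtual-wire ethernet1/3
set zone segx-hosts network virtual-wire ethernet1/4
# Now the Security rules between the two vwire zones actually enforce:
# allow, deny, reset and threat actions apply to the live traffic.
set rulebase security rules segx-allow from segx-switch to segx-hosts source any destination any application any service any action allow log-end yes
commit
```

The point the question is testing is visible in the two rules: the tap rule only produces logs, whereas the vwire rule decides what reaches segment X.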

Discussion
scally (Option: C)

The correct answer is C. As it specifically states in the question that security rules will be applied, VWire is the only method that allows this without making any IP address changes.

TheIronSheik

"security rules will be applied AFTER visibility". The word "after" makes me wonder.

nose999 (Option: C)

Maybe C as security rules will also be applied later

dorf05 (Option: C)

Key word: "The administrator is planning to apply Security rules on segment X after getting the visibility"... and you cannot apply Security rules on segment X using TAP mode.

dgonz (Option: A)

A - Tap admin just wants to have traffic visibility.

Pacheco

Nope. They also want to apply sec policies to it. "The administrator is planning to apply Security rules on segment X after getting the visibility"

34f7d3a (Option: A)

the answer is A - A firewall administrator wants to have visibility on one segment of the company network. Guys why don’t you read with understanding?

Pacheco

You should really take your own advice. It clearly says "The administrator is planning to apply Security rules on segment X after getting the visibility". Traffic from tap interfaces is not subject to policy enforcement, you just get a copy of it and that's it.

franko_72

In the exam, July 2023.

piipo (Option: C)

apply Security rules

sov4 (Option: C)

Gotta be C. The traffic isn't on the firewall yet, so a tap won't help. Only a virtual wire will allow for visibility, security policy, no IP changes, and low downtime.

0d2fdfa (Option: A)

security rules will be applied but this is only to monitor the traffic. The least intrusive way is TAP mode.

scanossa (Option: C)

It needs to apply security policies, which TAP cannot do, so it's C.

Marshpillowz (Option: C)

I think C

Metgatz (Option: C)

C - The administrator is planning to apply Security rules on segment X after getting the visibility.

electro165 (Option: A)

TAP Interface: A TAP interface allows you to monitor network traffic without disrupting the existing traffic flow. It operates in a passive mode, where it copies traffic for analysis without impacting the original traffic. This means you can gain visibility into segment X without changing the routing or IP configurations. Minimum Service Interruptions: Since the TAP interface is passive and does not actively participate in routing or affecting traffic, it minimizes service interruptions. It won't introduce any routing changes or disruptions to segment X. No IP Changes: The administrator wants to avoid making IP changes, and configuring a TAP interface allows you to do just that. It won't require any IP address changes or reconfiguration of the existing network.

Pacheco

Nope. They also want to apply sec policies to it. "The administrator is planning to apply Security rules on segment X after getting the visibility"

ChiaPet75 (Option: C)

I'm on the "C" team. At first I thought the Admin could just "TAP" the backbone switch for visibility, but since the goal is to apply Security rules on the segment that is being monitored, vWire makes the most sense.

ruben_castro81 (Option: A)

The key word is "after". This question mentions: "The administrator is planning to apply Security rules on segment X AFTER getting the visibility"... I think that TAP is the best option.

DLRG (Option: C)

I think C. Keep in mind, however, that because the traffic is not running through the firewall when in tap mode, it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.