
PCNSE Exam - Question 378


A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.

There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

What is the best option for the administrator to take?

Correct Answer: C

To achieve visibility on segment X while also planning to apply security rules later, configuring vwire interfaces on the firewall is the best option. Vwire mode allows for the inspection and enforcement of security policies without requiring any changes to the IP configurations. It also minimizes service interruptions since the traffic will simply pass through the firewall, maintaining the existing network routing and structure. This makes it the ideal choice for the administrator's requirements.

Discussion

30 comments
scally (Option: C)
Sep 11, 2022

The correct answer is C. As it specifically states in the question that security rules will be applied, VWire is the only method that allows this without making any IP address changes.

TheIronSheik
Feb 21, 2023

"security rules will be applied AFTER visibility". The word "after" makes me wonder.

nose999 (Option: C)
Sep 8, 2022

Maybe C as security rules will also be applied later

west33637 (Option: A)
Oct 28, 2022

The answer is A. Some things to note: the question says the admin is looking for visibility, with minimal disruption and no IP changes. The firewall is already in L3 mode and acting as a layer internet gateway. Also to note, the question says that the administrator is looking to add security rules AFTER he has gained some visibility. Tap mode is designed specifically for what this question is asking - see the documentation - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/tap-interfaces

javim
Jan 21, 2023

I totally agree!

Pacheco
Feb 13, 2024

Nope. You can't apply sec policies to traffic from tap interfaces, not now not later.

melmokad
Sep 13, 2022

to apply Security rules on segment X >> C

dgonz (Option: A)
Sep 8, 2023

A - Tap admin just wants to have traffic visibility.

Pacheco
Feb 13, 2024

Nope. They also want to apply sec policies to it. "The administrator is planning to apply Security rules on segment X after getting the visibility"

dorf05 (Option: C)
Nov 18, 2023

Key word: "The administrator is planning to apply Security rules on segment X after getting the visibility"... and you cannot apply security rules on segment X using TAP mode.

DrNick0
Sep 20, 2022

Since they want security policies, TAP is not an option. TAP is no touch, only see. Vwire can inspect traffic, apply security policies, VLANs etc. C is correct.

happyism
Oct 19, 2022

VirtualWire: A virtual wire deployment simplifies firewall installation and configuration because you can insert the firewall into an existing topology without assigning MAC or IP addresses to the interfaces, redesigning the network, or reconfiguring surrounding network devices. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags. It also supports Security policy rules.

mic_mic (Option: A)
Jan 31, 2023

The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. C also works, but does not give minimum service interruptions. The administrator is planning to apply Security rules on segment X after getting the visibility (then he must switch from TAP to VWIRE). Indeed the question leaves room for speculation: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/tap-interfaces

DenskyDen
Feb 8, 2023

The question states: "The administrator is planning to apply Security rules on segment X after getting the visibility", so if you are to use TAP then you will not be able to use security policy, but if you use vwire, then you can monitor and apply the policy.

Marbot (Option: A)
Mar 5, 2023

Tap Interface is enough for the planning stage; the administrator can create policy in preparation from TAP traffic. "In addition, when in tap mode, the firewall can also identify threats on your network." Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/tap-interfaces

certprep2021 (Option: A)
Mar 14, 2023

The administrator wants to have visibility over the network with minimal disruption, so obviously a TAP interface gives visibility without interruption.

lildevil
Jun 2, 2023

But the FW in question is the internet FW and the traffic is a company segment... it's not on the FW yet, so the TAP will not help here.

Frightened_Acrobat (Option: A)
Mar 28, 2023

I have to agree with the A team. Here's why. 1) Keyword 'visibility.' This is used to describe the function of the tap interface. 2) Inference is made to the backbone switch, which could easily be tapped. 3) Won't be doing security until 'after' getting visibility. 4) Zero service disruption. 5) Security can be done later on a vwire interface on same firewall.

Frightened_Acrobat
May 4, 2023

This one is confusing because the question mentions security rules will be set up later. However, even setting up vwire interfaces, the admin would have to reconfigure the Layer 3 interface to vwire or configure a route out another vwire interface from the firewall. This adds complexity to the setup and could cause major service disruption if configured incorrectly. The backbone switch could be a layer 3 switch and provide the routing necessary, but you're talking about configuring a new VLAN, which introduces the same level of complexity and maximizes the possibility of service disruption. So I'm still sticking to A as my answer.

Pacheco
Feb 13, 2024

Even if you plan to apply sec policies to that traffic a year later, you won't be able to using tap interfaces.

lildevil
Jun 2, 2023

I think the issue with A is that the question implies it wants visibility on one segment of the "company network" that is on a "backbone switch". The firewall in place they reference is the Internet gateway (with available resources). It would appear that the FW they reference does not already have the traffic, so a TAP interface would not help here.

sov4 (Option: C)
Jul 30, 2023

Gotta be C. The traffic isn't on the firewall yet and so a tap won't help. Only a virtual wire will allow for visibility, security policy, no IP changes, and low downtime.

piipo (Option: C)
Nov 6, 2023

apply Security rules

franko_72
Dec 15, 2023

In the exam, July 2023.

34f7d3a (Option: A)
Dec 17, 2023

The answer is A - "A firewall administrator wants to have visibility on one segment of the company network." Guys, why don't you read with understanding?

Pacheco
Feb 13, 2024

You should really take your own advice. It clearly says "The administrator is planning to apply Security rules on segment X after getting the visibility". Traffic from tap interfaces is not subject to policy enforcement, you just get a copy of it and that's it.

juan_L
Sep 11, 2022

Careful! A is correct: vwire must connect 2 interfaces, and requires a topology change. Only visibility is required for the first step. Even more, PAN deployment BPA assumes TAP as the first approach, just to gather information and plan future topology and security changes.

vbaalagi
May 14, 2023

It's neither Layer 2 nor Layer 3, it's bump in the wire; the answer should be vwire [C].

Pacheco
Feb 13, 2024

Yes, "vwire must connect 2 interfaces". No, it doesn't require topology changes, because vwire interfaces don't use MAC or IP addressing; they're specifically designed so you don't have to change the topology. Besides, traffic from tap interfaces cannot have sec policies applied.

TAKUM1y (Option: C)
Oct 31, 2022

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces

DLRG (Option: C)
May 4, 2023

I think C. Keep in mind, however, that because the traffic is not running through the firewall when in tap mode, it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.

ruben_castro81 (Option: A)
Jul 9, 2023

The key word is "after". This question mentions: "The administrator is planning to apply Security rules on segment X AFTER getting the visibility"... I think that TAP is the best option.

ChiaPet75
Sep 2, 2023

I'm on the "C" team. At first I thought the Admin could just "TAP" the backbone switch for visibility, but since the goal is to apply Security rules on the segment that is being monitored, vWire makes the most sense.

electro165 (Option: A)
Sep 3, 2023

TAP Interface: A TAP interface allows you to monitor network traffic without disrupting the existing traffic flow. It operates in a passive mode, where it copies traffic for analysis without impacting the original traffic. This means you can gain visibility into segment X without changing the routing or IP configurations.

Minimum Service Interruptions: Since the TAP interface is passive and does not actively participate in routing or affecting traffic, it minimizes service interruptions. It won't introduce any routing changes or disruptions to segment X.

No IP Changes: The administrator wants to avoid making IP changes, and configuring a TAP interface allows you to do just that. It won't require any IP address changes or reconfiguration of the existing network.

Pacheco
Feb 13, 2024

Nope. They also want to apply sec policies to it. "The administrator is planning to apply Security rules on segment X after getting the visibility"

Metgatz
Dec 20, 2023

C - The administrator is planning to apply Security rules on segment X after getting the visibility.

Marshpillowz (Option: C)
Feb 3, 2024

I think C

scanossa (Option: C)
Mar 4, 2024

It needs to apply security policies, which TAP cannot do, so it's C.

0d2fdfa (Option: A)
Jun 15, 2024

Security rules will be applied, but this is only to monitor the traffic. The least intrusive way is TAP mode.

Alquicerm (Option: C)
Sep 30, 2024

Because of security rules creation it needs to be VWIRE. TAP will gain visibility but you will not be able to create security rules.

CarlosDV06 (Option: C)
Nov 28, 2024

Well, he definitely could use A to monitor the traffic, but you would have to reconfigure the fw to use the vwire to apply security changes. Still you can have the vwire and an initial allow rule for all of the X segment traffic and there you get to have your visibility without disrupting the network.
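Added configuration example, not from this page or from Palo Alto Networks, showing the two deployments the thread argues over side by side: a tap interface that only receives a mirrored copy of segment X (its zone rule controls logging and nothing else), and a virtual wire inserted between the backbone switch and the segment with the initial log-only allow rule CarlosDV06 describes, which can later be tightened without re-cabling or re-addressing. Interface numbers, zone names and rule names are assumptions, the `#` lines are annotations rather than CLI input, and the PAN-OS `set` command syntax is written from memory and should be checked against the configuration guide for the release in use.

```text
# Added example; assumed names throughout. Tap deployment: visibility only.
# ethernet1/3 is cabled to a SPAN/mirror port on the backbone switch.
set network interface ethernet ethernet1/3 tap
set zone tap-segment-x network tap ethernet1/3
# A tap zone rule only decides whether the copied traffic is logged; action
# "deny" here would not stop anything on the real segment.
set rulebase security rules log-segment-x from tap-segment-x to tap-segment-x source any destination any application any service any action allow log-end yes

# Virtual wire deployment: bump in the wire between the backbone switch and segment X.
# ethernet1/5 and ethernet1/6 carry no IP or MAC address, so nothing on the
# segment or the switch needs re-addressing.
set network interface ethernet ethernet1/5 virtual-wire
set network interface ethernet ethernet1/6 virtual-wire
set network virtual-wire vw-segment-x interface1 ethernet1/5 interface2 ethernet1/6
set zone vw-segment-x-in network virtual-wire ethernet1/5
set zone vw-segment-x-out network virtual-wire ethernet1/6
# Initial allow-all rule with logging gives the same visibility as the tap, but
# this rule is enforced inline: it can be narrowed, or blocking rules placed
# above it, once the traffic logs show what segment X actually carries.
set rulebase security rules allow-segment-x from [ vw-segment-x-in vw-segment-x-out ] to [ vw-segment-x-in vw-segment-x-out ] source any destination any application any service any action allow log-end yes

commit
```

The practical difference is the last rule: on the tap zone the same allow/log rule is purely observational, whereas on the virtual wire it is the first entry of an enforceable policy, so the "visibility first, rules later" sequence in the question can be done without a second cabling change only on the vwire.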

ALCOSTA35 (Option: C)
Mar 17, 2025

A is wrong because Tap does not allow Sec Pol to be applied on the FW. The only option is C (VWire).