Which two statements apply to configuring required security rules when setting up an IPSec tunnel between a Palo Alto Networks firewall and a third-party gateway? (Choose two.)
Correct Answer: C,D
Separate rules must be created for each direction: Palo Alto Networks firewalls enforce security policies based on traffic direction. To allow bidirectional communication through the IPSec tunnel, two separate rules are required, one for incoming and one for outgoing traffic.

IKE negotiation and IPSec/ESP packets are denied by default: Palo Alto Networks firewalls use an interzone default deny policy, meaning that unless an explicit policy allows IKE (UDP 500/4500) and ESP (protocol 50) traffic, the firewall will block these packets, preventing tunnel establishment. Therefore, administrators must create explicit rules permitting IKE and IPSec/ESP traffic to the firewall's external interface.