Palo Alto Networks Exam PSE-SoftwareFirewall Topic 1 Question 19 Discussion

Actual exam question for Palo Alto Networks's PSE-SoftwareFirewall exam

Question #: 19
Topic #: 1

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.

How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

AEdit the IP address of all of the affected VMs.

BCreate a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.

CSend the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.

DCreate a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

Show Suggested Answer

Suggested Answer: B

Creating a New Virtual Switch:

By creating a new virtual switch, you can segment the network within the ESXi environment. The VM-Series firewall can then be used to provide security controls between these virtual switches using virtual wire mode.

Palo Alto Networks VM-Series Deployment Guide

Moving Guests to New Virtual Switch:

Guests requiring additional security are moved to the new virtual switch, allowing the VM-Series firewall to inspect and control traffic between the switches. This setup does not necessitate changes to the existing IP addresses or default gateways of the VMs.

Palo Alto Networks VM-Series Virtual Wire Mode

by Stevie at Jan 22, 2025, 08:56 AM

Limited Time Offer

25%

Off

Get Premium PSE-SoftwareFirewall Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Eliz

2 days ago

C) is an interesting idea, but I'm not sure I'd want to be messing with the default gateway. Seems like it could cause some unexpected issues down the line.

upvoted 0 times

...

Huey

9 days ago

Haha, option A) is just too easy. Why bother editing all those IPs when you can just use the firewall to do the job? Lazy admins, am I right?

upvoted 0 times

...

Kasandra

13 days ago

D) sounds interesting with the proxy ARP, but I'm not sure how that would work in practice. Might be a bit more complex than the virtual switch approach.

upvoted 0 times

...

Alica

14 days ago

B) seems like the most logical option. Separating the VMs into different virtual switches using the VM-Series firewall in virtual wire mode is a smart way to maintain the same IP addresses and default gateways.

upvoted 0 times

Tracey

10 days ago

User 1

upvoted 0 times

...

Junita

15 days ago

I agree with Deeann. Option B seems like the most efficient way to achieve the partition without changing IP addresses.

upvoted 0 times

...

Deeann

1 months ago

I think the best option is B) Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode.

upvoted 0 times

...