Exam PCNSE topic 1 question 598 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 598
Topic #: 1

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:


Site B configuration:

  • A. Match IKE version on both firewalls.
  • B. Configure Local Identification on Site B firewall.
  • C. Enable NAT Traversal on Site B firewall.
  • D. Disable passive mode on Site A firewall.
Suggested Answer: AD

Comments

kalopilo
4 weeks, 1 day ago
Selected Answer: AD
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0
upvoted 1 times
...
scanossa
5 months, 3 weeks ago
This question was on my exam on July 23rd, 2024
upvoted 3 times
...
hcir
9 months, 1 week ago
A. IKE versions have to match. D. Site A cannot be passive, else it won't initiate the IKE negotiation. Site B cannot initiate it as it does not know the IP address of Site A.
upvoted 2 times
...
poiuytr
9 months, 2 weeks ago
Selected Answer: AD
A - obvious, you need to have the possibility to negotiate the same IKE version; B - not necessary, because "If you don’t specify a value, the gateway will use the local IP address as the Local Identification value."; C - not connected with screenshots; D - "Peer IP Address Type - Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation."
upvoted 2 times
...
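Added example (not part of any comment above, and not Palo Alto Networks code): a small Python check of the two conditions the comments discuss, IKE version agreement and which side is able to initiate when one peer is dynamic. The field names, finding labels and sample gateway values are constructed for illustration; they are not taken from the question's screenshots.

```python
from dataclasses import dataclass

@dataclass
class IkeGateway:            # hypothetical model, not a PAN-OS API object
    name: str
    ike_version: str         # "ikev1", "ikev2" or "ikev2-preferred"
    peer_ip_type: str        # "ip", "fqdn" or "dynamic": how this side addresses its peer
    passive: bool            # True = respond only, never initiate

def versions_compatible(a: str, b: str) -> bool:
    # IKEv2 preferred mode falls back to IKEv1, so it pairs with either version.
    return "ikev2-preferred" in (a, b) or a == b

def can_initiate(gw: IkeGateway) -> bool:
    # Initiating needs a known peer address and passive mode switched off.
    return gw.peer_ip_type != "dynamic" and not gw.passive

def check_pair(a: IkeGateway, b: IkeGateway) -> list:
    findings = []
    if not versions_compatible(a.ike_version, b.ike_version):
        findings.append("ike-version-mismatch")
    if not (can_initiate(a) or can_initiate(b)):
        # Nobody can start the negotiation: report why for each side.
        for gw in (a, b):
            if gw.peer_ip_type != "dynamic" and gw.passive:
                findings.append(f"passive-blocks-initiator:{gw.name}")
        if a.peer_ip_type == b.peer_ip_type == "dynamic":
            findings.append("both-peers-dynamic")
    return findings

# Constructed sample values (assumed, not read from the question's screenshots).
BROKEN = (IkeGateway("site-a", "ikev1", "ip", passive=True),
          IkeGateway("site-b", "ikev2", "dynamic", passive=False))
FIXED = (IkeGateway("site-a", "ikev2", "ip", passive=False),
         IkeGateway("site-b", "ikev2", "dynamic", passive=False))

if __name__ == "__main__":
    for label, pair in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_pair(*pair) or "ok")
```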