
Palo Alto Networks PSE-SoftwareFirewall Exam - Topic 3 Question 32 Discussion

A customer in a VMware ESXi environment wants to add a VM-Series firewall and partition an existing group of virtual machines (VMs) in the same subnet into two groups. One group requires no additional security, but the second group requires substantially more security.

How can this partition be accomplished without editing the IP addresses or the default gateways of any of the guest VMs?

A) Edit the IP address of all of the affected VMs.
B) Create a new virtual switch and use the VM-Series firewall to separate virtual switches using virtual wire mode. Then move the guests that require more security into the new virtual switch.
C) Send the VLAN out of the virtual environment into a hardware Palo Alto Networks firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it.
D) Create a Layer 3 interface in the same subnet as the VMs and then configure proxy Address Resolution Protocol (ARP).

Suggested Answer: B

Creating a New Virtual Switch:

Creating a new virtual switch splits the existing group of VMs into two Layer 2 segments inside the ESXi environment. The VM-Series firewall is then placed between the two virtual switches in virtual wire mode, where it applies security controls to the traffic passing between them.


Palo Alto Networks VM-Series Deployment Guide

Moving Guests to New Virtual Switch:

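The guests that require additional security are moved to the new virtual switch, so traffic between them and the rest of the subnet passes through the VM-Series firewall for inspection and control. Because virtual wire interfaces forward frames transparently and carry no IP addresses of their own, both groups stay in the same subnet and the VMs keep their existing IP addresses and default gateways.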

Palo Alto Networks VM-Series Virtual Wire Mode

Arlyne
2 months ago
B is straightforward. Simplifies management and enhances security.
upvoted 0 times
...
Val
2 months ago
D is interesting, but ARP can be tricky. Not sure it’s worth it.
upvoted 0 times
...
Marjory
3 months ago
Option A is a no-go. Editing IPs is too risky.
upvoted 0 times
...
Rusty
3 months ago
Agreed! New virtual switch is smart. More security without hassle.
upvoted 0 times
...
Sabra
3 months ago
Definitely B! Keeps everything tidy without IP changes.
upvoted 0 times
...
Salley
3 months ago
Just to clarify, you can't change IPs or gateways, right?
upvoted 0 times
...
Odelia
3 months ago
Surprised that option D is even a choice. ARP for this? Really?
upvoted 0 times
...
Kris
4 months ago
I disagree, option C seems more secure by using a hardware firewall.
upvoted 0 times
...
Louann
4 months ago
Option B is the way to go! Virtual wire mode is perfect for this.
upvoted 0 times
...
Penney
4 months ago
Proxy ARP? What is this, the 90s? Option B is the clear winner here. Gotta love those virtual switches.
upvoted 0 times
...
Tula
4 months ago
Option B is the way to go, no doubt. Keeping everything contained in the virtual environment is the most elegant solution.
upvoted 0 times
...
Mari
5 months ago
C seems like it could work, but I'm not sure I'd want to send the VLAN out to a hardware firewall if I could handle it all within the virtual environment.
upvoted 0 times
...
Nickole
5 months ago
Haha, editing the IP addresses of all the VMs? That's a hard pass. Option B is definitely the way to go here.
upvoted 0 times
...
Tamar
5 months ago
D is an interesting option, but I'm not sure how the proxy ARP would work in this scenario. Might be a bit more complex than the virtual switch approach.
upvoted 0 times
...
Edwin
5 months ago
Option B seems like the way to go. Separating the VMs into different virtual switches and using the VM-Series firewall to secure the more sensitive group sounds like a clean solution.
upvoted 0 times
...
Theodora
5 months ago
I recall that VLANs can help with segmentation, but I'm not sure if sending traffic to a hardware firewall is the best approach here.
upvoted 0 times
...
Tu
6 months ago
I'm a bit confused about the Layer 3 interface option. I feel like we covered that, but it seems like it could complicate things unnecessarily.
upvoted 0 times
...
Melissa
6 months ago
I think option B sounds familiar. We practiced something similar where we had to separate traffic using virtual wire mode.
upvoted 0 times
...
Valentin
6 months ago
I'm pretty confident I know how to solve this. Option D is the way to go - create a Layer 3 interface in the same subnet and use proxy ARP. That way you can partition the VMs without changing anything on their end. Seems like the most straightforward approach to me.
upvoted 0 times
...
Gaynell
6 months ago
I think option B is the best choice. It keeps the IPs intact.
upvoted 0 times
...
Rosann
6 months ago
Hmm, I'm not sure about that. Option C seems interesting - sending the VLAN out to a hardware firewall and using the same IP as the old gateway. That might be a good way to add the extra security without disrupting the VMs. I'll have to look into that one more.
upvoted 0 times
...
Herschel
6 months ago
I remember we discussed using virtual switches in class, but I'm not entirely sure how the VM-Series firewall fits into that.
upvoted 0 times
...
Alverta
7 months ago
Option C seems complicated. Why involve hardware?
upvoted 0 times
...
Bettyann
7 months ago
Okay, I think I've got this. Option B looks like the way to go - create a new virtual switch and use the VM-Series firewall to separate the VMs that need more security. That way we don't have to mess with the IP addresses or gateways. Seems like the cleanest solution.
upvoted 0 times
...
Margart
7 months ago
I'm a bit confused by this question. It seems like we need to partition the VMs without changing their IP addresses or default gateways, but I'm not sure how to do that. I'll have to think through the options carefully.
upvoted 0 times
Sabra
2 months ago
I’m confused too. This is tricky, but I agree with B for separation.
upvoted 0 times
...
Rima
2 months ago
But what about option C? Sending VLAN to a hardware firewall could work too.
upvoted 0 times
...
Veronika
2 months ago
Yeah, using the VM-Series firewall makes sense for security.
upvoted 0 times
...
Danica
2 months ago
I think option B is the way to go. New virtual switch sounds good.
upvoted 0 times
...
Viola
7 months ago
I’m leaning towards option D. ARP could help without changing IPs.
upvoted 0 times
...
...
