NGFW-ENGINEER Question #16: Real Exam Question with Answer & Explanation

The correct answer is C: Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster,. This approach meets all the requirements for securing east-west traffic within each Kubernetes cluster, maintaining consistent security policies across on-premises and cloud environments, and allowing for dynamic scaling of the CN-Series NGFWs as containerized workloads spin up o

CN-Series Deployment and Management in Kubernetes

Question

An organization runs multiple Kubernetes clusters both on-premises and in public clouds (AWS, Azure, GCP). They want to deploy the Palo Alto Networks CN-Series NGFW to secure east-west traffic within each cluster, maintain consistent Security policies across all environments, and dynamically scale as containerized workloads spin up or down. They also plan to use a centralized Panorama instance for policy management and visibility. Which approach meets these requirements?

Options

  • A. Install standalone CN-Series instances in each cluster with local configuration only. Export daily
  • B. Configure the CN-Series only in public cloud clusters, and rely on Kubernetes Network Policies
  • C. Use Kubernetes-native deployment tools (e.g., Helm) to deploy CN-Series in each cluster,
  • D. Deploy a single CN-Series firewall in the on-premises data center to process traffic for all clusters,

Explanation

This approach meets all the requirements for securing east-west traffic within each Kubernetes cluster, maintaining consistent security policies across on-premises and cloud environments, and allowing for dynamic scaling of the CN-Series NGFWs as containerized workloads spin up or down. By using Kubernetes-native deployment tools (such as Helm), the CN-Series NGFWs can be deployed and scaled dynamically within each cluster. Local insertion into the service mesh or CNI ensures that the NGFW can inspect traffic at the appropriate points within the cluster. Centralized management via Panorama ensures that security policies are uniform across both on-premises and cloud environments, providing visibility and control across all clusters.

Topics

#CN-Series Deployment #Kubernetes Security #Panorama Integration #Multi-Cloud Security
