PCNSE Question #456: Real Exam Question with Answer & Explanation

Question

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Options

• AAdd the policy in the shared device group as a pre-rule
• BReference the targeted device's templates in the target device group
• CAdd the policy to the target device group and apply a master device to the device group
• DClone the security policy and add it to the other device groups

Explanation

To ensure a Security policy has the absolute highest priority in a Panorama device group hierarchy, it must be configured as a pre-rule within the Shared device group.

Common mistakes.

• B. Referencing templates is a mechanism for deploying configuration to firewalls, not for defining the priority order of security policies.
• C. Adding a policy to a target device group or applying a master device doesn't automatically assign the highest priority; the priority depends on whether it's a pre-rule or post-rule and its specific position.
• D. Cloning security policies to multiple device groups is inefficient and does not guarantee the highest priority; policy priority is determined by its position and type (pre-rule/post-rule) within the device group hierarchy.

Concept tested. Panorama policy evaluation order and device group hierarchy

Reference. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/panorama/manage-firewalls-with-device-groups/how-device-groups-affect-policy-and-object-inheritance.html

No community discussion yet for this question.