Free PCNSE Questions Attempt

When managing firewalls with Panorama, configurations can be pushed from Panorama templates to managed firewalls. However, there are scenarios where specific settings need to be overridden on the local firewall level due to unique requirements or exceptions.

B. The modification will not be visible in Panorama:

• When an override is made directly on the firewall, this change is not automatically reflected back in Panorama's templates or device groups. The local configuration on the firewall will take precedence over the Panorama pushed configuration for the overridden settings, but these local changes will not be visible in the Panorama interface. This means that while Panorama maintains central control and visibility over the bulk of the configuration, it does not have visibility into local overrides made directly on the firewalls.

This distinction is crucial for auditors and administrators to understand, as it impacts how configurations are managed and synchronized between Panorama and the individual firewalls. Local overrides provide flexibility but require careful management to ensure consistency and compliance with security policies.

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy