PCNSE: Palo Alto Networks Certified Network Security Engineer

Proxy-ID is a parameter that identifies the traffic that needs to be encrypted and tunneled in an IPSec VPN. Proxy-ID consists of the local and remote IP addresses, protocols, and ports. Proxy-ID is used when the peer is using a policy-based VPN configuration, which allows specifying the Proxy-ID settings manually. If the Proxy-ID settings do not match on both peers, the phase two of the VPN will not establish a connection. Therefore, the correct answer is B.

The other options are not parts of the configuration that the engineer should verify for phase two of a VPN:

PAN-OS versions: This option is not relevant for phase two of a VPN. PAN-OS versions are the software versions that run on Palo Alto Networks firewalls. They do not affect the VPN connection establishment, as long as they support the same VPN features and protocols2.

IKE Crypto Profile: This option is not relevant for phase two of a VPN. IKE Crypto Profile is a parameter that defines the encryption and authentication algorithms for IKE negotiation. IKE negotiation is part of phase one of the VPN, not phase two3.

Security policy: This option is not relevant for phase two of a VPN. Security policy is a rule that allows or denies traffic based on various criteria, such as source, destination, application, user, and service. Security policy does not affect the VPN connection establishment, but only the traffic that passes through the VPN tunnel4.

Reference: 1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpn/site-to-sitevpn/set-up-a-site-to-site-vpn-between-two-firewalls/policy-based-vpn 2:

https://docs.paloaltonetworks.com/pan-os.html 3:

https://docs.paloaltonetworks.com/pan-os/91/pan-os-admin/vpn/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/methods-ofsecuring-ipsec-vpn-tunnels-ike-phase-2 4:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-osadmin/policy/security-policy.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in blocking the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage- firewall-administrators/administrative-authentication

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure- an-ssh-service-profile

The Method section of the GlobalProtect portal configuration allows you to specify how users connect to the portal. The options are: user-logon (always on): The agent connects to the portal as soon as the user logs in to the endpoint. pre-logon then on-demand: The agent connects to the portal before the user logs in to the endpoint and then switches to on-demand mode after the user logs in. on-demand (manual user initiated connection): The agent connects to the portal only when the user initiates the connection manually. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan- os-admin/globalprotect/configure-the-globalprotect-portal/configure-the-agent/configure-the-app- tab.html