A security engineer needs to deploy Palo Alto Networks firewalls as a high-availability (HA) pair in active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?
- A
Create separate virtual systems (VSYS) for each tenant on the same firewall.
VSYS provides complete logical separation of configuration, routing, and policies per tenant.
- B
Deploy multiple VM-Series firewalls as separate instances on the same hypervisor.
Why wrong: This is an alternative but requires multiple licenses and management overhead; VSYS is more efficient on a single PA-5200 series.
- C
Use active/active HA mode to assign each tenant to a different firewall.
Why wrong: HA provides redundancy, not multi-tenancy isolation; both firewalls share the same configuration.
- D
Configure multiple virtual routers (VRFs) within the same virtual system.
Why wrong: VRFs only separate routing tables; policies and objects would still be shared across VRFs within the same VSYS.