PCNSA Exam Questions

PCNSA Exam - Question 204


View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones?

A.

B.

C.

D.

Correct Answer:

The most restrictive, yet fully functional, rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones is option B. Option A restricts access to specific destination subnets, which may not be sufficient for general Internet access since the destination addresses are too strictly defined. Option C incorrectly assigns source and destination addresses which do not correspond to their respective zones. Option D contains an incorrect source address for the IOT/Guest zone. Option B is the correct answer because it appropriately includes rules to allow SSH, SSL, and web-browsing traffic, with the source zones being IOT/Guest and Trust, and the destination zones being DMZ and Untrust, without over-specifying the destination addresses.

Discussion

17 comments
DlaEdu_Ex
Feb 7, 2023

The answer is B. A is incorrect - no internet access, DST addresses are too strictly defined; C is incorrect - SRC and DST addresses do not correspond to zones; D is incorrect - the SRC address does not match the SRC zone.

Kalender
May 11, 2023

"most restrictive, yet fully functional rule" is the key phrase; the answer should be A (I think).

Sly04
Nov 27, 2023

I think the same

Aredus
Mar 21, 2024

Answer should be A, as the question asks for the most restrictive but functional rule.

DIG_Tofu
Mar 23, 2024

A for me as well. According to internet is only on /24 subnet mask ._.

Najmmm
Nov 2, 2022

The answer should be B; we can't specify a dst address for the internet.

PaloCert
Mar 12, 2023

B is the correct answer. You need to allow traffic to any destination for internet access.

DatITGuyTho1337
Apr 1, 2023

The answer is A because the question is asking for the most restrictive means to access the DMZ and untrust zones from the Guest and Trust zones. In answer A, the rule restricts access to the destination IP address subnet ranges of the DMZ and Untrust zone destination addresses, whereas answer B pretty much says you can connect to any address in the DMZ and Untrust subnets. A is the correct answer.

Notimig
Nov 18, 2023

B for sure; source is 192 and 172.

khaled_ellaboudy
Feb 20, 2023

It should be "B". Need to access the internet.

dc6a988
Jul 1, 2024

Correct answer: B

himing_123
Feb 8, 2023

B. Need to access the internet.

Wisley
Mar 5, 2023

It should be B.

madt
Apr 30, 2023

B is correct

Sanjug2022
Jun 25, 2023

Answer B

claudio392
Aug 28, 2023

B sure

claudio392
Aug 30, 2023

B sure

cjace
May 23, 2024

B is the answer for sure

Janhattal
Jun 23, 2024

Answer should be A, as B is functional but not restrictive.