Exam PCNSA
Question 204

View the diagram. What is the most restrictive, yet fully functional rule, to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones?

A.

B.

C.

D.

    Correct Answer:

    The most restrictive, yet fully functional, rule to allow general Internet and SSH traffic into both the DMZ and Untrust/Internet zones from each of the IOT/Guest and Trust Zones is option B. Option A restricts access to specific destination subnets, which may not be sufficient for general Internet access since the destination addresses are too strictly defined. Option C incorrectly assigns source and destination addresses which do not correspond to their respective zones. Option D contains an incorrect source address for the IOT/Guest zone. Option B is the correct answer because it appropriately includes rules to allow SSH, SSL, and web-browsing traffic, with the source zones being IOT/Guest and Trust, and the destination zones being DMZ and Untrust, without over-specifying the destination addresses.

Discussion
Aredus

Answer should be A as the question asks for the most restrictive but functional rule.

DIG_Tofu

A for me as well. According to internet is only on /24 subnet mask ._.

Kalender

"most restrictive, yet fully functional rule" is the key word; answer should be A (I think)

Sly04

I think the same

DlaEdu_Ex

The answer is B. A is incorrect - no internet access, DST addresses are too strictly defined; C is incorrect - SRC and DST addresses do not correspond to Zones; D is incorrect - the SRC address does not match the SRC zone.

Notimig

B sure, source is 192 and 172

DatITGuyTho1337

The answer is A because the question is asking for the most restrictive means to access the DMZ and untrust zones from the Guest and Trust zones. In answer A, the rule restricts access to the destination IP address subnet ranges of the DMZ and Untrust zone destination addresses, whereas answer B pretty much says you can connect to any address in the DMZ and Untrust subnets. A is the correct answer.

PaloCert

B is the correct answer. You need to allow traffic to any destination for internet access.

Najmmm

The answer should be B, we can't specify dst add for internet

dc6a988

Correct answer B

khaled_ellaboudy

It should be "B". Need to access the internet

Janhattal

Ans should be A. As B is functional but not restrictive.

cjace

B is the answer for sure

claudio392

B sure

Sanjug2022

Answer B

madt

B is correct

Wisley

It should be B.

himing_123

B. need to access the internet