
PCNSE Exam - Question 606


A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Correct Answer: C

NAT rules are evaluated from the top down and the first matching rule is applied, so to exclude a specific IP within a larger subnet, a more specific rule must be placed above the general rule. In this case, the engineer should create two NAT rules: one that translates the entire subnet (10.0.0.0/23) for internet access, and another that matches the specific IP (10.0.0.10/32) so that its traffic does not undergo NAT. The rule for the specific IP should have no source translation and must be placed above the general subnet rule to take precedence. This configuration allows the general rule to apply to all other IPs within the subnet while excluding the specified IP from accessing the internet.
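The ordering argument above can be checked mechanically. The following is an added example, not part of the original page or any vendor tooling: it models first-match evaluation on source address only (real NAT rules also match zones, destination and service), and it assumes from the discussion that NAT-Rule-1 is the subnet rule and NAT-Rule-2 is the no-translation rule for the single host.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str
    source: str      # CIDR matched against the packet's source address
    translate: bool  # False models "no source translation" (NAT exemption)

def first_match(rules, src_ip):
    """Top-down lookup: the first rule whose source contains src_ip wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source):
            return rule
    return None  # no NAT rule applies

def shadowed_rules(rules):
    """Return (shadowed, shadowing) name pairs.

    A rule is shadowed when an earlier rule's source fully covers its own,
    so it can never be the first match.
    """
    pairs = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source)
        for earlier in rules[:i]:
            earlier_net = ipaddress.ip_network(earlier.source)
            if (later_net.version == earlier_net.version
                    and later_net.subnet_of(earlier_net)):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed rulebases; rule-name mapping is an assumption (see lead-in).
SUBNET_RULE = NatRule("NAT-Rule-1", "10.0.0.0/23", translate=True)
HOST_RULE = NatRule("NAT-Rule-2", "10.0.0.10/32", translate=False)
WRONG_ORDER = [SUBNET_RULE, HOST_RULE]  # general rule on top
RIGHT_ORDER = [HOST_RULE, SUBNET_RULE]  # specific rule on top

if __name__ == "__main__":
    for label, rulebase in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        hit = first_match(rulebase, "10.0.0.10")
        print(label, "order: 10.0.0.10 ->", hit.name,
              "translated" if hit.translate else "not translated",
              "| shadowed:", shadowed_rules(rulebase))
```

Running the same shadow check over an exported rulebase before committing is a quick way to catch an exemption rule that was appended below the rule it is meant to override.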

Discussion

7 comments
Thunnu (Option: C)
Mar 28, 2024

C should be the right answer

b53fdf1 (Option: C)
Mar 28, 2024

NAT-Rule-2 needs to be above NAT-Rule-1 or else Rule 1 will shadow Rule 2 and Rule 2 will never get used.

jaypogi16 (Option: C)
Apr 1, 2024

NAT Rule 2 will never get used if it is placed under NAT Rule 1.

DatITGuyTho1337 (Option: C)
Apr 3, 2024

Agreed with everyone who answered C!

Cro13 (Option: C)
Jun 7, 2024

C is correct because NAT-Rule-2 needs to be above NAT-Rule-1.

darcone23
Jul 1, 2024

So block the traffic to the internet with a security policy...
