
PCNSE Exam - Question 84


Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

Correct Answer: C

To allow traffic to flow to the web server in a destination NAT setup, the security policy must consider the pre-NAT IP address and the post-NAT zone. In this case, the pre-NAT IP address is 1.1.1.100, which is the public address mapping to the server, and the post-NAT zone is DMZ. Therefore, the security policy rule that allows traffic from the Untrust zone to the DMZ, with the pre-NAT IP address of 1.1.1.100 for web browsing, is correct.
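The lookup order this explanation describes can be modelled in a few lines. This is an added illustration, not PAN-OS code and not part of the original page; the route table, the server's private address 10.1.1.100, and the three candidate rules are constructed assumptions rather than the exam's answer options.

```python
# Added illustration: a toy model of the lookup order, not PAN-OS code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology. 1.1.1.100 is the public (pre-NAT) address from the
# explanation; the private address and the routes are assumptions.
DNAT = {"1.1.1.100": "10.1.1.100"}
ZONE_ROUTES = {"10.1.1.0/24": "DMZ", "0.0.0.0/0": "Untrust"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str
    app: str


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup that returns the egress zone."""
    nets = [ip_network(n) for n in ZONE_ROUTES if ip_address(ip) in ip_network(n)]
    return ZONE_ROUTES[str(max(nets, key=lambda n: n.prefixlen))]


def security_lookup(rules, src_zone, dst_ip, app):
    """Return the first matching rule name, or None if no rule matches."""
    # The NAT rule is consulted first, but only to learn the post-NAT zone.
    dst_zone = zone_for(DNAT.get(dst_ip, dst_ip))
    for r in rules:
        # The destination address compared here is still the pre-NAT one.
        if (r.src_zone, r.dst_zone, r.dst_ip, r.app) == (src_zone, dst_zone, dst_ip, app):
            return r.name
    return None


# Constructed candidate rules (not the exam's answer options).
RULES = [
    Rule("pre-ip_pre-zone", "Untrust", "Untrust", "1.1.1.100", "web-browsing"),
    Rule("post-ip_post-zone", "Untrust", "DMZ", "10.1.1.100", "web-browsing"),
    Rule("pre-ip_post-zone", "Untrust", "DMZ", "1.1.1.100", "web-browsing"),
]

if __name__ == "__main__":
    print(security_lookup(RULES, "Untrust", "1.1.1.100", "web-browsing"))
```

Only the rule that pairs the public destination address with the DMZ zone matches; the other two combinations fall through without a match.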

Discussion

10 comments
trashboat Option: C
Apr 29, 2021

C is the correct answer. Remember for Security Policy lookup, the firewall uses Pre-NAT IP and Post-NAT Zone. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview.html

confusion Option: C
Feb 26, 2022

C, because security policy is pre-NAT IP + post-NAT zone.

Kane002 Option: C
Nov 17, 2021

C is correct. I got this question on the PCNSA, and so I wouldn't expect to see it on the PCNSE.

Angel123 Option: B
May 28, 2021

I believe the correct answer is 'B'. Since this is a DNAT setup, the rule for security policy is: PRE-NAT addresses, POST-NAT zone. PCNSA study guide PAN OS 10.0, p.111

Angel123
May 28, 2021

Pardon me - 'C' is the answer with POST-NAT zone.

TAKUM1y Option: C
Sep 22, 2022

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

mbhuyan Option: B
May 23, 2023

Answer should be B

shetoshandasa Option: D
Mar 17, 2021

Correct Answer https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping

mmed
Mar 22, 2021

The correct answer is D

webmanau
Mar 22, 2021

No, it's not. C is correct. The pre-NAT address is required as the destination in the security rule.

Prutser2
Jun 30, 2021

No, C. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones.

woody_ Option: D
Dec 14, 2022

Should that not be D based on https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-with-port-translation-example#id053beeb9-fde0-445b-99d0-5dd5a1000b7c ?

DenskyDen
Jan 15, 2023

That should be C as mentioned in the question, it was NATted.

Marshpillowz Option: C
Jan 23, 2024

Answer is C

Yuval711 Option: D
Jun 18, 2024

D is the correct answer. The question is about security policy and the destination is 10.1.1.100