Exam PCNSE
Question 84

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

    Correct Answer: C

    To allow traffic to flow to the web server in a destination NAT setup, the security policy must consider the pre-NAT IP address and the post-NAT zone. In this case, the pre-NAT IP address is 1.1.1.100, which is the public address mapping to the server, and the post-NAT zone is DMZ. Therefore, the security policy rule that allows traffic from the Untrust zone to the DMZ, with the pre-NAT IP address of 1.1.1.100 for web browsing, is correct.
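The lookup described in the answer above, as a small model. This is an added example, not part of the original page and not vendor code. The zone subnet, the candidate rules, and the reading of 10.1.1.100 as the web server's private address are assumptions, since the exhibit is not reproduced here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): destination subnet -> zone, standing in for the route lookup.
ZONE_BY_SUBNET = {"10.1.1.0/24": "DMZ"}
# DNAT mapping (assumption: 10.1.1.100 is the web server's private address).
DNAT = {"1.1.1.100": "10.1.1.100"}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str
    app: str

def zone_of(ip):
    """Egress zone for an address; anything not routed internally leaves via Untrust."""
    for net, zone in ZONE_BY_SUBNET.items():
        if ip_address(ip) in ip_network(net):
            return zone
    return "Untrust"

def security_lookup_key(src_zone, dst_ip):
    """Fields the security policy is matched against for one packet."""
    translated = DNAT.get(dst_ip, dst_ip)   # NAT rule is evaluated first ...
    dst_zone = zone_of(translated)          # ... and sets the destination zone (post-NAT)
    return src_zone, dst_zone, dst_ip       # the address stays pre-NAT

def first_match(rules, src_zone, dst_ip, app):
    """Name of the first rule that matches, or None (no explicit allow)."""
    key = security_lookup_key(src_zone, dst_ip) + (app,)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_ip, r.app) == key:
            return r.name
    return None

# Constructed candidate rules; these are not the exhibit's answer options.
RULES = [
    Rule("pre-NAT IP, pre-NAT zone", "Untrust", "Untrust", "1.1.1.100", "web-browsing"),
    Rule("post-NAT IP, post-NAT zone", "Untrust", "DMZ", "10.1.1.100", "web-browsing"),
    Rule("pre-NAT IP, post-NAT zone", "Untrust", "DMZ", "1.1.1.100", "web-browsing"),
]

if __name__ == "__main__":
    print(security_lookup_key("Untrust", "1.1.1.100"))
    print(first_match(RULES, "Untrust", "1.1.1.100", "web-browsing"))
```

Only the third rule matches; a rule written against the server's private address never sees the packet, because the address field is still 1.1.1.100 when the security policy is evaluated.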

Discussion
trashboat (Option: C)

C is the correct answer. Remember for Security Policy lookup, the firewall uses Pre-NAT IP and Post-NAT Zone. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview.html

confusion (Option: C)

C, because security policy is pre-NAT IP + post-NAT zone.

Kane002 (Option: C)

C is correct. I got this question on the PCNSA, and so I wouldn't expect to see it on the PCNSE.

mbhuyan (Option: B)

Answer should be B

TAKUM1y (Option: C)

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

Angel123 (Option: B)

I believe the correct answer is 'B'. Since this is a DNAT setup, the rule for security policy is: PRE-NAT addresses, POST-NAT zone. PCNSA study guide PAN OS 10.0, p.111

Angel123

Pardon me - 'C' is the answer with POST-NAT zone.

Yuval711 (Option: D)

D is the correct answer. The question is about security policy and the destination is 10.1.1.100

Marshpillowz (Option: C)

Answer is C

woody_ (Option: D)

Should that not be D based on https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-with-port-translation-example#id053beeb9-fde0-445b-99d0-5dd5a1000b7c ?

DenskyDen

That should be C; as mentioned in the question, it was NATted.

shetoshandasa (Option: D)

Correct Answer https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping

mmed

The correct answer is D

webmanau

No, it's not. C is correct. The pre-NAT address is required as the destination in the security rule.

Prutser2

No, C. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones.