Exam PCNSE
Question 285

A user at an internal system queries the DNS server for their web server with a private IP of 10.250.241.131 in the DMZ. The DNS server returns an address of the web server's public address, 200.1.1.10. In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

    Correct Answer: D

    In this scenario, the user at the internal system in the Trust_L3 zone queries the DNS server and receives a public IP address (200.1.1.10). To direct this traffic to the correct internal web server with private IP (10.250.241.131), a NAT rule needs to translate this public IP to the private IP. Additionally, a security rule must allow traffic from the Trust_L3 zone to the DMZ zone, considering the actual web server's IP. Therefore, the appropriate configuration involves setting the NAT rule with Source Zone: Trust_L3, Destination Zone: Untrust_L3, and a translation address of the private IP, along with a security rule allowing traffic from Source Zone: Trust_L3 to Destination Zone: DMZ based on the private IP.
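A simplified Python model of the lookup order behind this answer, added here as an illustration (it is not PAN-OS code and not part of the original page): NAT rules match the zones of the original packet, while the security rule matches the pre-NAT destination IP and the post-NAT destination zone. Only the two server addresses come from the question; the subnets and the client address 192.168.1.50 are assumptions.

```python
import ipaddress

# Constructed topology: only 10.250.241.131 and 200.1.1.10 come from the question;
# the subnets below and the client 192.168.1.50 are assumptions for the example.
ZONES = [("10.250.241.0/24", "DMZ"), ("192.168.1.0/24", "Trust_L3")]

def zone_of(ip):
    """Zone picked by route lookup; anything not listed leaves via Untrust_L3."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES:
        if addr in ipaddress.ip_network(net):
            return zone
    return "Untrust_L3"

def evaluate(src_ip, dst_ip, nat_rules, sec_rules):
    """Return (action, address the packet would be forwarded to)."""
    src_zone = zone_of(src_ip)
    pre_nat_zone = zone_of(dst_ip)        # NAT rules match the original packet's zones
    post_nat_ip = dst_ip
    for r in nat_rules:
        if (r["from"], r["to"], r["dst"]) == (src_zone, pre_nat_zone, dst_ip):
            post_nat_ip = r["translate_to"]
            break
    post_nat_zone = zone_of(post_nat_ip)  # second route lookup, on the translated address
    for r in sec_rules:
        # Security policy: pre-NAT destination IP, post-NAT destination zone
        if (r["from"], r["to"], r["dst"]) == (src_zone, post_nat_zone, dst_ip):
            return "allow", post_nat_ip
    return "deny", post_nat_ip            # no rule matched this interzone flow

NAT_OK = [{"from": "Trust_L3", "to": "Untrust_L3", "dst": "200.1.1.10",
           "translate_to": "10.250.241.131"}]
SEC_OK = [{"from": "Trust_L3", "to": "DMZ", "dst": "200.1.1.10"}]
NAT_WRONG_ZONE = [dict(NAT_OK[0], to="DMZ")]             # NAT written with the post-NAT zone
SEC_WRONG_ZONE = [dict(SEC_OK[0], to="Untrust_L3")]      # security rule with the pre-NAT zone
SEC_POST_NAT_IP = [dict(SEC_OK[0], dst="10.250.241.131")]  # security rule with the post-NAT IP

if __name__ == "__main__":
    client = "192.168.1.50"
    for name, nat, sec in [
        ("U-Turn NAT + matching security rule", NAT_OK, SEC_OK),
        ("NAT rule uses DMZ as destination zone", NAT_WRONG_ZONE, SEC_OK),
        ("security rule uses Untrust_L3 zone", NAT_OK, SEC_WRONG_ZONE),
        ("security rule uses post-NAT address", NAT_OK, SEC_POST_NAT_IP),
    ]:
        print(f"{name}: {evaluate(client, '200.1.1.10', nat, sec)}")
```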

Discussion
Kalipso21 Option: D

Answer is D, this is explained in a scenario here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

sujss

Thanks for this

sov4 Option: D

Had this question on the exam a few weeks ago... July 2023.

franko_72

Yep so did I, similar time, June/July.

confusion Option: D

Security rules use pre-NAT IP and post-NAT Zone

bimyo Option: D

Yes D is correct, think it over again if your result is different.

DenskyDen Option: D

D. Agree

mysteryzjoker Option: D

D) Great PAN NAT video here, includes Uturn NAT https://www.youtube.com/watch?v=Ahrao6kBg8w&t=566s