Exam PCNSE All Questions
Question 107

Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a Destination NAT policy in the Palo Alto Networks firewall.

A.

B.

C.

D.

    Correct Answer: B

    To allow a connection from a user in the Internet zone to a web server hosted in the DMZ zone, the security policy rule must be written with the source zone as seen on ingress (Internet; NAT does not change the source zone), the post-NAT destination zone (DMZ, the zone that the translated server address routes to), and the pre-NAT destination address (the public IP the user actually connects to). The firewall performs the NAT policy lookup on the original packet, but it evaluates security policy using the original destination address and the zone of the translated destination. Because the traffic moves between two different zones, a rule type of 'interzone' or 'universal' matches it ('intrazone' would not). Based on this, the correct answer is B: a Zone Pair with Source Zone Internet and Destination Zone DMZ, and Rule Type 'interzone' or 'universal'.
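To make the pre-NAT/post-NAT asymmetry concrete, here is an added example (not code from the page or from Palo Alto Networks) that models the lookup order: a NAT rule evaluated on the original packet, then security rules matched on the pre-NAT destination address but the post-NAT destination zone, with the predefined intrazone-allow / interzone-deny defaults applied when nothing matches. The zones, addresses, route table and rule names are constructed assumptions; two deliberately mis-written rules are placed ahead of the correct one to show that they never match.

```python
import ipaddress

# Added example, not code from the page or from Palo Alto Networks: a small model
# of how a destination-NAT'd session is matched against security policy.
# Addresses, zones, routes and rule names below are constructed assumptions.

# Route table as (prefix, zone): the zone of the interface a destination routes to.
ROUTES = [
    ("203.0.113.0/24", "Internet"),   # public range, including the server's public IP
    ("10.10.10.0/24", "DMZ"),         # internal DMZ range
    ("0.0.0.0/0", "Internet"),        # default route
]

# NAT rule: from/to zones are evaluated pre-NAT, so the destination zone is the
# zone the public IP routes to (Internet), not DMZ.
NAT_RULES = [
    {"name": "dnat-web", "from": "Internet", "to": "Internet",
     "dst": "203.0.113.10", "translated_dst": "10.10.10.10"},
]

# Security rules in evaluation order. The two wrong rules come first: if the
# firewall matched on the post-NAT address or the pre-NAT zone, they would win.
SECURITY_RULES = [
    # wrong: uses the translated (post-NAT) address as the destination
    {"name": "web-postnat-ip", "from": "Internet", "to": "DMZ",
     "dst": "10.10.10.10", "type": "universal", "action": "allow"},
    # wrong: uses the pre-NAT destination zone
    {"name": "web-prenat-zone", "from": "Internet", "to": "Internet",
     "dst": "203.0.113.10", "type": "universal", "action": "allow"},
    # correct (answer B): pre-NAT address, post-NAT zone, interzone/universal type
    {"name": "web-correct", "from": "Internet", "to": "DMZ",
     "dst": "203.0.113.10", "type": "interzone", "action": "allow"},
]


def zone_for(ip):
    """Longest-prefix match of ip against ROUTES; returns the zone it routes to."""
    addr = ipaddress.ip_address(ip)
    best_len, best_zone = -1, None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_zone = net.prefixlen, zone
    return best_zone


def apply_dnat(src_zone, dst_ip):
    """NAT lookup on the original packet: zones and address are all pre-NAT.
    Returns (destination address after translation, matching NAT rule name)."""
    pre_nat_dst_zone = zone_for(dst_ip)
    for rule in NAT_RULES:
        if (rule["from"] == src_zone and rule["to"] == pre_nat_dst_zone
                and rule["dst"] == dst_ip):
            return rule["translated_dst"], rule["name"]
    return dst_ip, None


def rule_type_matches(rule_type, src_zone, dst_zone):
    """universal matches everything; interzone/intrazone depend on the zone pair."""
    if rule_type == "universal":
        return True
    if rule_type == "interzone":
        return src_zone != dst_zone
    if rule_type == "intrazone":
        return src_zone == dst_zone
    raise ValueError(f"unknown rule type {rule_type!r}")


def evaluate(src_zone, dst_ip, rules=SECURITY_RULES):
    """Return (rule name, action) for a packet entering in src_zone bound for dst_ip.
    src_zone is the ingress interface's zone; NAT never changes it."""
    translated_dst, _ = apply_dnat(src_zone, dst_ip)
    post_nat_dst_zone = zone_for(translated_dst)     # zone of the translated address
    for rule in rules:
        if rule["from"] != src_zone:
            continue
        if rule["to"] != post_nat_dst_zone:          # post-NAT destination zone
            continue
        if rule["dst"] not in ("any", dst_ip):       # pre-NAT destination address
            continue
        if not rule_type_matches(rule["type"], src_zone, post_nat_dst_zone):
            continue
        return rule["name"], rule["action"]
    # Predefined default rules: intrazone traffic allowed, interzone traffic denied.
    if src_zone == post_nat_dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


if __name__ == "__main__":
    print(evaluate("Internet", "203.0.113.10"))                       # ('web-correct', 'allow')
    print(evaluate("Internet", "203.0.113.10", SECURITY_RULES[:2]))   # ('interzone-default', 'deny')
```

Running the block matches the third rule only; with just the two mis-written rules present, the session falls through to the predefined interzone-default deny, which is the symptom of a rule written against the translated address or against the pre-NAT zone.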

Discussion
kraut

B. Everything EXCEPT the destination zone is pre-NAT: pre-NAT destination IP, post-NAT destination zone.

mtberdaan

Yes, the answer will be B, but the zone is correct: DMZ is the post-NAT destination zone. The NAT rule will look like this:
source zone: Internet
destination zone: Internet
destination IP: public IP
destination translation: internal IP
The security rule will look like this:
source zone: Internet
destination zone: DMZ (post-NAT)
destination IP: public IP (pre-NAT)
which will make the traffic interzone. Tip: interzone vs intrazone: I think of internet (global) vs intranet (local).

keto3812

The question is ambiguous. Is it looking for a NAT rule or a Security Policy rule?

kraut

It states that there is a NAT rule in place, so we're looking for the security policy.

vj77

It could also be interpreted as: there is a NAT policy in place; what should it be?

lildevil

The question asks to "allow a successful connection". NAT policies do not allow traffic; security policies do.

DenskyDen

B. Pre-NAT IP and post-NAT zone.

TAKUM1y

B → https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

Marshpillowz

B is correct

GivemeMoney

The only difference between B and D is that B has a rule type of "interzone or universal", and D only has a rule type of "interzone". What's the difference?

GivemeMoney

Found it: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC "By default, all the traffic destined between two zones, regardless of being from the same zone or a different zone; this applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones."