Exam PCNSA
Question 192

An administrator needs to create a Security policy rule that matches DNS traffic within the LAN zone, and also needs to match DNS traffic within the DMZ zone.

The administrator does not want to allow traffic between the DMZ and LAN zones.

Which Security policy rule type should they use?

    Correct Answer: B

    The administrator needs to allow DNS traffic within both the LAN and DMZ zones while preventing traffic between them. The correct Security policy rule type for this requirement is 'intrazone'. An intrazone rule permits traffic within the same zone and does not allow a destination zone to be specified, so traffic within each specified zone (LAN and DMZ) is permitted without allowing traffic between the two zones.
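
The zone-matching behaviour of the three rule types named in this question, as an added example that is not part of the original page and is not PAN-OS code. It is a simplified model; `Rule`, `rule_matches` and `matched_zone_pairs` are hypothetical names, and the rule is assumed to match only the `dns` application.

```python
# Added illustration: simplified model of rule-type zone matching, not PAN-OS code.
# Rule, rule_matches and matched_zone_pairs are hypothetical names.
from dataclasses import dataclass
from itertools import product

ZONES = ("LAN", "DMZ")  # zone names from the question
RULE_TYPES = ("intrazone", "interzone", "universal")


@dataclass(frozen=True)
class Rule:
    rule_type: str
    src_zones: frozenset
    dst_zones: frozenset = frozenset()  # not configurable on intrazone rules
    application: str = "dns"


def rule_matches(rule, src, dst, app):
    """True if a flow from zone src to zone dst carrying app hits the rule."""
    if rule.rule_type not in RULE_TYPES:
        raise ValueError(f"unknown rule type: {rule.rule_type}")
    if app != rule.application or src not in rule.src_zones:
        return False
    if rule.rule_type == "intrazone":
        return dst == src            # destination is implicitly the source zone
    if dst not in rule.dst_zones:
        return False
    if rule.rule_type == "interzone":
        return dst != src            # only flows that cross a zone boundary
    return True                      # universal: within and between zones


def matched_zone_pairs(rule, app="dns"):
    """Every (src, dst) zone pair in ZONES that the rule matches for app."""
    return {(s, d) for s, d in product(ZONES, repeat=2) if rule_matches(rule, s, d, app)}


if __name__ == "__main__":
    both = frozenset(ZONES)
    for rule_type in RULE_TYPES:
        rule = Rule(rule_type, src_zones=both, dst_zones=both)
        print(f"{rule_type:9} -> {sorted(matched_zone_pairs(rule))}")
```

With both zones listed as sources, only the intrazone rule matches LAN-to-LAN and DMZ-to-DMZ DNS while leaving LAN-to-DMZ and DMZ-to-LAN unmatched.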

Discussion
TheMaster01 Option: B

Intrazone: A security policy allowing traffic between the same zone, this applies the rule to all matching traffic within the specified source zones (cannot specify a destination zone for intrazone rules). For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

mushi4ka Option: B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

AriGold Option: A

The minute you took away any traffic, it was no longer UNIVERSAL. "Does not want to match traffic where the source and destination zones are LAN or DMZ" It was no longer INTRAZONE. That only left INTERZONE.

[Removed] Option: B

Most of the question is fluff. Main key takeaways are:

1) Allow DNS traffic within LAN-ZONE
2) Allow DNS traffic within DMZ-ZONE
3) Deny DNS traffic between LAN-ZONE, DMZ-ZONE

What Security Rule type is required?

- Universal allows traffic between the zones and within the zones.
- Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
- Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
- Universal allows traffic between the zones and within the zones.

Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B

ReallyMatters Option: C

Why not C? Please read carefully.

[Removed]

default what? interzone-default or intrazone-default... Most of the question is fluff. Main key takeaways are:

- Allow DNS traffic within LAN-ZONE
- Allow DNS traffic within DMZ-ZONE
- Deny DNS traffic between LAN-ZONE, DMZ-ZONE

What Security Rule type is required?

- Interzone does NOT allow traffic within a zone, and permits traffic between the two zones
- Default isn't a valid option as you have to point out WHICH default policy, is it the intra or the inter?
- Universal allows traffic between the zones and within the zones.

Intrazone allows traffic within the zones, you can NOT configure a destination zone. So the correct answer is B

CarlosDV06 Option: B

I've the evaluation tomorrow and read this example question. The answer is B, the question asks for the rule TYPE and we have three: Intrazone (within a zone), interzone (between zones) and universal (within and between zones).

baccalacca

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0

baccalacca Option: B

A security policy allowing traffic between the same zone, this applies the rule to all matching traffic within the specified source zones (cannot specify a destination zone for intrazone rules). For example, if setting the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

blahblah1234567890000 Option: B

It's B since it's not going between zones.

lorentinooo Option: A

It says that DNS traffic is allowed in the LAN and DMZ zones. That traffic could come from an outside zone, such as the internet, but it is not allowed between LAN and DMZ. According to this, I'd say it is A because you only need to match Interzone areas.

michelbragaguimaraes Option: C

Default