Exam PCNSE
Question 32

Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

Correct Answer: C, D

In order to properly direct the traffic based on the application (HTTP or SSH) and the pre-defined NAT rules, the security policy must reference the pre-NAT IP address but apply rules to the post-NAT zone. For HTTP traffic directed to Host A (10.1.1.100) and SSH traffic directed to Host B (10.1.1.101), the rules need to allow traffic originating from any source in the Untrust zone to the specific pre-NAT IP (1.1.1.100) in the DMZ zone, corresponding to the respective protocols. Therefore, the correct rules are to allow web-browsing traffic to the DMZ (1.1.1.100) and SSH traffic to the DMZ (1.1.1.100).
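As an added illustration (not part of the exam page or of Palo Alto's documentation), a small Python model of the evaluation order the explanation relies on: the NAT lookup runs first and decides the post-NAT zone, then the security policy is matched on the pre-NAT destination address but the post-NAT destination zone. The zone names, the default route, port-based NAT steering and the 203.0.113.7 test client are assumptions; the 1.1.1.100 mapping to 10.1.1.100/10.1.1.101 follows the question.

```python
from ipaddress import ip_address, ip_network

# Routes decide which zone an address belongs to (constructed topology; default route = internet).
ROUTES = {
    ip_network("10.1.1.0/24"): "dmz",
    ip_network("1.1.1.0/24"): "untrust-l3",
    ip_network("0.0.0.0/0"): "untrust-l3",
}

def zone_of(ip):
    """Return the zone of the interface that routes towards ip (most specific first)."""
    for net, zone in ROUTES.items():
        if ip_address(ip) in net:
            return zone
    raise LookupError(f"no route for {ip}")

# DNAT rules match pre-NAT zones/address and steer on destination port (service).
NAT_RULES = [
    {"from": "untrust-l3", "to": "untrust-l3", "dst": "1.1.1.100", "port": 80, "xlate": "10.1.1.100"},
    {"from": "untrust-l3", "to": "untrust-l3", "dst": "1.1.1.100", "port": 22, "xlate": "10.1.1.101"},
]

# Security rules as in options C and D: post-NAT zone (dmz), pre-NAT address.
SEC_RULES_PRE_NAT = [
    {"from": "untrust-l3", "to": "dmz", "dst": "1.1.1.100", "app": "web-browsing"},
    {"from": "untrust-l3", "to": "dmz", "dst": "1.1.1.100", "app": "ssh"},
]
# The same intent written against the post-NAT addresses: never matches internet clients.
SEC_RULES_POST_NAT = [
    {"from": "untrust-l3", "to": "dmz", "dst": "10.1.1.100", "app": "web-browsing"},
    {"from": "untrust-l3", "to": "dmz", "dst": "10.1.1.101", "app": "ssh"},
]

def evaluate(sec_rules, src_ip, dst_ip, dst_port, app):
    """Return (action, translated_dst, post_nat_zone) for one flow."""
    src_zone, pre_zone = zone_of(src_ip), zone_of(dst_ip)
    xlate = dst_ip
    # 1. NAT policy is looked up first, on pre-NAT zones, address and service.
    for r in NAT_RULES:
        if (r["from"], r["to"], r["dst"], r["port"]) == (src_zone, pre_zone, dst_ip, dst_port):
            xlate = r["xlate"]
            break
    # 2. The post-NAT destination zone comes from routing the translated address.
    post_zone = zone_of(xlate)
    # 3. Security policy matches the ORIGINAL address but the POST-NAT zone.
    for r in sec_rules:
        if (r["from"], r["to"], r["dst"], r["app"]) == (src_zone, post_zone, dst_ip, app):
            return "allow", xlate, post_zone
    return "deny", xlate, post_zone  # implicit interzone default deny
```

Running `evaluate(SEC_RULES_POST_NAT, "203.0.113.7", "1.1.1.100", 80, "web-browsing")` returns a deny, which is why rules written against 10.1.1.x (the E-style answer discussed below) do not admit internet traffic.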

Discussion
achille5

C, D and D should be Untrust (Any) to DMZ (1.1.1.101), ssh - Allow

anak1n

Yeah, the .101 last octet in the answer is wrong, but it is straightforward ;)

utahman3431

I think it is correct as written. 1.1.1.100 is the pre-NAT IP, and all web/SSH traffic should go to it. Once it hits the NAT policy, the IP will be translated to 10.1.1.100/10.1.1.101.

achille5

Correction: it's C, D. The NAT policy is given already. Ignore the above :D

confusion (Options: CD)

Security policies use pre-NAT addresses and post-NAT zones, so C+D.

_3_ (Option: E)

Wouldn't E be the only possible answer? Someone correct me if I am wrong, but security policies are applied post-NAT, so C and D, referencing the pre-NAT IP, would be incorrect. E is the only answer with the correct post-NAT zone and IPs.

nsg79 (Options: AB)

The correct answer is AB. The answer is right here from Palo Alto: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#idfe075fbd-c132-4c52-b4c4-5adc7f4fc0bc

Kris92

The link explains this exact scenario, and if you look at the security policy from the documentation, it matches C, D. You might have looked at the NAT policy, which needs to be configured with source and destination zone Untrust, but the question is about the security policy.

daytonadave2011

This is a very poorly written question with answers. It should say D. 10.1.1.101 instead of 10.1.1.100.

UFanat (Options: CD)

For firewall rules you should use the DMZ zone but the external IP. For NAT rules, the external (Untrust) zone and the external IP.

Marshpillowz (Options: CD)

Answer is C and D

JRKhan (Options: CD)

C and D are correct. Security policies use post-NAT zones and pre-NAT IP addresses.

Redrum702 (Options: CD)

OK, I understood this was to write a DNAT policy. Correct answers are C/D. But for a DNAT it would be A/B :)

Redrum702 (Options: AB)

A/B: For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3. DNAT allows you to rewrite the destination IP address and port of incoming traffic and redirect it to a different destination IP address and port. DNAT is commonly used for scenarios such as exposing internal servers to the internet or redirecting traffic to specific services. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

lol12 (Options: CD)

Answer CD

fireb (Options: CD)

Correct answers: C & D.

secdaddy (Options: CD)

Agree C and D, assuming a typo in D (otherwise maybe CE). The box at the top is misleading, since the NAT rules must use the pre-NAT IP 1.1.1.100 as dest. Actual DNAT rules must refer to the pre-translated dest address 1.1.1.100 with szone and dzone both = untrust-l3; security rules also use the pre-translated dest address 1.1.1.100 and szone untrust-l3, but dzone = DMZ.

juan_L

Shame. I hope it is a typo and D actually refers to 1.1.1.101. E means that it opens SSH for the rest of the company; OK, maybe it can't be accessed from the internet, but now it has created SSH open for all the zones of the company where NAT is not required. This is a very, very, very bad example. Try not to learn from these questions. Sadly, if there is no typo, the correct answer is CE.

Pretorian

Why the entire company? There are only 2 IPs as destination.

Pretorian

Plus destination is DMZ only.

Kane002

I actually got this exact question on my PCNSA.

Prutser2 (Options: CD)

Security policies use pre-NAT addresses but post-NAT zones, so D.