ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSA All Questions

View all questions & answers for the PCNSA exam
Go to Exam

Exam PCNSA topic 1 question 104 discussion

Actual exam question from Palo Alto Networks's PCNSA
Question #: 104
Topic #: 1
[All PCNSA Questions]

Based on the shown security policy, which Security policy rule would match all FTP traffic from the inside zone to the outside zone?

  • A. interzone-default
  • B. internal-inside-dmz
  • C. inside-portal
  • D. egress-outside
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by [deleted] at March 9, 2023, 4:10 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
amorcle
1 year, 1 month ago
Selected Answer: D
D it's correct, because 203.0.113.0/24 it's a reserved/special use address (TEST-NET-3. RFC 5737) so it can't stay in an outside zone.
upvoted 3 times
...
amorcle
1 year, 1 month ago
D it's correct, because 203.0.113.0/24 it's a reserved/special use address (TEST-NET-3. RFC 5737) so it can't stay in an outside zone.
upvoted 1 times
...
Gilmarcio
1 year, 1 month ago
egress-outsid. source and destination zone possuem any + any aplication e application-default service, action allow. Então é "D"
upvoted 1 times
...
guuillauume
1 year, 1 month ago
Selected Answer: D
it's about ALL the traffic, so D is the correct answer
upvoted 3 times
...
Ermbmx2
1 year, 2 months ago
Selected Answer: D
The only option that matches "ALL" FTP traffic from Inside to Outside
upvoted 3 times
...
Ermbmx2
1 year, 2 months ago
Can someone explain why it is not D? If it say "any" FTP traffic wouldnt it have to be D since C would only match FTP traffic destined to that specific IP. Is that not correct?
upvoted 1 times
Ermbmx2
1 year, 2 months ago
Correction, it says "ALL" FTP traffic. Wouldn't D be the first policy that allows "ALL" FTP traffic?
upvoted 1 times
...
...
BuzeHa
1 year, 3 months ago
Selected Answer: C
correct
upvoted 2 times
...
[Removed]
1 year, 4 months ago
Selected Answer: C
I mean, technically inside-portal would match any FTP traffic first to the outside zone, even if the destination address is defined.
upvoted 2 times
amorcle
1 year, 1 month ago
D it's correct, because 203.0.113.0/24 it's a reserved/special use address (TEST-NET-3. RFC 5737) so it can't stay in an outside zone.
upvoted 2 times
...
nolox
1 year, 4 months ago
Yup, the question doesn't ask about dst IP so I think C is correct.
upvoted 1 times
mariooiram87
8 months, 1 week ago
RTFM...
upvoted 1 times
...
Ermbmx2
1 year, 2 months ago
But it does say "Match ALL ftp traffic" (not "any") which the Inside-portal would not match all the ftp traffic, just the FTP traffic destined to that specific IP.
upvoted 5 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel