ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 606 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 606
Topic #: 1
[All PCNSE Questions]

A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

  • A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.
    2. Check the box for negate option to negate this IP from the NAT translation.
  • B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.
    2. Check the box for negate option to negate this IP subnet from NAT translation.
  • C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
    2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
    3. Place (NAT-Rule-2) above (NAT-Rule-1).
  • D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.
    2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.
    3. Place (NAT-Rule-1) above (NAT-Rule-2).
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Thunnu at March 28, 2024, 9:40 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
krzyb
6 months, 2 weeks ago
None of the answers is correct. A & B talks about the "negate" option which is not available for NAT rules. C & D refers to invalid subnet 10.0.0/23 (only 3 octets). With a source like this, you cannot even save the rule. "We will not check your knowledge, we will make you confused" type of question.
upvoted 1 times
DatITGuyTho1337
5 months, 3 weeks ago
Might have been a typo, to be fair.
upvoted 1 times
...
...
redgi0
7 months, 3 weeks ago
Selected Answer: C
above indeed
upvoted 1 times
...
thelittleyellowbirdie
8 months, 1 week ago
this was in my exam 09/08/2024
upvoted 1 times
...
scanossa
9 months ago
This question was on my exam on July 23rd, 2024
upvoted 1 times
...
[Removed]
9 months, 3 weeks ago
So block the traffic to internet with security policy...
upvoted 2 times
...
Cro13
10 months, 3 weeks ago
Selected Answer: C
C is correct because NAT-Rule-2 need to be above NAT-Rule-1
upvoted 1 times
...
DatITGuyTho1337
1 year ago
Agreed with everyone who answered C!
upvoted 1 times
...
jaypogi16
1 year ago
Selected Answer: C
NAT Rule 2 will never get use if it will place under NAT rule 1
upvoted 2 times
...
b53fdf1
1 year ago
Selected Answer: C
NAT-Rule-2 needs to be above NAT-Rule-1 or else Rule 1 will shadow Rule 2 and Rule 2 will never get used.
upvoted 3 times
...
Thunnu
1 year ago
C should be the right answer
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago