Exam PCNSE topic 1 question 32 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 32
Topic #: 1
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two Security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
  • B. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
  • C. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow
  • D. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
  • E. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
Suggested Answer: CD

Comments

achille5
Highly Voted 3 years, 10 months ago
C, D and D should be Untrust (Any) to DMZ (1.1.1.101), ssh - Allow
upvoted 6 times
anak1n
3 years, 10 months ago
Yeah, the answer's .101 last octet is wrong, but it is straightforward ;)
upvoted 1 times
achille5
3 years, 9 months ago
Correction: It's CD. NAT policy is given already. Ignore Above :D
upvoted 2 times
utahman3431
3 years, 10 months ago
I think it is correct as written. 1.1.1.100 is the pre-NAT IP, and all web/ssh traffic should go to it. Once it hits the NAT policy, the IP will be translated to 10.1.1.100/10.1.1.101.
upvoted 6 times
confusion
Highly Voted 2 years, 11 months ago
Selected Answer: CD
Security policies use pre-NAT addresses and post-NAT zones, so C+D.
upvoted 5 times
j4v13rh4ack
Most Recent 1 month, 4 weeks ago
Selected Answer: CD
According to the image, when packets arriving from the internet hit the 1.1.1.100 IP address, the destination will be translated, depending on the port (80 or 22), to 10.1.1.100 for HTTP queries or to 10.1.1.101 for SSH queries. The pre-NAT address should be referenced in the security policy destination address column along with the post-NAT zone.
upvoted 1 times
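To make the evaluation order in the post above concrete, here is an added simulation of how the firewall matches the NAT rule on pre-NAT zones, then the Security rule on the post-NAT zone but the original destination IP. This is example code written for this discussion, not from the question, the exhibit or Palo Alto Networks; the routing table, the NAT rule representation, the source address 203.0.113.7 and the port-based app lookup are constructed assumptions.

```python
"""Simulate PAN-OS DNAT + Security policy evaluation for the exhibit's scenario.
Routes, NAT rules and the port->app lookup are constructed assumptions."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed routing table: longest-prefix match decides an address's zone.
ROUTES = [(ip_network("10.1.1.0/24"), "DMZ"), (ip_network("0.0.0.0/0"), "Untrust")]
# Simplified App-ID by port; the real firewall identifies the app from the payload.
APP_BY_PORT = {80: "web-browsing", 22: "ssh"}
NatRule = namedtuple("NatRule", "from_zone to_zone dst port translated")
SecRule = namedtuple("SecRule", "name from_zone to_zone dsts apps action")
# DNAT one-to-many as in the question: one public IP, steered by destination port.
NAT_RULES = [NatRule("Untrust", "Untrust", "1.1.1.100", 80, "10.1.1.100"),
             NatRule("Untrust", "Untrust", "1.1.1.100", 22, "10.1.1.101")]

def zone_for(ip):
    """Forwarding lookup: zone of the longest-prefix route containing ip."""
    return max((r for r in ROUTES if ip_address(ip) in r[0]),
               key=lambda r: r[0].prefixlen)[1]

def evaluate(src, dst, dport, sec_rules):
    """Return (rule name, action); ('default', 'deny') is the interzone default."""
    src_zone, pre_zone = zone_for(src), zone_for(dst)
    # 1. NAT policy is matched on pre-NAT zones and the original destination.
    nat = next((n for n in NAT_RULES if n.from_zone == src_zone and n.to_zone == pre_zone
                and n.dst == dst and n.port == dport), None)
    # 2. A second route lookup on the translated address yields the post-NAT zone.
    post_zone = zone_for(nat.translated) if nat else pre_zone
    app = APP_BY_PORT.get(dport)
    # 3. Security policy: post-NAT zones, but still the ORIGINAL destination IP.
    for r in sec_rules:
        if (r.from_zone == src_zone and r.to_zone == post_zone
                and dst in r.dsts and app in r.apps):
            return r.name, r.action
    return "default", "deny"

# The answer options, encoded as rule sets exactly as the question lists them.
OPTIONS = {
    "CD": [SecRule("C", "Untrust", "DMZ", {"1.1.1.100"}, {"web-browsing"}, "allow"),
           SecRule("D", "Untrust", "DMZ", {"1.1.1.100"}, {"ssh"}, "allow")],
    "AB": [SecRule("A", "Untrust", "Untrust", {"10.1.1.1"}, {"web-browsing"}, "allow"),
           SecRule("B", "Untrust", "Untrust", {"10.1.1.1"}, {"ssh"}, "allow")],
    "E": [SecRule("E", "Untrust", "DMZ", {"10.1.1.100", "10.1.1.101"},
                  {"ssh", "web-browsing"}, "allow")],
}

def verdicts(option, src="203.0.113.7"):
    """Actions for an HTTP and an SSH session to the public IP under one option."""
    return {p: evaluate(src, "1.1.1.100", p, OPTIONS[option]) for p in (80, 22)}
```

Only the C/D pair allows both sessions: A/B fail because the post-NAT destination zone is DMZ, not Untrust, and E fails because the Security rule is matched against the untranslated destination 1.1.1.100, which is not in E's address list.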
Marshpillowz
12 months ago
Selected Answer: CD
Answer is C and D
upvoted 1 times
JRKhan
1 year ago
Selected Answer: CD
C and D are correct. Security policies use post-NAT zones and pre-NAT IP addresses.
upvoted 1 times
_3_
1 year, 2 months ago
Selected Answer: E
Wouldn't E be the only possible answer? Someone correct me if I am wrong but security policies are applied post-NAT, so C and D referencing the pre-NAT IP would be incorrect. E is the only answer with correct post-NAT zone and IPs.
upvoted 3 times
nsg79
1 year, 4 months ago
Selected Answer: AB
The correct answer is AB; the answer is right here from Palo Alto: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#idfe075fbd-c132-4c52-b4c4-5adc7f4fc0bc
upvoted 2 times
Kris92
1 year, 2 months ago
The link explains this exact scenario and if you look at the security policy from the documentation it matches C, D. You might have looked at the NAT policy which needs to be configured with source and destination zone Untrust, but the question is about the security policy.
upvoted 2 times
Redrum702
1 year, 7 months ago
Ok, I understood this was to write a DNAT policy. Correct answers are C/D. But for a DNAT it would be A/B :)
upvoted 1 times
Redrum702
1 year, 7 months ago
A/B: For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3. DNAT allows you to rewrite the destination IP address and port of incoming traffic and redirect it to a different destination IP address and port. DNAT is commonly used for scenarios such as exposing internal servers to the internet or redirecting traffic to specific services. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
upvoted 1 times
daytonadave2011
1 year, 10 months ago
This is a very poorly written question with answers. It should say D. 10.1.1.101 instead of 10.1.1.100.
upvoted 2 times
lol12
2 years, 2 months ago
Selected Answer: CD
Answer CD
upvoted 1 times
fireb
2 years, 3 months ago
Correct answers: C & D.
upvoted 1 times
secdaddy
2 years, 3 months ago
Selected Answer: CD
Agree, C and D, assuming a typo in D (otherwise maybe CE). The box at the top is misleading, since the NAT rules must use the pre-NAT IP 1.1.1.100 as dest. Actual DNAT rules must refer to the pre-translated dest address 1.1.1.100 with szone and dzone both = untrust-l3; security rules also use the pre-translated dest address 1.1.1.100 and szone untrust-l3, but dzone = DMZ.
upvoted 1 times
juan_L
2 years, 5 months ago
Shame. I hope it is a typo and D actually refers to 1.1.1.101. E means that it opens SSH for the rest of the company; OK, maybe it can't be accessed from the internet, but now it has created SSH open for all the zones of the company where NAT is not queried. This is a very, very, very bad example. Try not to learn from these questions. Sadly, if there is no typo, the correct answer is CE.
upvoted 1 times
Pretorian
2 years, 4 months ago
Why the entire company? There are only 2 IPs as destination.
upvoted 1 times
Pretorian
2 years, 4 months ago
Plus destination is DMZ only.
upvoted 1 times
UFanat
2 years, 7 months ago
Selected Answer: CD
For firewall rules you should use the DMZ zone but the external IP. For NAT rules, the External (untrust) zone and the external IP.
upvoted 2 times
Kane002
3 years, 2 months ago
I actually got this exact question on my PCNSA.
upvoted 1 times
Prutser2
3 years, 6 months ago
Security policies use pre-NAT addresses but post-NAT zones, so D.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other