Exam PCNSE topic 1 question 32 discussion

C, D and D should be Untrust (Any) to DMZ (1.1.1.101), ssh - Allow

Security policies use pre-NAT addresses and post-NAT zones. so C+D

C and D is correct as per NAT

According with the image when the packets arriving from internet knock the 1.1.1.100 ip address, depending on the port (80 or 22) will translate the destination to 10.1.1.100 for http queries or to 10.1.1.101 for ssh queries. the pre-nat address should be referenced in the security policy destination address column along with the post nat zone.

Answer is C and D

C and D are correct. Security policies use post-nat zones and pre-nat ip addresses.

Wouldn't E be the only possible answer? Someone correct me if I am wrong but security policies are applied post-NAT, so C and D referencing the pre-NAT IP would be incorrect. E is the only answer with correct post-NAT zone and IPs.

correct answer is AB answer is right here from palo alto: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#idfe075fbd-c132-4c52-b4c4-5adc7f4fc0bc

Ok, I understood this was to write a DNAT policy. Correct answers are C/D. But for a DNAT it would be A/B :)

A/B: For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3. DNAT allows you to rewrite the destination IP address and port of incoming traffic and redirecting it to a different destination IP address and port. DNAT is commonly used for scenarios such as exposing internal servers to the internet or redirecting traffic to specific services. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

This is a very poorly written question with answers. It should say D. 10.1.1.101 instead of 10.1.1.100.

Answer CD

Correct answers: C & D.

Agree C and D assuming a typo in D (otherwise maybe CE) The box at the top is misleading since the NAT rules must use the pre-nat IP 1.1.1.100 as dest actual DNAT rules must refer to pre-translated dest address 1.1.1.100 with szone and dzone both = untrust-l3 security rules also use pre-translated dest address 1.1.1.100 and szone untrust-l3 but dzone = DMZ

Shame- I hope to be a typo and actually D - refers to 1.1.1.101, E - means that it opens ssh for the rest of the company, OK maybe cant access from internet but now it have created a ssh open for all the zones of the company where NAT is not quered, this is a very, very, very bad example. Try not to learn from that questions. Sadly if there is no typo, correct is CE

For firewall rules you should use DMZ zone but external IP. For NAT rules - External (untrust) zone and external IP.

I actually got this exact question on my PCNSA.