Exam PCNSE topic 1 question 254 discussion

Common guys? "Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?" which tool is used to review policy creation and also can verify that Unwanted traffic is not allowed? how on earth Test Policy will tell you what unwanted trafffic will be allowed? :/ I am going for A :)

I think D is the best answer https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/test-policy-rule-traffic-matches

You test before adding the rule. Preview Changes only compares the candidate config with the running.

This is a poorly worded question, but the answer is D - test policy match. Goal here to use a tool to verify that you already have a “deny” rule . Test policy match check the current config for the unwanted traffic. There should be a deny or you need to add another rule. Test policy match source ( bad guy) destination (Crown Jewels) action = deny…..

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. If you add a policy to device groups for firewall 2 and 3, you can use Preview changes to ensure that that policy is not going to be applied to FW1 and allow unwanted traffic. Preview Changes will verify your "policy creation logic" - i.e. If I create a policy in this device group it will not be applied to these firewalls.

Answer D https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/test-policy-rule-traffic-matches

"policies that will be deployed" means candidate configuration. and test policy match works on running configuration. so I'm going with A, which I think should be the "preview rule" feature which is on Panorama.

"policies that will be deployed" means candidate configuration. and test policy match works on running configuration. so I'm going with A, which I think should be the "preview rule" feature which is on Panorama.

A is correct. Question is about policies that havent been deployed yet. Test policy match the policies that have already been deployed.

Say check the logic Option D

D for me

Answer is A. Preview Changes asks the firewall to compare the configurations you selected in the Commit Scope to the running configuration. The answer is not Test Policy Match, which tests policy rules in your running configuration. Preview Changes is pre-commit, Test Policy Match is post-commit.

preview (before) commit and review ( after commit). and the question is " ..........administrator use to review the policy creation and verify that unwanted traffic is not allowed". this similar to question # 1

The correct option is D Test Policy Match

The question doesn´t say "preview", it says "review". It could involve rules already deployed, som answer D. Answer A doesn't show if a specific traffic is allowed or not

Preview will only show the changes, which is not enough to determine if traffic will be allowed or denied. This is a collective result of all the rules old and new. I think D is the most acceptable answer for this poorly worded question.

Test policy match works after commiting the config, so you belowed up the network then you want to check it!!!