Exam PCNSA topic 1 question 55 discussion

Actual exam question from Palo Alto Networks's PCNSA
Question #: 55
Topic #: 1

A server-admin in the USERS-zone requires SSH-access to all possible servers in all current and future Public Cloud environments. All other required connections have already been enabled between the USERS- and the OUTSIDE-zone. What configuration-changes should the Firewall-admin make?

  • A. Create a custom-service-object called SERVICE-SSH for destination-port-TCP-22. Create a security-rule between zone USERS and OUTSIDE to allow traffic from any source IP-address to any destination IP-address for SERVICE-SSH
  • B. Create a security-rule that allows traffic from zone USERS to OUTSIDE to allow traffic from any source IP-address to any destination IP-address for application SSH
  • C. In addition to option A, a custom-service-object called SERVICE-SSH-RETURN that contains source-port-TCP-22 should be created. A second security-rule is required that allows traffic from zone OUTSIDE to USERS for SERVICE-SSH-RETURN for any source-IP-address to any destination-IP-address
  • D. In addition to option c, an additional rule from zone OUTSIDE to USERS for application SSH from any source-IP-address to any destination-IP-address is required to allow the return-traffic from the SSH-servers to reach the server-admin
Suggested Answer: B

Comments

Alessandro1986
4 months, 2 weeks ago
I understand that PA NGFW only manages stateful, and due to that it is not necessary to create return rules, so a couple of options are my discards and the answer chosen is option B.
upvoted 1 times
...
rt_85
1 year, 3 months ago
None of these are good options, guess I'll go with the group. Why would I allow any-any for SSH instead of something more specific with App-ID for the singular user that needs access?
upvoted 4 times
...
Blender808
1 year, 4 months ago
B ... for far from BEST practice
upvoted 1 times
...
manami
1 year, 11 months ago
Not a good question because in the first words it mentions a user, not any, as the source user, but overall B is better than the other options!
upvoted 3 times
...
PLO
2 years, 4 months ago
Selected Answer: B
The others are already pre-defined in a way. SSH is already port 22
upvoted 2 times
...
RahulGawale19
2 years, 6 months ago
B is Correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other