Exam PCNSA topic 1 question 207 discussion

The answer is B. A is incorrect - no internet access, DST addresses are too strictly definedd; C is incorrect - SRC and DST addresses do not correspond to Zones; D is incorrect - the SRC address does not match the SRC zone.

Answer should be A as the questions asks for the most restrictive but functional rule.

Please, fix this. C has the wrong Source Subnet IP address for the Trust. It is wrong. The only possible answer is B. A only allows traffic to 1.1.1.0/24 instead of all Internet, which would be correct if we use NAT policy, but the question does not mention NAT.

I think the answer B is good but not restrictive, however A could be a better choice as it is more restrictive and if we allow it to the destination address of 1.1.1.0/24 using services "SSL,SSH and web-browsing will it be able to use the internet? if this is a yes then A would be the best answer if not its going to have to be B. please respond anyone.

C has the wring address and mask /12 for the source zones. B does not specify the destination address, so it is functional but it is not restrict. A is the answer because restricts to only the shown subnets.

Correct answer B

Ans should A. As B is functional but not restrictive.

B is the answer for sure

B sure, source is 192 and 172

B sure

B sure

Answer B

"most restrictive, yet fully functional rule" is key word answer should be A (i think)

B is correct

The answer is A because the question is asking for the most restrictive means to access the DMZ and untrust zones from the Guest and Trust zones. In answer A, the rule restricts access to the destination IP address subnet ranges of the DMZ and Untrust zone destination addresses, whereas answer B pretty much says you can connect to any address in the DMZ and Untrust subnets. A is the correct answer.

B is the correct answer. You need to allow traffic to any destination for internet access.

It should be B.