
Exam PCNSE topic 1 question 327 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 327
Topic #: 1

A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1.
In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

  • A. NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16.15.1), Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing
  • B. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (192.168.15.47), Application: web-browsing
  • C. NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Destination Translation: 192.168.15.47; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing
  • D. NAT Rule: Untrust-L3 (any) - Untrust-L3 (any), Destination Translation: 192.168.15.1; Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1), Application: web-browsing
Suggested Answer: A

Comments

secdaddy
Highly Voted 2 years, 3 months ago
A
NAT: source untrust (any), dest untrust (172.16.15.1), dtrans 192.168.15.47
Security: source untrust (any), dest trust (172.16.15.1), application web-browsing

The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).

The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
upvoted 8 times
sujss
1 year, 8 months ago
Couldn't have explained it better, thanks
upvoted 1 times
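The two lookup rules secdaddy quotes (NAT policy matched on pre-NAT zones and addresses; security policy matched on the pre-NAT destination address but the post-NAT destination zone) can be checked mechanically. The following is an added example, not code from the exam page or from Palo Alto Networks: it is a small Python model of the two lookups that runs the question's packet (65.124.57.5 to 172.16.15.1, web-browsing) through each of the four answer options. It assumes a constructed route table in which 172.16.15.1 is reached via the Untrust-L3 side and 192.168.15.0/24 lives in Trust-L3, and it takes the server's real address 192.168.15.47 from options A to C.

```python
import ipaddress
from dataclasses import dataclass

# Constructed route table (an assumption, not stated in the question): the
# published address 172.16.15.1 is reached through the Untrust-L3 side, and
# the server's real address sits in the Trust-L3 subnet.
ROUTES = {
    "192.168.15.0/24": "Trust-L3",
    "172.16.15.0/24": "Untrust-L3",
    "0.0.0.0/0": "Untrust-L3",
}

# The server's real address, as implied by options A-C of the question.
WEB_SERVER = "192.168.15.47"


def zone_for(ip: str) -> str:
    """Return the egress zone for an IP using longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


@dataclass(frozen=True)
class NatRule:
    src_zone: str
    dst_zone: str        # pre-NAT destination zone (route lookup of original dst)
    dst_addr: str        # "any" or the pre-NAT destination IP
    translated_dst: str


@dataclass(frozen=True)
class SecRule:
    src_zone: str
    dst_zone: str        # post-NAT destination zone (where the host really sits)
    dst_addr: str        # "any" or the pre-NAT destination IP
    app: str


def _match(field: str, value: str) -> bool:
    return field == "any" or field == value


def evaluate(pkt: dict, nat: NatRule, sec: SecRule) -> dict:
    """Apply the NAT lookup, then the security lookup, and report the outcome."""
    src_zone = zone_for(pkt["src"])
    pre_nat_dst_zone = zone_for(pkt["dst"])

    # 1. NAT policy lookup: zones and addresses are all pre-NAT.
    nat_hit = (_match(nat.src_zone, src_zone)
               and _match(nat.dst_zone, pre_nat_dst_zone)
               and _match(nat.dst_addr, pkt["dst"]))
    post_nat_dst = nat.translated_dst if nat_hit else pkt["dst"]

    # 2. Security policy lookup: the destination zone comes from a route lookup
    #    of the translated address, but the destination address is still pre-NAT.
    post_nat_dst_zone = zone_for(post_nat_dst)
    sec_hit = (_match(sec.src_zone, src_zone)
               and _match(sec.dst_zone, post_nat_dst_zone)
               and _match(sec.dst_addr, pkt["dst"])
               and _match(sec.app, pkt["app"]))

    delivered_to = post_nat_dst if sec_hit else None
    return {
        "nat_matched": nat_hit,
        "security_matched": sec_hit,
        "delivered_to": delivered_to,
        "reaches_web_server": delivered_to == WEB_SERVER,
    }


# The four answer options, transcribed from the question.
OPTIONS = {
    "A": (NatRule("Untrust-L3", "Untrust-L3", "172.16.15.1", "192.168.15.47"),
          SecRule("Untrust-L3", "Trust-L3", "172.16.15.1", "web-browsing")),
    "B": (NatRule("Untrust-L3", "Trust-L3", "172.16.15.1", "192.168.15.47"),
          SecRule("Untrust-L3", "Trust-L3", "192.168.15.47", "web-browsing")),
    "C": (NatRule("Untrust-L3", "Trust-L3", "172.16.15.1", "192.168.15.47"),
          SecRule("Untrust-L3", "Trust-L3", "172.16.15.1", "web-browsing")),
    "D": (NatRule("Untrust-L3", "Untrust-L3", "any", "192.168.15.1"),
          SecRule("Untrust-L3", "Trust-L3", "172.16.15.1", "web-browsing")),
}

# The packet from the question: external client to the DNS-published address.
PACKET = {"src": "65.124.57.5", "dst": "172.16.15.1", "app": "web-browsing"}


def check_option(letter: str) -> dict:
    nat, sec = OPTIONS[letter]
    return evaluate(PACKET, nat, sec)


if __name__ == "__main__":
    for letter in OPTIONS:
        print(letter, check_option(letter))
```

Running it shows why only A works: B and C put Trust-L3 as the NAT destination zone, so the NAT rule never matches the original packet (whose destination still routes to Untrust-L3) and the security rule, which expects a Trust-L3 destination zone, does not match either, so the session is dropped. D's NAT rule does fire and its security rule does match, but the translation sends the session to 192.168.15.1 instead of the web server (and, as a side effect of the `any` destination, would also rewrite every other Untrust-to-Untrust flow). Note the failure mode of B and C is fail-closed: a security rule written against the post-NAT address simply never matches, which is the symptom to look for when a DNAT publish "should work" but the traffic log shows drops.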
Reliic
Most Recent 5 months, 3 weeks ago
Selected Answer: B
Analysis:

NAT Rule: A incorrectly places the destination zone as Untrust-L3 for the NAT rule. Since the actual server resides in the Trust-L3 zone (192.168.15.47), the NAT rule should translate the destination IP from Untrust-L3 to Trust-L3. B correctly translates the destination IP address 172.16.15.1 (given by DNS) to 192.168.15.47 and sets the destination zone to Trust-L3, where the web server resides.

Security Rule: A uses 172.16.15.1 as the destination IP in the security rule. However, after NAT translation, the destination IP will be 192.168.15.47. This mismatch will result in the traffic being denied because the security rule won't match the translated IP. B uses 192.168.15.47 as the destination IP in the security rule, which matches the post-NAT translated IP, ensuring the rule correctly allows the traffic.

Conclusion: Option B correctly sets the NAT rule to translate the external IP to the internal IP within the Trust-L3 zone and uses the correct translated IP in the security rule to allow the traffic. This makes B the correct configuration.
upvoted 1 times
ALCOSTA35
1 month, 2 weeks ago
With all due respect, this is a PCNSA exam. There is a simple rule: NAT Policy, IP, and Zones pre-NAT. Security Policy, IP pre-NAT, and Zone post-NAT. Memorizing this is very helpful not only for the Exams. The answer can only be A.
upvoted 1 times
VickiF
1 year, 11 months ago
Selected Answer: B
Should be B. Nat is always original source zone/ip and original destination zone/ip. Security policy should be original source zone/ip, original IP, and FINAL destination zone.
upvoted 1 times
sujss
1 year, 8 months ago
Security rules use the pre-NAT (original dst) IP, which is 172.16.15.1. Hence it should be A, not B.
upvoted 1 times
mic_mic
2 years ago
The answer must be none: 172.16.15.1 is not an internet-routable address :-)
upvoted 2 times
confusion
2 years, 2 months ago
Selected Answer: A
A For DNAT, Security rules use pre-NAT IP and post-NAT ZONE.
upvoted 4 times
datz
2 years, 3 months ago
Selected Answer: A
ANSWER = A
upvoted 2 times
bimyo
2 years, 3 months ago
Selected Answer: A
A is correct here. NATpol uses preNAT zones and SECpol uses postNAT zones and preNAT addresses.
upvoted 2 times
mysteryzjoker
2 years, 3 months ago
hmm not sure A is correct. I think B - security policy is post NAT zone and address where packet comes to rest?
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), other (20%)