
Exam PCNSA topic 1 question 235 discussion

Actual exam question from Palo Alto Networks's PCNSA
Question #: 235
Topic #: 1


Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the SERVER zone to the DMZ on SSH only.
Which rule group enables the required traffic?
A.

B.

C.

D.

Suggested Answer: C
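The zone-based evaluation the comments below argue about, as an added Python model that is not part of the exam question or of any vendor code: on each firewall the source and destination zones come from the ingress and egress interfaces (route lookup), the packet's addresses are unchanged across the hop (no NAT), and each rulebase is evaluated first-match with an implicit deny at the end. The subnets, zone names and rule sets are constructed assumptions, not values read from the diagram.

```python
import ipaddress

# Constructed topology (assumption): subnets and zone names are illustrative,
# not taken from the exam diagram. Each firewall maps its interfaces to a zone
# and a connected subnet; any address that is not directly connected is reached
# through the default route, i.e. the interlink interface.
FW_A = {
    "interfaces": [("DMZ", "10.0.20.0/24"), ("Interlink", "10.0.10.0/24")],
    "default_zone": "Interlink",
    "rules": [("DMZ", "Interlink", {"ssh", "mysql"}),
              ("Interlink", "DMZ", {"ssh"})],
}
FW_B = {
    "interfaces": [("Interlink", "10.0.10.0/24"), ("SERVER", "172.20.20.0/24")],
    "default_zone": "Interlink",
    "rules": [("Interlink", "SERVER", {"ssh", "mysql"}),
              ("SERVER", "Interlink", {"ssh"})],
}


def zone_for(fw, ip):
    """Zone of the interface that routes to ip: route lookup -> interface -> zone."""
    addr = ipaddress.ip_address(ip)
    for zone, subnet in fw["interfaces"]:
        if addr in ipaddress.ip_network(subnet):
            return zone
    return fw["default_zone"]


def permitted(fw, src, dst, app):
    """First-match evaluation of one firewall's rulebase; no match means deny."""
    src_zone, dst_zone = zone_for(fw, src), zone_for(fw, dst)
    for from_zone, to_zone, apps in fw["rules"]:
        if (from_zone, to_zone) == (src_zone, dst_zone) and app in apps:
            return True
    return False


def end_to_end(path, src, dst, app):
    """A new session succeeds only if every firewall on the path allows it.
    Only the session-initiating direction is checked; return traffic rides the
    established session and needs no rule of its own."""
    return all(permitted(fw, src, dst, app) for fw in path)


def unmatchable_rules(fw):
    """Rules naming a zone that no interface on this firewall belongs to. Such a
    rule can never match, because a packet's zones come only from that
    firewall's own ingress and egress interfaces."""
    zones = {zone for zone, _ in fw["interfaces"]}
    return [r for r in fw["rules"] if r[0] not in zones or r[1] not in zones]
```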

Comments

kvothe86
Highly Voted 2 years, 2 months ago
I can't see the image properly
upvoted 28 times
Oslan
Most Recent 2 months ago
Answer A! It cannot be C, since the interlink zone address corresponds to 10.0.10.x, not 172.20.20.x. Answer A is the most accurate. In option B, the first rule already sends directly from the DMZ source to the server, and the correct answer would be DMZ source and Interlink zone destination.
upvoted 2 times
Aredus
10 months ago
Answer is C as the firewalls are separated by the interlink zone. Firewall A would not have the Server zone and Firewall B would not have the DMZ zone as they are not connected to the respective firewalls. Therefore C is correct.
upvoted 1 times
mariooiram87
1 year, 2 months ago
Answer is A. It can't be B because the rules in that answer do not permit traffic to/from the interlink zone; it is a zone, so remember that would be interzone traffic and you need a rule to permit that. The people that say the server zone is defined on the FWs so the answer is B and bla bla bla are not even looking at the diagram...
upvoted 4 times
pcnsa_exam_taker
1 year, 2 months ago
I see nothing on the image
upvoted 1 times
McMarius11
1 year, 4 months ago
needs more jpeg
upvoted 1 times
DatITGuyTho1337
1 year, 9 months ago
B is the correct answer. It is the rule that allows the required traffic between both zones. And yeah, you have to zoom in real close at the image as it is very poor quality!!!
upvoted 1 times
drogadotcom
1 year, 9 months ago
I think that B is not correct since FWB might not have Server Zone defined. And since "an interface can belong to only one zone" (PCNSA Study Guide zone section) that means the only zone associated to interlink interface is the Interlink one (and cannot be DMZ/Server). That is why I would say C.
upvoted 4 times
nolox
1 year, 9 months ago
Exactly
upvoted 1 times
TheLorenz
1 year, 7 months ago
The server zone is defined on FW B and it shows it in the policies. All it means for an interface can only belong to one zone is you cannot have two zones on the same exact interface, but that doesn't have anything to do with this question as the server zone is already configured on Firewall B and is visible within the policies -- This aspect does not pertain to the question at hand. Further, there's no reason to establish policies for the interlink zone. The firewall will inspect the traffic and permit it, provided there's an allow policy. This process is automatic, without needing specific policies for the interlink zone.
upvoted 1 times
itkare
1 year, 9 months ago
B is correct. Option C does not have the rule to allow Server>DMZ zone traffic on SSH.
upvoted 2 times
khaled_ellaboudy
1 year, 11 months ago
C is correct, as the packet keeps the same source and destination addresses intact, so the rules should be configured accordingly.
upvoted 3 times
nolox
1 year, 9 months ago
Correct
upvoted 1 times
homersimpson
2 years, 2 months ago
Graphics are way low res.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted