PCNSA Question 252 Discussion


Question 252

Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
  • B. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
  • C. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
  • D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
  • E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow
Answer:

ae

User Votes:
A: 3 votes
B: 1 vote
C: 1 vote
D: 2 votes
E: 3 votes
Discussions
sara123
1 month, 3 weeks ago

Based on the information provided in the exhibit, the two Security policy rules that will accomplish the given configuration are:

A. Untrust (Any) to DMZ (1.1.1.100), ssh - Allow
E. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow

The exhibit shows that the administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Therefore, the two security policy rules required are:

Untrust (Any) to DMZ (1.1.1.100), ssh - Allow, which allows SSH traffic from the Untrust zone to the DMZ zone on the server at 10.1.1.101.
Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow, which allows web-browsing traffic from the Untrust zone to the DMZ zone on the server at 10.1.1.100.
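
The reasoning behind answers A and E, modelled as an added example (not part of the original discussion and not PAN-OS code): PAN-OS evaluates Security policy against the pre-NAT destination address and the post-NAT destination zone. The exhibit is not reproduced on this page, so the zone layout and DNAT rules below are assumptions, and each application is reduced to its default port.

```python
# Assumed topology (exhibit not shown on the page): the public IP 1.1.1.100
# lives in Untrust, both servers live in DMZ.
ZONE_OF = {"1.1.1.100": "Untrust", "10.1.1.100": "DMZ", "10.1.1.101": "DMZ"}

# Assumed DNAT rules: (pre-NAT destination, port) -> translated address.
DNAT = {("1.1.1.100", 80): "10.1.1.100", ("1.1.1.100", 22): "10.1.1.101"}

# Simplification: each application is tied to its default port.
APP_PORT = {"web-browsing": 80, "ssh": 22}

# Options A-E from the question: (destination zone, addresses, applications).
# The source is Untrust (Any) in every option, so it is left out.
OPTIONS = {
    "A": ("DMZ", {"1.1.1.100"}, {"ssh"}),
    "B": ("Untrust", {"10.1.1.1"}, {"web-browsing"}),
    "C": ("Untrust", {"10.1.1.1"}, {"ssh"}),
    "D": ("DMZ", {"10.1.1.100", "10.1.1.101"}, {"ssh", "web-browsing"}),
    "E": ("DMZ", {"1.1.1.100"}, {"web-browsing"}),
}


def delivered_to(dst_ip, app):
    """Address the packet is forwarded to after DNAT (unchanged if no rule hits)."""
    return DNAT.get((dst_ip, APP_PORT[app]), dst_ip)


def policy_lookup_key(dst_ip, app):
    """(zone, address) that the Security policy lookup is evaluated against."""
    # The zone is taken from where the translated address lives, but the
    # address compared against the rule is still the original, pre-NAT one.
    return ZONE_OF[delivered_to(dst_ip, app)], dst_ip


def matching_options(dst_ip, app):
    """Names of the options whose zone, address and application all match."""
    zone, addr = policy_lookup_key(dst_ip, app)
    return [name for name, (rule_zone, addrs, apps) in OPTIONS.items()
            if rule_zone == zone and addr in addrs and app in apps]


if __name__ == "__main__":
    for app in ("web-browsing", "ssh"):
        print(app, "->", delivered_to("1.1.1.100", app),
              "allowed by", matching_options("1.1.1.100", app))
```

Option D fails in this model because it lists the translated addresses, and options B and C fail because they pair the pre-NAT zone with an address that is not the public IP.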