nerdexam
Palo_Alto_Networks

NETSEC-GENERALIST · Question #2

At a minimum, which action must be taken to ensure traffic coming from outside an organization to the DMZ can access the DMZ zone for a company using private IP address space?

This question tests how Palo Alto Networks firewalls evaluate security policies in relation to NAT, specifically for inbound traffic destined for a private-addressed DMZ. The key principle is that PAN-OS matches security policies against pre-NAT IP addresses but uses the post-NAT

Network Address Translation (NAT) Configuration

Question

At a minimum, which action must be taken to ensure traffic coming from outside an organization to the DMZ can access the DMZ zone for a company using private IP address space?

Options

  • AConfigure static NAT for all incoming traffic.
  • BCreate NAT policies on post-NAT addresses for all traffic destined for DMZ.
  • CConfigure NAT policies on the pre-NAT addresses and post-NAT zone.
  • DCreate policies only for pre-NAT addresses and any destination zone.

Why each option

This question tests how Palo Alto Networks firewalls evaluate security policies in relation to NAT, specifically for inbound traffic destined for a private-addressed DMZ. The key principle is that PAN-OS matches security policies against pre-NAT IP addresses but uses the post-NAT destination zone.

AConfigure static NAT for all incoming traffic.

Configuring static NAT alone is insufficient because NAT policies only handle address translation - a matching security policy must also exist to permit the traffic through the firewall.

BCreate NAT policies on post-NAT addresses for all traffic destined for DMZ.

PAN-OS security policies are matched against pre-NAT addresses, not post-NAT addresses; referencing post-NAT addresses in the security policy would cause a policy miss and traffic would be denied.

CConfigure NAT policies on the pre-NAT addresses and post-NAT zone.
DCreate policies only for pre-NAT addresses and any destination zone.

Using 'any' for the destination zone is not the minimum correct configuration - the destination zone must be the post-NAT zone (the DMZ zone) to accurately match inbound traffic after address translation occurs.

Concept tested: PAN-OS NAT policy pre-NAT address and post-NAT zone matching

Source: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/create-a-nat-rule

Topics

#NAT#Destination NAT#DMZ#Firewall Policies

Community Discussion

No community discussion yet for this question.

Full NETSEC-GENERALIST Practice