PCNSA Question #376: Real Exam Question with Answer & Explanation
Question
An administrator needs to create a Security policy rule that matches DNS traffic sourced from either the LAN or VPN zones, destined for the DMZ or Untrust zones. The administrator does not want to match traffic where the source and destination zones are LAN, and also does not want to match traffic where the source and destination zones are VPN. Which Security policy rule type should they use?
Options
- A. Interzone
- B. Universal
- C. Intrazone
- D. Default
Explanation
The correct answer is A: Interzone. An Interzone rule type in PAN-OS matches only traffic whose source zone and destination zone differ. With source zones LAN and VPN and destination zones DMZ and Untrust on an Interzone rule, the firewall matches only the cross-zone combinations (LAN→DMZ, LAN→Untrust, VPN→DMZ, VPN→Untrust). It will not match traffic whose source and destination are the same zone (LAN→LAN or VPN→VPN), which is exactly what the administrator requires. A Universal rule would also match the intrazone combinations, and an Intrazone rule would match only same-zone traffic; both are wrong for this use case.