PCNSE Question #191: Real Exam Question with Answer & Explanation
The correct answer is C: Untrust (Any) to DMZ (10.1.1.1), web-browsing - Allow.
Question
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two.)
Options
- A. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
- B. Untrust (Any) to Untrust (10.1.1.1), ssh - Allow
- C. Untrust (Any) to DMZ (10.1.1.1), web-browsing - Allow
- D. Untrust (Any) to DMZ (10.1.1.1), ssh - Allow
- E. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
Explanation
In PAN-OS, security policies evaluate the source zone as the pre-NAT zone (Untrust) but the destination zone as the post-NAT zone (DMZ, after DNAT has translated the destination). The destination IP address in the security policy uses the pre-NAT public IP (10.1.1.1), not the translated private IPs. Therefore, the correct rules reference the DMZ zone (post-NAT) with the public IP 10.1.1.1 (pre-NAT address): one rule for web-browsing (routed to Host A) and one for SSH (routed to Host B). Options A and B are incorrect because they reference the Untrust zone as the destination, which is wrong for post-NAT zone matching.