PCNSE · Question #316
PCNSE Question #316: Real Exam Question with Answer & Explanation
The correct answer is D: ethernet1/3. Option D is correct because when a Palo Alto firewall receives traffic on ethernet1/6 from 192.168.111.3 destined for 10.46.41.113, it performs a route lookup in the virtual router's routing table (or evaluates any Policy-Based Forwarding rules active at that time), and the longe
Question
What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?
Options
- Aethernet1/7
- Bethernet1/5
- Cethernet1/6
- Dethernet1/3
Explanation
Option D is correct because when a Palo Alto firewall receives traffic on ethernet1/6 from 192.168.111.3 destined for 10.46.41.113, it performs a route lookup in the virtual router's routing table (or evaluates any Policy-Based Forwarding rules active at that time), and the longest-prefix match for 10.46.41.113 resolves to a next-hop reachable via ethernet1/3.
Why the distractors are wrong:
- A (ethernet1/7) and B (ethernet1/5) are other valid interfaces on the firewall but do not match the route entry for the 10.46.41.x subnet shown in the image - their associated routes cover different destination prefixes.
- C (ethernet1/6) is the ingress interface; while same-interface egress is theoretically possible, the routing table in the image points outbound traffic for this destination to ethernet1/3, making C a classic trap for test-takers who confuse source zone with destination zone.
Memory tip: On Palo Alto exams, always focus on the destination IP to determine egress - the firewall does a longest-prefix match in the routing table, not based on where traffic came from. If the image shows a routing table, find the most specific route (longest mask) that matches the destination; the interface listed on that route entry is your answer.
Topics
Community Discussion
No community discussion yet for this question.