Exam PCNSE topic 1 question 542 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 542
Topic #: 1
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?
  • A. Change destination NAT zone to Trust_L3.
  • B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
  • C. Change Source NAT zone to Untrust_L3.
  • D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
Suggested Answer: D
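The NAT rule in the question is only described, not shown, so the following is an added example (not from the page or from Palo Alto Networks) of how a same-zone U-turn NAT rule looks as PAN-OS set commands, first without source translation and then with the source translation that answer D adds. All addresses and rule names are constructed, ethernet1/2 is assumed to be the Trust_L3 interface, and the command syntax is written from memory of the PAN-OS CLI, so verify it against your PAN-OS version.

```text
# Assumed topology (constructed for illustration):
#   client and web server both in Trust_L3; server private IP 10.1.1.50
#   public NAT IP for the server 203.0.113.10; ethernet1/2 = Trust_L3 interface
# Pre-NAT destination zone is Untrust_L3 because the route lookup for
# 203.0.113.10 resolves to the untrust interface, so the NAT rule is
# Trust_L3 -> Untrust_L3 even though both hosts sit in Trust_L3.

# Rule as described in the question: destination translation only.
# The server sees the client's real source IP and answers it directly on the
# LAN, bypassing the firewall (asymmetric flow); the client then drops the
# reply because its source (10.1.1.50) is not the address it connected to.
set rulebase nat rules U-Turn-Web from Trust_L3
set rulebase nat rules U-Turn-Web to Untrust_L3
set rulebase nat rules U-Turn-Web source any
set rulebase nat rules U-Turn-Web destination 203.0.113.10
set rulebase nat rules U-Turn-Web service any
set rulebase nat rules U-Turn-Web destination-translation translated-address 10.1.1.50

# Fix (answer D): also translate the source to the ethernet1/2 address.
# The server now sees the firewall as the client, replies to the firewall,
# and the firewall reverses both translations so the client sees 203.0.113.10.
set rulebase nat rules U-Turn-Web source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy is matched on pre-NAT addresses but post-NAT zones, so the
# allow rule is Trust_L3 -> Trust_L3 with the public IP as destination.
set rulebase security rules Allow-U-Turn from Trust_L3
set rulebase security rules Allow-U-Turn to Trust_L3
set rulebase security rules Allow-U-Turn source any
set rulebase security rules Allow-U-Turn destination 203.0.113.10
set rulebase security rules Allow-U-Turn application any
set rulebase security rules Allow-U-Turn service application-default
set rulebase security rules Allow-U-Turn action allow
```

After committing, `show session all filter destination 203.0.113.10` should show both the source and destination translations on the client's session.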

Comments

Pochex
Highly Voted 1 year, 5 months ago
D is correct, review the example of the U-turn NAT for Hosts and Web Servers in the Same Zone, refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
upvoted 6 times
NullNull88
Most Recent 3 months, 2 weeks ago
Selected Answer: D
This whole setup is absolute bonkers, but OK. They're on the same subnet...
upvoted 1 times
Marshpillowz
10 months ago
Selected Answer: D
D is correct
upvoted 1 times
Andromeda1800
12 months ago
Selected Answer: D
U-NAT for the same zone requires source address translation as well.
upvoted 4 times
Andromeda1800
12 months ago
To expand my vote: if there were no source address translation we'd have two issues. 1. The reply from the server would go directly to the client and not through the firewall, which is asymmetry. 2. The client would reject the server's response, since the source address of the response would be the web server's private IP address and not the public address. Clients usually reject responses from a source address that was not the destination address in their request.
upvoted 4 times
carson1998
1 year, 4 months ago
Lol - Both of these devices are on the same L2 segment. The traffic between these devices would not go above the switch. But I guess D is correct.
upvoted 3 times
regnojispi
1 year, 1 month ago
Actually no - The switch does not know this is going to the NATted address yet so it would forward it out to the FW.
upvoted 2 times
sov4
1 year, 4 months ago
Selected Answer: D
D. This was on the exam... July 2023
upvoted 3 times
[Removed]
1 year, 5 months ago
Selected Answer: D
Adding my vote to D. Same zone U-turn NAT needs source NAT.
upvoted 3 times
[Removed]
1 year, 5 months ago
D https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
upvoted 3 times
mercysayno765
1 year, 5 months ago
I think D is correct https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)