Exam PCNSE topic 1 question 254 discussion

Common guys? "Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?" which tool is used to review policy creation and also can verify that Unwanted traffic is not allowed? how on earth Test Policy will tell you what unwanted trafffic will be allowed? :/ I am going for A :)

test policy match

D is right

Forget the exam, at work whenever I create a policy I always verify/test policy match before telling the customer to test.

Test policy won't work on rules that aren't committed yet.

The question was terribly written. He wanted to know how I can ensure that the policies go to the intended Device group in the hierarchy.

Test the policy rules in your running configuration to ensure that your policies appropriately allow and deny traffic and access to applications and websites in compliance with your business needs and requirements. You can test and verify that your policy rules are allowing and denying the correct traffic by executing policy match tests for your firewalls directly from the web interface.

Policy Optimizer is the only option out of the 4 that displays the rules in comprehensive order of the policy

I think D is the best answer https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/test-policy-rule-traffic-matches

You test before adding the rule. Preview Changes only compares the candidate config with the running.

This is a poorly worded question, but the answer is D - test policy match. Goal here to use a tool to verify that you already have a “deny” rule . Test policy match check the current config for the unwanted traffic. There should be a deny or you need to add another rule. Test policy match source ( bad guy) destination (Crown Jewels) action = deny…..

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. If you add a policy to device groups for firewall 2 and 3, you can use Preview changes to ensure that that policy is not going to be applied to FW1 and allow unwanted traffic. Preview Changes will verify your "policy creation logic" - i.e. If I create a policy in this device group it will not be applied to these firewalls.

Answer D https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/test-policy-rule-traffic-matches

"policies that will be deployed" means candidate configuration. and test policy match works on running configuration. so I'm going with A, which I think should be the "preview rule" feature which is on Panorama.

"policies that will be deployed" means candidate configuration. and test policy match works on running configuration. so I'm going with A, which I think should be the "preview rule" feature which is on Panorama.

A is correct. Question is about policies that havent been deployed yet. Test policy match the policies that have already been deployed.

Say check the logic Option D