Palo Alto Networks NGFW Engineer — Question 62
An administrator configures a GlobalProtect gateway with split tunneling for network traffic based on an access route. Users report that public web browsing works, but they cannot resolve the names of internal servers. The administrator determines that all DNS queries are being sent to the public DNS servers configured on the users' endpoints.
Which GlobalProtect portal setting should be configured to resolve this issue?
Answer options
- A. Split tunneling for DNS and specify the internal corporate domains in the "Domain" list
- B. DNS Proxy feature on the firewall to point clients to the gateway IP for DNS
- C. "DNS Forwarding" option on the gateway's tunnel interface
- D. NAT rule to allow DNS traffic from the GlobalProtect clients to the internal DNS servers
Correct answer: A
Explanation
The correct answer is A: enabling split tunneling for DNS and listing the internal corporate domains in the "Domain" list allows DNS queries for those domains to be resolved correctly, instead of being sent to the public DNS servers configured on the users' endpoints. Options B and C do not address the issue of directing DNS queries to the internal servers, and D involves NAT rules, which are unnecessary when split tunneling for DNS is properly configured.