Palo Alto Networks Certified Network Security Administrator (PCNSA) — Question 228
If traffic from users in the Trusted zone must be allowed to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?
Answer options
- A. Source Zone: Trusted - Destination Zone: DMZ - Services: SSH - Applications: Any - Action: Allow
- B. Source Zone: Trusted - Destination Zone: DMZ - Services: Application-Default - Applications: SSH - Action: Allow
- C. Source Zone: Trusted - Destination Zone: DMZ - Services: Application-Default - Applications: SSH - Action: Deny
- D. Source Zone: Trusted - Destination Zone: DMZ - Services: SSH - Applications: Any - Action: Deny
Correct answer: B
Explanation
The correct answer is B. SFTP runs over SSH, so the rule matches on the SSH application with App-ID and sets the service to Application-Default, which allows that application only on its default port. Option A allows any application on the SSH service, which is too broad, while options C and D deny the traffic, which is not the desired outcome.