Palo Alto Networks Certified Network Security Administrator (PCNSA) — Question 245
How would a Security policy need to be written to allow outbound traffic using Secure Shell (SSH) to destination ports tcp/22 and tcp/4422?
Answer options
- A. The admin creates a custom service object named "tcp-4422" with port tcp/4422. The admin then creates a Security policy allowing application "ssh" and service "tcp-4422".
- B. The admin creates a custom service object named "tcp-4422" with port tcp/4422. The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "application-default".
- C. The admin creates a custom service object named "tcp-4422" with port tcp/4422. The admin also creates a custom service object named "tcp-22" with port tcp/22. The admin then creates a Security policy allowing application "ssh", service "tcp-4422", and service "tcp-22".
- D. The admin creates a Security policy allowing application "ssh" and service "application-default".
Correct answer: C
Explanation
Option C is correct because it creates custom service objects for both tcp/22 and tcp/4422, which are needed to allow SSH traffic on both ports. Options A and B do not include the necessary service object for tcp/22, making them insufficient. Option D defines none of the required port services, so the policy is limited to application-default only and does not cover tcp/4422.