Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 465

A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Answer options

• A. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. 2. Check the box for negate option to negate this IP from the NAT translation.
• B. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. 2. Check the box for negate option to negate this IP subnet from NAT translation.
• C. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-2) above (NAT-Rule-1).
• D. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-1) above (NAT-Rule-2).

Correct answer: C

Explanation

The correct answer is C because it effectively creates a NAT rule for the entire subnet while ensuring that the specific server (10.0.0.10) remains unaffected by the NAT translation by placing its rule above the general one. Options A and B do not correctly address the requirement to keep the server from being translated, and option D incorrectly prioritizes the broader NAT rule over the specific exclusion, which would lead to the server being translated.