Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 604
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
Answer options
- A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.
- B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.
- C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.
- D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.
Correct answer: A
Explanation
The correct answer is A. DNS rewrite is configured under Destination Address Translation in the Translated Packet section of a NAT rule, and the direction setting determines which address in the DNS response is matched. With direction Forward, the firewall rewrites a DNS response that matches the rule's original destination address (1.1.1.10) to the translated destination address (192.168.1.10), which is exactly what the engineer wants. Option C is wrong because direction Reverse does the opposite: it rewrites a response that matches the translated destination address back to the original destination address. Options B and D are incorrect because a U-Turn NAT rule keyed on UDP/53 only translates the packet headers of DNS traffic; it does not modify the IPv4 address inside the DNS response payload, so it cannot accomplish this requirement.