Palo Alto Networks Exam PCNSE Topic 14 Question 80 Discussion

Actual exam question for Palo Alto Networks's PCNSE exam

Question #: 80
Topic #: 14

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

ACreate a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

BEnable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

CEnable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

DCreate a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Show Suggested Answer

Suggested Answer: B

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

by Dorothy at Jan 25, 2024, 12:07 AM

Limited Time Offer

25%

Off

Get Premium PCNSE Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Delmy

11 months ago

Okay, I can see that. But why do we need a U-Turn NAT for this scenario? Wouldn't that just complicate things unnecessarily?

upvoted 0 times

...

Romana

11 months ago

Yeah, I agree with Lemuel. The key is to have the DNS rewrite in the Translated Packet section, and the direction should be Reverse since we're translating the response, not the original request.

upvoted 0 times

...

Lemuel

11 months ago

I think option C is the way to go here. We need to enable DNS rewrite in the Translated Packet section with the direction set to Reverse.

upvoted 0 times

...

Chi

11 months ago

Hmm, this question seems tricky. We need to make sure the firewall is correctly rewriting the DNS response based on the NAT rule.

upvoted 0 times

Huey

10 months ago

C) Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

upvoted 0 times

...

Ammie

10 months ago

B) Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

upvoted 0 times

...