Palo Alto Networks Network Security Analyst (NetSec-Analyst) Exam Materials-Question 20 Discussion

What is the most granular method for ensuring that traffic to a firewall’s public IP address on the public interface is translated to the private IP address of the web server? (Choose one answer)

  • A. Create one NAT policy, set the source address to the public IP address and destination address to the private IP address, and ensure Bi-directional is checked.
  • B. Create one NAT policy, ensure the policy has original packet destination IP as the public IP address and translated packet destination IP as the private IP address, and mark Bi-directional as “Yes.”
  • C. Create one NAT policy, ensure the policy has original packet source IP as the private IP address and the translated packet source IP as the public IP address, and mark Bi-directional as “Yes.”
  • D. Create two static NAT policies, ensure one policy has original packet destination IP as the public IP address and translated packet destination IP as the private IP address, ensure the other policy has original packet source IP as the private IP address and the translated packet source IP as the public IP address.
Correct Answer: B

Brave-Dump Clients Votes

D 100%

Comments
Anonymous User 2026-05-01 19:05:19

Selected Answers: D


Correct answer is D
(keyword is "most granular method")

While Palo Alto Networks allows for Bi-directional NAT (as seen in options B and C) to simplify configuration, it is effectively a "macro" that creates two rules behind the scenes.

Creating two separate static NAT policies (one for Inbound Destination NAT and one for Outbound Source NAT) is considered more granular because it allows you to define different security parameters, services, or zones for each direction of traffic independently.

Manual dual-policy configuration is often preferred in complex environments where you might want the server to use a specific public IP for outbound updates that differs from its primary inbound NAT, or when you need to apply different logging/translation logic to each flow.

Option B always creates an overly permissive NAT policy in the opposite direction, which is not recommended.
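The behaviour the comment describes (one bi-directional static NAT rule standing in for two rules, with the implied reverse rule broader than a rule you write yourself) can be seen in a small policy model. This is an added example, not PAN-OS code and not part of the exam material. The rule names, zones, addresses and services are constructed sample values; the expansion of a bi-directional rule into a reverse rule that matches any service, and modelling the inbound rule's zones as public zone to public zone (because the public IP routes out the public interface), are assumptions of the model rather than documented firewall behaviour.

```python
"""Simplified static NAT rule model (added example, not PAN-OS code).

Assumptions, labelled as such:
  * a bi-directional rule expands into the original rule plus an implied
    reverse rule that swaps the translated/original addresses and matches
    ANY service (static NAT is per address, not per port);
  * inbound traffic to the public IP is evaluated as public-zone -> public-zone,
    because pre-NAT the public IP routes out of the public interface;
  * rules are evaluated top-down, first match wins.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    orig_src: str                    # "any" or an IP address
    orig_dst: str                    # "any" or an IP address
    service: str                     # "any" or e.g. "tcp/443"
    xlat_src: Optional[str] = None   # translated source address (source NAT)
    xlat_dst: Optional[str] = None   # translated destination address (destination NAT)
    bidirectional: bool = False


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str


def expand(rules: List[NatRule]) -> List[NatRule]:
    """Expand every bi-directional source NAT rule into the two rules it implies."""
    out: List[NatRule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.xlat_src:
            # Assumption: the implied reverse rule is public-zone -> public-zone,
            # destination = the public IP, and carries no service restriction.
            out.append(NatRule(
                name=r.name + "-implied-reverse",
                from_zone=r.to_zone, to_zone=r.to_zone,
                orig_src="any", orig_dst=r.xlat_src,
                service="any", xlat_dst=r.orig_src))
    return out


def _match(field: str, value: str) -> bool:
    return field == "any" or field == value


def apply_nat(rules: List[NatRule], pkt: Packet) -> Optional[Tuple[str, Packet]]:
    """Return (matching rule name, translated packet), or None if no rule matches."""
    for r in expand(rules):
        if (r.from_zone == pkt.from_zone and r.to_zone == pkt.to_zone
                and _match(r.orig_src, pkt.src) and _match(r.orig_dst, pkt.dst)
                and _match(r.service, pkt.service)):
            translated = replace(pkt,
                                 src=r.xlat_src or pkt.src,
                                 dst=r.xlat_dst or pkt.dst)
            return r.name, translated
    return None


# Constructed sample configuration: web server 10.0.0.10 behind public IP 203.0.113.10.
BIDIR_RULES = [
    NatRule("server-static", "trust", "untrust", "10.0.0.10", "any", "any",
            xlat_src="203.0.113.10", bidirectional=True),
]

# Two explicit rules: inbound DNAT limited to HTTPS, outbound SNAT on a
# different public IP (the "specific public IP for outbound updates" case).
EXPLICIT_RULES = [
    NatRule("inbound-web", "untrust", "untrust", "any", "203.0.113.10", "tcp/443",
            xlat_dst="10.0.0.10"),
    NatRule("outbound-updates", "trust", "untrust", "10.0.0.10", "any", "any",
            xlat_src="203.0.113.20"),
]

# Constructed sample packets.
INBOUND_SSH = Packet("untrust", "untrust", "198.51.100.7", "203.0.113.10", "tcp/22")
INBOUND_HTTPS = Packet("untrust", "untrust", "198.51.100.7", "203.0.113.10", "tcp/443")
OUTBOUND = Packet("trust", "untrust", "10.0.0.10", "192.0.2.50", "tcp/443")


if __name__ == "__main__":
    for label, rules in (("bi-directional", BIDIR_RULES), ("two explicit rules", EXPLICIT_RULES)):
        print(f"== {label} ==")
        for pkt in (INBOUND_SSH, INBOUND_HTTPS, OUTBOUND):
            print(f"  {pkt.src}->{pkt.dst} {pkt.service}: {apply_nat(rules, pkt)}")
```

Running it shows the implied reverse rule translating the inbound tcp/22 packet to the private address, while the explicit pair leaves it untranslated and sends outbound traffic from the second public IP; that difference is the "different logging/translation logic to each flow" the comment refers to.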