Free Palo Alto Networks Cybersecurity-Apprentice Actual Exam Questions - Question 13 Discussion

Question No. 13
You are configuring a Palo Alto Networks firewall for an organization. The goal is to allow inbound traffic
from a trusted partner's IP range (192.168.10.0/24) to access the organization's web server on port 443
securely. At the same time, you must block all other traffic from untrusted external sources to the web
server. Which two actions correctly configure the firewall rules to meet the requirements? (Choose two)
Vikas E.
2026-02-10

B definitely, since it targets the trusted IP range and port 443 specifically. C makes sense too to block everything else from untrusted sources, keeping the access tight and secure.

0
Vikas E.
2026-02-09

It’s definitely B and C again for me. Allowing only that specific IP range to port 443 keeps the access tight and secure, while the deny-all rule makes sure nothing else slips in. A and D don’t really fit because port 80 isn’t part of the requirement, and SSL decryption isn’t necessary just to allow or block traffic. E’s about NAT, which isn’t mentioned or required here. So sticking with B and C covers both allowing the right traffic and blocking everything else effectively.

0
Vikas E.
2026-01-29

It’s B and C. Allowing only the partner’s IP range on port 443 keeps it tight, and having a default deny rule ensures no other traffic sneaks through. The rest don’t directly address the secure, limited access goal.

0
Vikas E.
2026-01-29

Better to rule out A and D here. Port 80 isn’t needed since the question only mentions secure access on 443, so enabling port 80 from all external IPs contradicts the “block all other traffic” part. SSL decryption (D) might be useful but isn’t a must-have to meet the core requirement of allowing trusted IPs and blocking others. B allows the trusted partner’s range explicitly on 443, and C ensures no other untrusted traffic sneaks through, so those two fit best.

0
Shoaib W.
2026-01-26

B imo, since it explicitly allows the partner’s IP range on 443.

0
Andre K.
2026-01-25

Maybe C is key since a deny-all rule after the allow is standard practice. Also, B makes sense because it specifically allows the partner’s IP range on port 443, which fits the requirement perfectly.

0
Imran P.
2026-01-15

B and C

0