Question 474 of 516
Deploy and Configure Firewalls · hard · Multiple Select · Objective-mapped

Quick Answer

The correct choices are the rule allowing outbound HTTPS using the ssl application from internal users to any destination, and the rule permitting inbound SMTP from any external source to the specific mail server IP. These two rules satisfy all three requirements because the first uses application-based policy to match HTTPS traffic (via the ssl application) for outbound web access, while the second explicitly allows only SMTP inbound to the mail server, implicitly blocking all other inbound traffic by default. On the Palo Alto Networks PCNSE exam, this tests your understanding of application-ID versus service-based rules and the importance of specifying source and destination zones correctly for branch office security rules. A common trap is confusing the ssl application with the service tcp/443; remember that Palo Alto Networks recommends application-based rules for outbound HTTPS and service-based rules only when explicitly required. Memory tip: outbound web uses the app, inbound mail uses the service.

PCNSE Deploy and Configure Firewalls Practice Question

This PCNSE practice question tests your understanding of deploy and configure firewalls. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)


Correct answer & explanation

Rule: from internal to external, source internal-users, destination any, application ssl, service application-default, action allow.

Option B is correct because it uses the 'ssl' application to match HTTPS traffic, which is the proper application-based method for allowing outbound HTTPS. This rule specifies the source as 'internal-users' and destination as 'any', with the action 'allow', meeting requirement (1) without over-permitting. Option C is correct because it creates a rule from 'external' to 'internal', targeting the mail server IP with application 'smtp' and service 'application-default', which blocks all inbound traffic except SMTP to that specific server, satisfying requirement (2).

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Rule: from internal to external, source any, destination any, application any, service tcp/443, action allow.

    Why it's wrong here

    Using service instead of application may allow non-HTTPS traffic on port 443.

  • Rule: from internal to external, source internal-users, destination any, application ssl, service application-default, action allow.

    Why this is correct

    Correctly allows HTTPS with application-based control.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Rule: from external to internal, source any, destination mail-server-ip, application smtp, service application-default, action allow.

    Why this is correct

    Correctly allows inbound SMTP only to the mail server.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Rule: from internal to external, source any, destination any, application any, service any, action allow.

    Why it's wrong here

    Overly permissive; allows all outbound traffic.

  • Rule: from internal to external, source any, destination any, application web-browsing, service application-default, action allow.

    Why it's wrong here

    Allows all web-browsing including HTTP, but requirement is only HTTPS.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse 'web-browsing' (HTTP) with 'ssl' (HTTPS) or rely on port-based rules (service tcp/443) instead of application-based rules, which Palo Alto emphasizes for proper security policy enforcement.

Detailed technical explanation

How to think about this question

Palo Alto Networks firewalls use App-ID to identify traffic based on application signatures, not just port numbers; for HTTPS, the 'ssl' application is the correct match, while 'web-browsing' is for HTTP. The 'service application-default' setting ensures the firewall only allows the default port for the application (e.g., TCP/443 for SSL), providing both application and port-level control. In a real-world scenario, using application-based rules prevents attackers from hiding malicious traffic on standard ports, such as using port 443 for non-SSL applications.
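To make the service-versus-application distinction concrete, here is a small Python model of top-down, first-match rule evaluation over the five candidate rules. It is an added illustration, not code from the page or from Palo Alto Networks: the rule and session encoding, the application-default port table, and the sample sessions are all constructed assumptions rather than PAN-OS behaviour verbatim.

```python
from collections import namedtuple

# A session as the firewall sees it once App-ID has identified the application.
Flow = namedtuple("Flow", "src_zone dst_zone src dst app proto port")
# One security rule in the form the page's options use.
Rule = namedtuple("Rule", "name frm to src dst app service action")

# Standard ports used for application-default (constructed table, not PAN-OS data).
APP_DEFAULT = {"ssl": ("tcp", 443), "web-browsing": ("tcp", 80), "smtp": ("tcp", 25)}

def service_matches(rule, flow):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return APP_DEFAULT.get(flow.app) == (flow.proto, flow.port)
    proto, port = rule.service.split("/")  # e.g. "tcp/443"
    return flow.proto == proto and flow.port == int(port)

def rule_matches(rule, flow):
    return (rule.frm == flow.src_zone and rule.to == flow.dst_zone
            and rule.src in ("any", flow.src) and rule.dst in ("any", flow.dst)
            and rule.app in ("any", flow.app) and service_matches(rule, flow))

def evaluate(rules, flow):
    """First match wins; interzone traffic that matches nothing is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"

# The page's five candidate rules, A to E in the order they are listed.
OPTIONS = {
    "A": Rule("A", "internal", "external", "any", "any", "any", "tcp/443", "allow"),
    "B": Rule("B", "internal", "external", "internal-users", "any", "ssl", "application-default", "allow"),
    "C": Rule("C", "external", "internal", "any", "mail-server-ip", "smtp", "application-default", "allow"),
    "D": Rule("D", "internal", "external", "any", "any", "any", "any", "allow"),
    "E": Rule("E", "internal", "external", "any", "any", "web-browsing", "application-default", "allow"),
}

# Constructed sample sessions; RDP_ON_443 is a non-SSL application hiding on port 443.
HTTPS_OUT = Flow("internal", "external", "internal-users", "198.51.100.20", "ssl", "tcp", 443)
RDP_ON_443 = Flow("internal", "external", "internal-users", "198.51.100.20", "ms-rdp", "tcp", 443)
HTTP_OUT = Flow("internal", "external", "internal-users", "198.51.100.20", "web-browsing", "tcp", 80)
SMTP_IN = Flow("external", "internal", "203.0.113.9", "mail-server-ip", "smtp", "tcp", 25)
SSH_IN = Flow("external", "internal", "203.0.113.9", "mail-server-ip", "ssh", "tcp", 22)
SAMPLES = [("https", HTTPS_OUT), ("rdp_on_443", RDP_ON_443), ("http", HTTP_OUT),
           ("smtp_in", SMTP_IN), ("ssh_in", SSH_IN)]

def verdicts(*options):
    """Decision each sample session gets under the chosen rules (e.g. verdicts("B", "C"))."""
    rulebase = [OPTIONS[o] for o in options]
    return {name: evaluate(rulebase, flow) for name, flow in SAMPLES}
```

Running `verdicts("A")` shows the port-based rule also admitting the RDP-on-443 session, while `verdicts("B", "C")` admits exactly the HTTPS and inbound SMTP sessions and denies the rest.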

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this PCNSE question test?

This question tests the Deploy and Configure Firewalls domain. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Rule: from internal to external, source internal-users, destination any, application ssl, service application-default, action allow. — Option B is correct because it uses the 'ssl' application to match HTTPS traffic, which is the proper application-based method for allowing outbound HTTPS. This rule specifies the source as 'internal-users' and destination as 'any', with the action 'allow', meeting requirement (1) without over-permitting. Option C is correct because it creates a rule from 'external' to 'internal', targeting the mail server IP with application 'smtp' and service 'application-default', which blocks all inbound traffic except SMTP to that specific server, satisfying requirement (2).

What should I do if I get this PCNSE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026


This PCNSE practice question is part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNSE exam.