A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?
- A: There is no NAT policy to translate the source IP.
  Why wrong: Without NAT, the packet would still be forwarded.
- B: The destination IP is not reachable from the firewall.
  If the firewall cannot route to the destination, it will drop the SYN.
- C: The firewall is not configured to inspect HTTP traffic.
  Why wrong: Inspection occurs after the session is established.
- D: The security policy does not have an allow rule for HTTP.
  Why wrong: If there were no allow rule, the SYN would be dropped with a deny reason.