Palo Alto Networks (PANW) Certified Network Security Administrator (PCNSA) Practice Exam

What should a network security engineer do if internal network traffic is not reaching its DMZ destination?

• A. Check the IP configuration of the internal devices
• B. Restart the firewall device
• C. SSH into the device and add a static route
• D. Increase the bandwidth of the internal network

The correct answer is: SSH into the device and add a static route

The correct course of action when internal network traffic is not reaching its DMZ destination is to SSH into the device and add a static route. This situation suggests that there may be a routing issue preventing traffic from successfully navigating from the internal network to the DMZ. By accessing the device through SSH, the network security engineer can examine the current routing table and determine if there is a lack of a valid route to the DMZ for the specific traffic in question. Adding a static route is a critical step because it directs the firewall on how to handle traffic for a specific destination. A static route defines a fixed path for packets to follow, which can help ensure that any internal traffic destined for the DMZ is properly routed. This is especially relevant if dynamic routing protocols are not being utilized or if a specific path is needed for compliance or performance reasons. Checking the IP configuration of the internal devices, while potentially useful, may not resolve the issue if the routing path to the DMZ is not correctly set up. Similarly, restarting the firewall device may be unnecessary and could lead to service disruptions rather than addressing the root cause of the routing issue. Increasing the bandwidth of the internal network does not address routing problems and would not help the traffic reach its intended destination in the