Test - Palo Alto Networks Certified Network Security Engineer (PCNSE):

Exam Practice Questions

PCNSE Practice Questions

Question 1 of 60.

Which Virtual Wire Tag Allowed value(s) will allow only untagged traffic to traverse a virtual wire?

 "any"

 1-4094

 0-4094

 0

Mark for follow up

Question 2 of 60.

Given the following routing table: Which nexthop(s) would be added to the forwarding information base (FIB) for the
192.168.93.0/30 network?

 10.66.24.88

 10.66.24.93

 10.66.24.88, 10.66.24.93

 0.0.0.0

Mark for follow up

Question 3 of 60.

A Security Operations Center (SOC) has been provided a list of 10,000 malicious URLs. They were asked not to
share this list outside of the organization. The Chief Information Security Officer has requested that all user access to
these URLs be filtered and blocked immediately to prevent potential breaches. However, the inline Palo Alto
Networks firewall is NOT licensed for URL Filtering. What is an efficient method for blocking access to these URLs?

 Import the URLs to a Custom URL Category and reference the URL Category in a Security policy rule set to
deny.

 Import the URLs to a Dynamic Block List and reference the Dynamic Block List in a Security policy rule set to
deny.
  Submit a Bulk Change Request via the Palo Alto Networks Support Portal containing the list of the URLs,
request that the URLs be categorized as “Malware,” and set the action to "block" for the Malware category in a URL
Filtering profile.

 Use a script to automatically import each URL domain as an FQDN address object.

Mark for follow up

Question 4 of 60.

Which method can be used to verify that the firewall is transmitting packets to the correct destination?

 Verify the contents of the ARP table for the egress interface.

 Collect packet captures from the transmit stage on the firewall.

 Compare the routing table to the FIB table to ensure there are no discrepancies.

 Capture packet in the receive stage on the firewall.

Mark for follow up

Question 5 of 60.

Which mechanism is used to trigger a High Availability (HA) failover in the event the management plane becomes
unresponsive in the active firewall?

 Link Monitoring

 Path Monitoring

 Heartbeat Polling

 SNMP Polling

Mark for follow up

Question 6 of 60.

A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages
are forwarded to a syslog receiver. There are currently 20 PA-5060 firewalls, each of which is configured to forward
syslogs individually. The security engineer wants to leverage their two M-100 appliances to send syslog messages
from a single source and already has deployed one in Panorama mode and the other as a Log Collector. What is the
remaining step in this solution?

 Configure a Syslog Proxy Profile

 Configure Collector Log Forwarding

 Configure a Panorama Log Forwarding Profile

 EnableSyslogAggregation
 Mark for follow up

Question 7 of 60.

A company has decided to install a Palo Alto Networks firewall using VWire interfaces. Because of pre-existing
network configurations, the traffic on the upstream and downstream devices can have 802.1Q tags with the following
values: 5 10 11 12 13 14 15 25 30 - How should the network administrator configure the Tag Allowed field of the
VWire to allow only traffic with 802.1Q tag values of 11, 12, and 14?

 [10-15]

 {11-14}

 11,12,14

 0

Mark for follow up

Question 8 of 60.

Which feature of the Palo Alto Networks firewall was designed to minimize network latency on the data plane?

 Single-Pass Parallel Processing Architecture

 Multi-Pass Packet Stream Processing Engine

 Automated Dynamic Content Update Scheduler

 Standard XML-formatted configuration file

Mark for follow up

Question 9 of 60.

What is the proper method to determine which active sessions on the firewall matched a security rule named "ftp-
out"?

 In the CLI, run the command "show session all filter rule ftp-out".

 Apply the filter "(rule eq ftp-out) and (subtype eq start)" to the traffic logs.

 In the CLI, run the command "show session all filter application ftp".

 Apply the filter "(application eq ftp) and (subtype eq end)" to the traffic logs.

Mark for follow up

Question 10 of 60.
A user is reporting that they cannot download a PDF file from the internet. Which option will show whether the
downloaded file has been blocked by a Security Profile?

 Filter the System log for "Download Failed" messages.

 Filter the Data Filtering logs for the user's traffic and the name of the PDF file.

 Filter the Traffic logs for all traffic from the user that resulted in a deny action.

 Filter the Session Browser for all sessions from the user with the application "adobe".

Mark for follow up

Question 11 of 60.

Which source address translation type will allow multiple devices to share a single translated source address while
using a single NAT Policy rule?

 Static IP

 Bidirectional

 Dynamic IP

 Dynamic IP and Port

Mark for follow up

Question 12 of 60.

Which two techniques become available only after upgrading from a legacy firewall to a Palo Alto Networks next-
generation firewall? (Choose two.)

 Limiting applications to using only their standard port numbers

 Differentiating between traffic for the base Facebook application and traffic using Facebook Chat

 Distinguishing between SSH v1 and SSH v2 in a traffic stream

 Dynamically opening small holes in the firewall to permit FTP data transfers, instead of being required to open
all high port numbers

Mark for follow up

Question 13 of 60.

Which Panorama feature allows for aggregated device logs to be forwarded to an external security information and
event management (SIEM) system?

 Log Forwarding Profile

 Scheduled Log Aggregation and Forwarding

 Device Group Log Forwarding Profiles

  Collector Log Forwarding for Collector Groups

Mark for follow up

Question 14 of 60.

Which GlobalProtect deployment strategy could be leveraged to expand a company's global VPN footprint without
incurring hosting fees for physical equipment?

 GlobalProtect Satellite

 MDM (Mobile Device Manager)

 LSVPN (Large Scale VPN)

 VM-Series for AWS (Amazon Web Services)

Mark for follow up

Question 15 of 60.

Where can the oversubscription rate be adjusted on platforms that support NAT oversubscription?

 IIn the CLI, by using the command set session offload

 In CLI configuration mode, by issuing the command set deviceconfig setting nat reserve-ip with the appropriate
argument

 In the GUI, under Device -> Setup -> Session -> Session Settings

 In the GUI, by selecting the individual rule name and making the adjustment under the Translated Address tab

Mark for follow up

Question 16 of 60.

Which item can be configured with IPv6 addresses on a Palo Alto Networks firewall?

 BGP

 OSPFv3

 RIPv2

 DHCP Server

Mark for follow up

Question 17 of 60.
Which interface type provides support for point-to-point protocol over Ethernet (PPPoE)?

 PPP

 Layer3

 Layer2

 Virtual wire

Mark for follow up

Question 18 of 60.

Which action will allow a firewall administrator to determine which NAT rules have NOT been matched since the last
reboot?

 From the CLI, issue the command show running nat-policy command.

 In the GUI, select the Highlight Unused Rules option under Policies -> NAT.

 From the CLI, issue the command show session all filter nat-rule command.

 From the CLI, issue the command test nat-policy-match against each configured rule.

Mark for follow up

Question 19 of 60.

A Management Profile to allow SSH access has been created and applied to interface ethernet1/1. A security rule
with the action "deny" is applied to packets from "any" source zone to "any" destination zone. What will happen when
someone attempts to initiate an SSH connection to ethernet1/1?

 SSH access to the interface will be denied because intra-zone traffic is denied.

 SSH access to the interface will be allowed because intra-zone traffic is allowed by default.

 SSH access to the interface will be allowed because inter-zone traffic is allowed.

 SSH access to the interface will be allowed because the Management Profile is applied before the Security
policy.

Mark for follow up

Question 20 of 60.

A company is deploying a pair of PA-5060 firewalls in an environment requiring support for asymmetric routing.
Which High Availability (HA) mode best supports this design requirement?

 Active-Active mode

 HA-LiteActive-Passivemode
  Active-Passive mode

 Active-Passive mode with "tcp-reject-non-syn" set to "no"

Mark for follow up

Question 21 of 60.

You are analyzing a specific device group from Panorama and notice there are a very large number of "insufficient-
data" log entries. What is known for certain about the "insufficient-data" in this display? Consider the following data:

 The number of bytes in the extra packets sent in a DoS attack

 The number of bytes sent in packets where the application could not be identified

 The number of bytes sent by hosts attempting to transmit malware

 The number of bytes sent in sessions that were never fully opened with a SYN, SYN- ACK, ACK sequence

Mark for follow up

Question 22 of 60.

Which two external authentication methods can be used with Authentication Profiles in PAN-OS? (Choose two.)

 NTLM

 RADIUS

 LDAP

 RSH

Mark for follow up

Question 23 of 60.

In which scenario would an active/active High Availability (HA) deployment be recommended instead of an
active/passive HA pair?

 There is a need to load balance the traffic on the network.

 There is a need to double the net throughput capacity of the HA pair.

 There is a need for the firewalls to load balance the traffic on the network.

 There is a potential for asymmetric routing to occur.

Mark for follow up

Question 24 of 60.

A Palo Alto Networks firewall has been configured with multiple virtual systems and is administered by multiple
personnel. Several administrators are logged into the firewall and are making configuration changes to separate
virtual systems at the same time. Which option will ensure that no single administrator's changes are interrupted or
undone by another administrator while still allowing all administrators to complete their changes prior to issuing a
commit?

 Each administrator sets a shared configuration lock.

 Each administrator sets a configuration and commit lock for the vsys to which they are making changes.

 One administrator sets a shared configuration lock and each administrator sets a commit lock.

 Each administrator sets a shared commit lock.

Mark for follow up

Question 25 of 60.

A Security policy accepts new FTP traffic sessions between 8:00 a.m. and 5:00 p.m. What happens to an already-
accepted and running FTP session at 5:01 p.m.?

 The session continues to run, because already-accepted sessions are not re- evaluated.

 The session is re-evaluated if the default configuration setting “Rematch all sessions on config policy change” is
enabled.

 The session is re-evaluated to determine whether it is allowed under a different policy rule.

 The session is terminated, and the initiator must establish a new session.

Mark for follow up

Question 26 of 60.

A company uses Active Directory and RADIUS to capture User-ID information and implement user-based policies to
control web access. Many Linux and Mac computers in the environment that do not have IP-address-to-user
mappings. What is the best way to collect user information for those systems?

 Install a Terminal Services agent in the environment

 Load the GlobalProtect client and connect to the company GlobalProtect environment

 Install the User-ID agent on the systems to collect user information

 Use Captive Portal to capture user information

Mark for follow up

Question 27 of 60.
Which statement is true of an OSPFv3 configuration on the Palo Alto Networks firewall?

 It uses IPv4 addresses for the area ID.

 It supports dynamic interfaces such as DHCP.

 It is enabled per-subnet instead of per-link.

 It requires MD5 authentication.

Mark for follow up

Question 28 of 60.

Which technique can be performed by a next-generation firewall, but NOT by a legacy firewall?

 Detecting a mismatched overlapping TCP segment

 Allowing some ICMP echo-reply packets by matching them to ICMP echo-request packets

 Inspecting HTTP data streams to detect instances of the POST method

 Detecting a spoofed IP address

Mark for follow up

Question 29 of 60.

A company has a Palo Alto Networks firewall configured with the following three zones: Internet DMZ Inside. All users
are located on the Inside zone and are using public DNS servers for name resolution. The company hosts a publicly
accessible web application on a server in the DMZ zone. Which NAT rule configuration will allow users on the Inside
zone to access the web application using its public IP address?

 Two zone U-turn NAT

 Explicit No-NAT Policy Rule

 Three zone U-turn NAT

 Bi-directional NAT

Mark for follow up

Question 30 of 60.

A company wants to run their pair of PA-200 firewalls in a High Availability active/passive mode and will be using HA-
Lite. Which capability can be used in this situation?

 Jumbo Frames

 Configuration Sync

 Link Aggregation
  Session Sync

Mark for follow up

Question 31 of 60.

Which component must be configured before a User Activity report can be generated?

 Log Forwarding

 User Identification

 SSLDecryption

 GlobalProtect

Mark for follow up

Question 32 of 60.

Which two functions can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose two.)

 Creating virtual connections out of UDP traffic

 Temporarily allowing an external web server to send inbound packets after an outbound request for a web page

 Checking for suspicious, but technically compliant, protocol behavior

 Inspecting traffic at the application layer

Mark for follow up

Question 33 of 60.

Which Interface Type can be used to manage a firewall via SSH or HTTPS?

 Tap

 Layer3

 Virtual Wire

 Layer2

 HA

Mark for follow up

Question 34 of 60.
A US-CERT notification is published regarding a newly-discovered piece of malware. The infection is spread using
spear phishing e-mails that prompt users to click an HTTP hyperlink, which then downloads the malware. Palo Alto
Networks has just released signatures to detect this malware as a high severity threat and the firewall is configured to
dynamically update to the latest databases automatically. Which component and implementation will detect and
prevent this threat?

 Antivirus profiles applied to outbound security policy rules with action set to block high severity threats

 Zone Protection profiles applied to the external zone with Packet Based Attack Protection with action set to
block high severity threats

 Vulnerability Protection profiles applied to inbound and outbound security policies with action set to block high
severity threats

 Antivirus profiles applied to inbound security policies with action set to block high severity threats

Mark for follow up

Question 35 of 60.

Company employees have been given access to the GlobalProtect Portal at https:// portal.company.com: Assume the
following: The URL portal.company.com resolves to the external interface of the firewall on the company's external
DNS server and to the internal interface of the firewall on the company's internal DNS server. The URL
gateway1.company.com resolves to the external interface of the firewall on the company's external DNS server and
to the internal interface of the firewall on the company's internal DNS server. The DNS entry for gateway1 resolves to
the internal interface of the firewall on the company's internal DNS server. The URL resolves both inside and outside
the network. This Gateway configuration will have which two outcomes? (Choose two.)

 Clients inside the network will NOT be able to connect to the internal gateway Gateway1.

 Clients inside the network will be able to connect to the internal gateway Gateway1.

 Clients outside the network will NOT be able to connect to the external gateway Gateway1.

 Clients outside the network will be able to connect to the external gateway Gateway1.

Mark for follow up

Question 36 of 60.

When would there be a benefit from the creation of a custom application signature?

 When the risk level of a Palo Alto Networks-provided application signature needs to be changed

 When the application can be used to send and receive malware

 When a company wants to know who is watching World Cup soccer matches during work hours

 When the ability of an application to port hop needs to be eliminated

Mark for follow up

Question 37 of 60.

A network administrator needs to view the default action for a specific spyware signature. The administrator follows
the tabs and menus through Objects > Security Profiles > Anti-Spyware, and selects the default Profile. What should
be done next?

 Click the Rules tab and then look for rules with "default" in the Action column.

 The default actions will be displayed in the Action column.

 Nothing more is necessary. The actions already will be displayed with their default values.

 Click the Exceptions tab and then click Show all signatures.

Mark for follow up

Question 38 of 60.

Which feature will control how the firewall handles web servers with expired certificates when decrypting SSL?

 Data Filtering Profile

 Certificate Profile

 Default Trusted Certification Authorities

 Decryption Profile

Mark for follow up

Question 39 of 60.

Which two statements regarding next-generation and legacy firewalls are true? (Choose two)

 A next-generation firewall detects when traffic shifts from “normal” web browsing to a specific web application,
not a more specific protocol.

 A next-generation firewall can decrypt an attached encrypted .ZIP file sent through SMTP; a legacy firewall
cannot.

 Both legacy firewalls and next-generation firewalls can be configured to allow internal users to read, but not
post at, an internet discussion board.

 Both legacy firewalls and next-generation firewalls can reassemble packets in a given HTTP stream that arrive
in an incorrect order.

Mark for follow up

Question 40 of 60.

A client downloads a malicious file from the internet. The Palo Alto firewall has a valid WildFire subscription. The
Security policy rule shown above matches the client HTTP session: Which three actions take place when the
firewall's Content-ID engine detects a virus in the file and the decoder action is set to “block”? (Choose three.)

 The file download is terminated.

 A threat log entry is generated.

 A Data Filtering log entry is generated.

 The file and session information is sent to WildFire.

 A file is received by the client

 The client receives a block page.

Mark for follow up

Question 41 of 60.

The network is experiencing routing problems and the firewall administrator needs to determine the root cause.
Which CLI command should the administrator use to verify routing behavior while watching the current flow of routed
logs?

 show routing fib virtual-router vr1

 less mp-log routed.log

 show routing summary virtual-router vr1

 less follow yes mp-log routed.log

Mark for follow up

Question 42 of 60.

Which is a valid selection in the Actions section of a Security Policy rule?

 Application Default

 Description

 Log at Session Start

 HIP Profiles

Mark for follow up

Question 43 of 60.

Which function resides on the management plane?

 Server response inspection

 Application ID
  Content inspection performed in software

 System logging

Mark for follow up

Question 44 of 60.

A company has a Palo Alto Networks firewall configured with the following three zones: Untrust-L3 DMZ Trust-L3.
The company hosts a publicly accessible web application on a server that resides in the Trust-L3 zone. The web
server is associated with the following IP addresses: Web Server Public IP: 2.2.2.1/24 , Web Server Private IP:
192.168.1.10/24 . The security administrator configures the following two-zone U-Turn NAT rule to allow users using
10.10.1.0/24 on the "Trust-L3" zone to access the web server using its public IP address in the Untrust-L3 zone:
Which statement is true in this situation?

 The traffic will be considered intra-zone based on the translated destination zone.

 A second rule should be created to accommodate the server-to-client flow.

 Source translation is required because the destination address is in the same zone as the source.

 The rule should be made bi-directional to accommodate the server-to-client flow.

Mark for follow up

Question 45 of 60.

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

 Allow

 Log

 Default

 Alert

Mark for follow up

Question 46 of 60.

Which public key infrastructure component is required to implement SSL Forward Proxy?

 CertificateAuthoritycertificate

 Machine certificate

 Online Certificate Status Protocol

 Certificate signing request

 Mark for follow up

Question 47 of 60.

A Palo Alto Networks firewall is configured with a NAT policy rule that performs the following source translation:
Which filters need to be configured to match traffic originating from 192.168.1.10 in the "Trust-L3" zone to 2.2.2.2 in
the "Untrust-L3" zone in the Transmit stage?

 Filter 1 source 1.1.1.1 destination 2.2.2.2 Filter 2 source 2.2.2.2 destination 1.1.1.1

 Filter 1 source 192.168.1.10 destination 2.2.2.2 Filter 2 source 2.2.2.2 destination 192.168.1.10

 Filter 1 source 192.168.1.10 destination 2.2.2.2 Filter 2 source 1.1.1.1 destination 2.2.2.2

 Filter 1 source 1.1.1.1 destination 192.168.1.10 Filter 2 source 192.168.1.10 destination 1.1.1.1

Mark for follow up

Question 48 of 60.

Which x509 attribute is required for "Forward Trust Certificate" to be enabled?

 CRL Distribution Point

 CertificateAuthority

 OCSP Location

 SubjectAlternateName

Mark for follow up

Question 49 of 60.

Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? (Choose
three.)

 Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server

 Identifying unauthorized applications that attempt to connect over non-standard ports

 Removing from the session table any TCP session without traffic for 3600 seconds

 Recognizing when SSH sessions are using SSH v1 instead of SSH v2

 Validating that UDP port 53 packets are not being used to tunnel data for another protocol

Mark for follow up

Question 50 of 60.
A Palo Alto Networks firewall is being targeted by a DoS attack from the Internet that is creating a flood of bogus TCP
connections to internal servers behind the firewall. This traffic is allowed by security policies, and other than creating
half-open TCP connections, it is indistinguishable from legitimate inbound traffic. Which Zone Protection Profile with
SYN Flood Protection action, when enabled with the correct threshold, would mitigate this attack without dropping
legitimate traffic?

 SYN Cookies applied on the internet-facing zone

 Random Early Drop applied on the internal zone

 SYN Cookies applied on the internal zone

 Random Early Drop applied on the internet-facing zone

Mark for follow up

Question 51 of 60.

A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the
firewall to the client be when doing SSL Decryption?

 2048 bits

 1024 bits

 512 bits

 4096 bits

Mark for follow up

Question 52 of 60.

Which three engines are built into the Single-Pass Parallel Processing Architecture? (Choose three.)

 Content Identification (Content-ID)

 Threat Identification (Threat-ID)

 Group Identification (Group-ID)

 User Identification (User-ID)

 Application Identification (App-ID)

Mark for follow up

Question 53 of 60.

Which CLI command would allow an administrator to assess CPU usage by process on the management plane?

 show system statistics

 show system resources

  show process list

 show running resource monitor

Mark for follow up

Question 54 of 60.

A workstation at a company was infected with malware on September 18, 2014. Palo Alto Networks released an
antivirus signature for that malware on September 17, 2014. The company's firewall is licensed with Threat
Prevention and URL Filtering. The Threat log in the Monitor tab of the firewall shows no indications of traffic related to
the infection. However, the Traffic log shows traffic between the workstation and the command-and-control server.
Given the company's Dynamic Updates configuration: What is the cause of traffic not matching a malware signature?

 The update schedule is set to "download only" and not to "download and install".

 The most recent updates were incremental and not full updates.

 A WildFire subscription is needed to detect malware.

 The infection occurred during the hourly update window when the malware was identified.

Mark for follow up

Question 55 of 60.

American Textile Corporation has acquired Fab Fabric Limited. American Textile uses a SIP-based VoIP phone
system, which has been working well through a Palo Alto Networks firewall. However, integrating Fab Fabric's SIP
phone system into American Textile's network has not been successful. The network security administrator for the
combined company determines that the firewall is the cause of the failed phone system integration. Which action will
disable the Application Level Gateway (ALG) firewall feature for the Fab Fabric phones while not affecting the
American Textile Corporation phone system?

 Disable ALG in the Security policy that matches the traffic to and from the Fab Fabric phones

 Create an application override policy that assigns SIP traffic to a custom application.

 Disable ALG for the "sip" application in the Applications sub-menu of the Objects tab.

 Create an Application Override policy that assigns traffic to and from the Fab Fabric phones to a custom
application

Mark for follow up

Question 56 of 60.

Consider this graphic representation of the Threat Monitor report: What does this report display?
  It displays the Top 12 Threat types over the last 6 hours.

 It display all vulnerabilities found over the past 6 hours.

 It displays accumulated information about all threats.

 It displays the Top 10 Threat types over the last 6 hours.

Mark for follow up

Question 57 of 60.

Each week, a company wants to know the list of employees in the "mgt" group who are the biggest users of network
bandwidth. Assume that the "mgt" group is properly configured on the company's Domain Controller, and that User-ID
also is configured correctly. The firewall administrator starts to create the Custom report shown above: What must the
administrator do or change to complete this Custom report?

 'Application Statistics' must be selected from the 'Database' option.

 'Last 24 Hrs' must be selected from the 'Time Frame' option.

 Explicitly set the 'Sort By' option.

 'Source User' must be selected from the 'Available Columns' option.

Mark for follow up

Question 58 of 60.

Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the
last day?

 Monitor->App Scope->Summary

 Monitor->Session Browser

 ACC->Application

 Objects->Applications->web-browsing

Mark for follow up

Question 59 of 60.

A company has a pair of PA-3050s running PAN-OS 6.0.4. Antivirus, Threat Prevention, and URL Filtering Profiles
are in place and properly configured on both inbound and outbound policies. A Security Operation Center (SOC)
engineer starts his shift and faces the traffic logs presented in the screenshot shown above. He notices that the traffic
is being allowed outbound. Which actions should the SOC engineer take to safely allow known but not yet qualified
applications, without disrupting the remaining traffic policies?

 Create Application Override policies after a packet capture to identify the applications that are triggering the
"unknown-tcp". Then create new custom applications for those policies, and add these new policies above the current
policy that allows the traffic.

 Create a policy to deny all traffic inbound or outbound with the application "unknown-tcp". Then place the new
policy above the current policy that allows the traffic.

 Create an Application Override policy after a packet capture to identify the applications that are triggering the
"unknown-tcp". Then create a new custom application, and add this new policy below the current policy that is
blocking the traffic.

 Create a policy to deny only the inbound traffic because "unknown-tcp" happens when a TCP handshake hasn't
occurred properly. Then add this new policy above the current policy that allows the traffic.

Mark for follow up

Question 60 of 60.

Which action will display the NAT policies that are being enforced by the firewall?

 Navigate to the Policies tab in the GUI, select NAT from the configuration tree and check the box marked
"Highlight Unused Rules".

 View the NAT policies currently displayed by the management plane in the GUI.

 From the command line, check the NAT policies loaded on the data plane using the command "show running
nat-policy".

 From the command line, check the status of the NAT pool on the data plane using the command "nat-rule-
ippool".

Mark for follow up

Save / Return LaterSummary