The question requires identifying the security policy rule that matches FTP traffic from the inside zone to the outside zone. The firewall evaluates rules from top to bottom. The rule named engress outside is the first rule in the list that matches the required traffic flow criteria:

Source Zone (from): inside

Destination Zone (to): outside

Application: any (which includes FTP)

Service: application-default (which allows the firewall to identify applications on their standard ports, including FTP)

This combination ensures that FTP traffic originating from the inside zone and destined for the outside zone will be matched and processed by this rule.

A. internal-inside-dmz: This rule's destination zone is dmz, not outside, so it will not match the specified traffic flow.

C. inside-portal: This rule's destination zone is also dmz, not outside, and therefore does not match the traffic.

D. intercone-default: This is an intrazone rule for traffic where both the source and destination zone are inside.

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Security Policy." In the section "Components of a Security Policy Rule

" the guide specifies that traffic is matched based on criteria including Source Zone and Destination Zone. The engress outside rule is the only one with the correct from (inside) and to (outside) zones.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Security Policy." The section "Security Policy Rule Optimization" explains that the firewall evaluates rules in order (top-down) and applies the first rule that matches the traffic.

3. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2 (2021). "Objects > Services." The documentation explains that the application-default service keyword allows the firewall to use the standard ports associated with the application identified by App-ID

which would include the standard ports for FTP.