Exam PCNSE topic 1 question 84 discussion

C is the correct answer. Remember for Security Policy lookup, the firewall uses Pre-NAT IP and Post-NAT Zone. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview.html

In this scenario, Destination NAT (DNAT) is used to map the public IP address 1.1.1.100 (which is in the Untrust zone) to the private IP address 10.1.1.100 (which is in the DMZ zone). This allows external traffic destined for 1.1.1.100 to be forwarded to the web server at 10.1.1.100. To allow traffic to flow correctly, the security policy must allow the traffic to enter the DMZ zone using the 1.1.1.100 address, as the NAT process will map this public IP to the internal server.

D is the correct answer. the question is about security policy and the destination is 10.1.1.100

Answer is C

Answer should B

Should that not be D based on https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-with-port-translation-example#id053beeb9-fde0-445b-99d0-5dd5a1000b7c ?

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

C. because security policy is pre-NAT IP + post-NAT ZONE.

C is correct. I got this question on the PCNSA, and so I wouldn't expect to see it on the PCNSE.

I believe the correct answer is 'B' Since this is DNAT setup, rule for security policy is: PRE-NAT addresses, POST-NAT zone. PCNSA study guide PAN OS 10.0, p.111

Correct Answer https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping