A and B are correct. NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone. It's security policy that matches the packet based on pre-NAT src and dst address and post-NAT zone.
Pre-NAT address (Option A): The original source and destination addresses before NAT is applied.
Pre-NAT zone (Option B): The original source and destination zones before NAT is applied.
The question is "used as match not to configure", <NAT packets used in the receive stage will have pre-NAT IP addresses, whereas packets at the transmit stage will have post-NAT IP addresses for matching>
When a packet arrives at the firewall (ingress), the firewall inspects the packet and does a route lookup to determine the destination (egress) interface and zone. Then the firewall determines if the packet matches one of the NAT rules defined based on the source and destination zone and applies the NAT rule. The firewall then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses but the post-NAT zones. Security policies examine post-NAT zones to determine whether the packet is allowed. Because the very nature of NAT is to modify the source or destination IP addresses, which can change the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.
PCNSA official training material, p. 213
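Added example, not part of any comment in this thread and not Palo Alto code: a simplified Python model of the flow in the training-material quote above, for a destination NAT case. All IP addresses, zone names and rule names are constructed, the ingress zone is passed in rather than derived from an interface, and only the destination address and zones are matched.

```python
import ipaddress

# Constructed lab routing table: the egress zone comes from a route lookup.
ROUTES = [("192.168.10.0/24", "trust"), ("10.1.1.0/24", "dmz"), ("0.0.0.0/0", "untrust")]

def zone_of(ip):
    """Longest-prefix route lookup returning the egress zone for an address."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, z) for p, z in ROUTES
            if addr in ipaddress.ip_network(p)]
    return max(hits)[1]

# Destination NAT: public 203.0.113.10 is translated to the DMZ server 10.1.1.10.
# The rule's "to" zone is untrust because the ORIGINAL destination routes there.
NAT_RULES = [{"name": "dnat-web", "from": "untrust", "to": "untrust",
              "dst": "203.0.113.10", "translate_dst": "10.1.1.10"}]

# Three candidate security rules for the same traffic (constructed).
RULE_OK = {"name": "allow-web", "from": "untrust", "to": "dmz",
           "dst": "203.0.113.10", "action": "allow"}    # pre-NAT address, post-NAT zone
RULE_POST_ADDR = {"name": "post-nat-addr", "from": "untrust", "to": "dmz",
                  "dst": "10.1.1.10", "action": "allow"}  # post-NAT address
RULE_PRE_ZONE = {"name": "pre-nat-zone", "from": "untrust", "to": "untrust",
                 "dst": "203.0.113.10", "action": "allow"}  # pre-NAT zone

def evaluate(ingress_zone, dst, security_rules):
    """Return (matched security rule, action, translated destination)."""
    pre_nat_to = zone_of(dst)              # route lookup on the original destination
    new_dst = dst
    for r in NAT_RULES:                    # NAT match: pre-NAT address, pre-NAT zones
        if (r["from"], r["to"], r["dst"]) == (ingress_zone, pre_nat_to, dst):
            new_dst = r["translate_dst"]
            break
    post_nat_to = zone_of(new_dst)         # zone of the translated destination
    for s in security_rules:               # security match: pre-NAT address, post-NAT zone
        if (s["from"], s["to"], s["dst"]) == (ingress_zone, post_nat_to, dst):
            return s["name"], s["action"], new_dst
    return "no-match", "deny", new_dst     # simplification: unmatched traffic is denied

if __name__ == "__main__":
    for rule in (RULE_OK, RULE_POST_ADDR, RULE_PRE_ZONE):
        print(rule["name"], "->", evaluate("untrust", "203.0.113.10", [rule]))
```

Only the rule written with the pre-NAT destination address and the post-NAT destination zone matches; the other two fall through to the deny.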
B and D seem to be correct.
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
Correct answer is clear at first sentence actually.
(https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)
According to Palo Alto documentation, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
Based on DatITGuyTho1337's comment and how the question is looking for a combination of address AND zone, the answer would have to be pre-NAT address and post-NAT zone, as post-NAT address is never used as a matching criterion.
yinksho (Highly Voted, 2 years, 1 month ago)
Aziz132 (Most Recent, 3 months, 1 week ago)
ALCOSTA35 (2 months, 2 weeks ago)
cjace (8 months ago)
hybl2467 (8 months, 3 weeks ago)
hybl2467 (8 months, 3 weeks ago)
[Removed] (8 months, 4 weeks ago)
[Removed] (8 months, 4 weeks ago)
ledesir (9 months ago)
ledesir (9 months ago)
[Removed] (10 months, 1 week ago)
afm_ (1 year, 2 months ago)
mariooiram87 (1 year, 2 months ago)
claudio392 (1 year, 4 months ago)
DlaEdu_Ex (1 year, 6 months ago)
Sanjug2022 (1 year, 6 months ago)
Kalender (1 year, 8 months ago)
cert111 (1 year, 8 months ago)
Ermbmx2 (1 year, 8 months ago)
madt (1 year, 8 months ago)