exam questions

Exam PCNSA All Questions

View all questions & answers for the PCNSA exam

Exam PCNSA topic 1 question 233 discussion

Actual exam question from Palo Alto Networks's PCNSA
Question #: 233
Topic #: 1
[All PCNSA Questions]

An administrator is creating a NAT policy.
Which combination of address and zone are used as match conditions? (Choose two.)

  • A. Pre-NAT address
  • B. Pre-NAT zone
  • C. Post-NAT address
  • D. Post-NAT zone
Show Suggested Answer Hide Answer
Suggested Answer: AB 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
yinksho
Highly Voted 2 years, 1 month ago
Selected Answer: AB
A and B is correct. NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone.It's security policy that match the packet based on pre-NAT src and dst address and post-Nat zone
upvoted 12 times
...
Aziz132
Most Recent 3 months, 1 week ago
Selected Answer: AD
This is mentioned in the study guide of PCNSA, the answer is pre-NAT IP, post-NAT zone for both SNAT and DNAT.
upvoted 1 times
ALCOSTA35
2 months, 2 weeks ago
Only in Security Policy you have Post-Nat Zone. NAT policy both address and Zones are pre-nat
upvoted 1 times
...
...
cjace
8 months ago
Pre-NAT address (Option A): The original source and destination addresses before NAT is applied1. Pre-NAT zone (Option B): The original source and destination zones before NAT is applied1.
upvoted 2 times
...
hybl2467
8 months, 3 weeks ago
The question is "used as match not to configure", <NAT packets used in the receive stage will have pre-NAT IP addresses, whereas packets at the transmit stage will have post-NAT IP addresses for matching>
upvoted 1 times
hybl2467
8 months, 3 weeks ago
For configuration a Pre-NAT zone and Post-NAT zone
upvoted 1 times
...
...
[Removed]
8 months, 4 weeks ago
Selected Answer: AB
I was wrong, Pre-nat address and post-nat zone is valid for DNAT for common NAT policy the correct answer is Pre-nat zone and Pre-nat address
upvoted 2 times
...
[Removed]
8 months, 4 weeks ago
Selected Answer: AD
Pre-nat address post-nat zone
upvoted 1 times
...
ledesir
9 months ago
Selected Answer: AD
When a packet arrives at the firewall (ingress), the firewall inspects the packet and does a route lookup to determine the destination (egress) interface and zone. Then the firewall determines if the packet matches one of the NAT rules defined based on the source and destination zone and applies the NAT rule. The firewall then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses but the post-NAT zones. Security policies examine post-NAT zones to determine whether the packet is allowed. Because the very nature of NAT is to modify the source or destination IP addresses, which can change the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. pcnsa official trainning material p.213
upvoted 1 times
ledesir
9 months ago
i mean this is for security policies but for NAT policy its pre-NAT address and pre-NAT zones so AB
upvoted 3 times
...
...
[Removed]
10 months, 1 week ago
Selected Answer: BD
B and D seems to be correct. You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times
...
afm_
1 year, 2 months ago
Selected Answer: AB
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times
...
mariooiram87
1 year, 2 months ago
Selected Answer: AB
In NAT policies you have to think of everything Pre NAT.
upvoted 2 times
...
claudio392
1 year, 4 months ago
Selected Answer: AD
Policy: Pre-nat Address (A) e Post-nat Zone (D)
upvoted 1 times
...
DlaEdu_Ex
1 year, 6 months ago
Selected Answer: AB
For NAT-Policies we use Pre-NAT zones and Pre-NAT addresses
upvoted 1 times
...
Sanjug2022
1 year, 6 months ago
A & B correct. NAT Policy : Pre-NAT Zone and Pre NAT Address
upvoted 2 times
...
Kalender
1 year, 8 months ago
Selected Answer: BD
Correct answer is clear at first sentence actually. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)
upvoted 3 times
...
cert111
1 year, 8 months ago
Selected Answer: BD
According to Palo Alto documentation, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
upvoted 1 times
...
Ermbmx2
1 year, 8 months ago
Selected Answer: AD
Based on DatITGuyTho1337's Comment and how the question is looking for a combination of Address AND Zone, the answer would have to be pre-NAT address and Post-NAT Zone. As post-NAT address is never used as a matching criteria.
upvoted 2 times
...
madt
1 year, 8 months ago
Selected Answer: AD
A,D are the correct answers
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago