Exam PCNSE topic 1 question 407 discussion

We should use source NAT for the Trust zone in this case. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat

Why not A ? This is the specific source ip

The question calls for source NAT, ie make the request appear to come from 172.16.15.1, so D is the only correct option (B describes destination NAT)

It is D and not C because the translation you want to perform won't be of the destination, but of the source of the request. So that when you get to the SSH server (which was your original destination from beggining to end) it sees that the origin of the request was the 172.16.15.1 that it is expecting. Without source NAT translation, the source IP would be 192.168.15.47 and the server would reject it.

Answer is D

Answer is D As the server only allows packets coming from IP 172.16.15.1, then Source NAT should be used. If we go for option B, then the source will remain with the original IP, which is 192.168.15.47 and the server won't allow those packets.

So here's why it's not B: Security Policies should have pre-NAT IPs and post-NAT Zones (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview). For B to be correct (which it could have been, mind) the pre-NAT IP in the Security Policy's destination IP should've been 192.168.15.1. This leaves D as the only correct answer.

explanation : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

in NAT the source and dest are the same(source)

This video helps explain why: https://www.youtube.com/watch?v=Ahrao6kBg8w

It will be source NAT

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/source-and-destination-nat-example the example is here

Correct answer is B In NAT source zone and destination is Trust In policy rule, source is Trust and destination Server

Correct answer is D SNAT => source zone (pre-nat): TRUST , dest zone (pre-nat) : SERVER Policy => source zone (pre-nat): TRUST , dest zone (post-nat) : SERVER

Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address. Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.

Everyone is saying D, but I am pretty sure it's B. The NAT rule for Source NAT is to use pre zones, so Trust/Trust, where as for the security rule, its Post Zone, Trust/Server.

D S-NAT is what we're looking for here