I know that we have had "Pre-NAT IP, Post-NAT zone" drummed into our heads. But...the question is asking, which two "MATCHING CRITERIA" are used when creating a Security policy involving NAT.
Go into the WebUI and look for yourself! Only zones are required. NOT addresses!
Remember, these exams are as much "reading comprehension" as they are technical knowledge...it's C and D!
C. Pre-NAT zone A. Pre-NAT address
These criteria are based on the original (pre-NAT) source and destination addresses. It’s important to note that the firewall evaluates and applies any security policies that match the packet based on these pre-NAT details.
This article reads, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." So I'm thinking it would be Pre-NAT zone and post-NAT zone, wouldn't it?
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
Question taken from the Palo Alto guide, and they mark the answer as Pre-NAT IP, post-NAT zone:
Q13. Which phrase is a simple way to remember how to configure Security policy rules where NAT was implemented?
a. Post-NAT IP, pre-NAT zone
b. Post-NAT IP, post-NAT zone
c. Pre-NAT IP, post-NAT zone
d. Pre-NAT IP, pre-NAT zone
A and D
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
AB
You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum.
In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service.
A & D
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
Destination zone in Sec Pol is post-NAT (actual zone where packet is supposed to land).
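The evaluation order quoted from the PAN-OS docs in the two comments above (route lookup, NAT rule match on pre-NAT zones, Security policy on original addresses but post-NAT zones, translation only at egress) is easier to see in a small simulation. The following is an added example, not Palo Alto code or anything from the thread; the topology, addresses (RFC 5737 ranges), rule names and the helper functions are all constructed, and the model simplifies the ingress zone to the zone that routes back to the source address. It runs an inbound destination-NAT packet through a correctly written Security rule (pre-NAT IP, post-NAT zone) and through two rules written the wrong way round, which fall through to the implicit interzone deny.

```python
"""Toy model of the PAN-OS packet-flow order described in the thread.
Constructed example: topology, rules and addresses are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table: destination prefix -> zone of the egress interface.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "trust",
    ipaddress.ip_network("10.1.1.0/24"): "dmz",
    ipaddress.ip_network("203.0.113.0/24"): "untrust",  # firewall's public side
    ipaddress.ip_network("0.0.0.0/0"): "untrust",       # default route
}


def zone_lookup(ip: str) -> str:
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


@dataclass
class NatRule:
    name: str
    src_zone: str             # NAT rules match on the pre-NAT zones
    dst_zone: str
    dst_addr: Optional[str]   # optional extra match on the original destination IP
    translated_dst: str       # destination translation applied at egress


@dataclass
class SecurityRule:
    name: str
    src_zone: str             # Security rules match on post-NAT zones ...
    dst_zone: str
    src_addr: Optional[str]   # ... but on pre-NAT (original) addresses; None = any
    dst_addr: Optional[str]
    action: str               # "allow" or "deny"


def process_packet(src_ip, dst_ip, nat_rules, sec_rules) -> dict:
    # 1. Ingress: source zone (simplified to the zone routing back to the source)
    #    and a route lookup on the ORIGINAL destination for the pre-NAT zone.
    src_zone = zone_lookup(src_ip)
    pre_nat_dst_zone = zone_lookup(dst_ip)
    # 2. NAT rule lookup on pre-NAT zones (plus optional address match). Nothing
    #    is translated yet; we only remember which rule matched.
    nat = next((r for r in nat_rules
                if r.src_zone == src_zone and r.dst_zone == pre_nat_dst_zone
                and r.dst_addr in (None, dst_ip)), None)
    # 3. Post-NAT destination zone: where the packet will actually land.
    egress_dst = nat.translated_dst if nat else dst_ip
    post_nat_dst_zone = zone_lookup(egress_dst)
    # 4. Security policy: post-NAT zones, pre-NAT addresses, first match wins;
    #    no match means the implicit interzone deny.
    verdict, matched = "deny", None
    for r in sec_rules:
        if (r.src_zone == src_zone and r.dst_zone == post_nat_dst_zone
                and r.src_addr in (None, src_ip) and r.dst_addr in (None, dst_ip)):
            verdict, matched = r.action, r.name
            break
    # 5. Egress: the address is rewritten only now, and only if the packet was allowed.
    return {"nat_rule": nat.name if nat else None, "security_rule": matched,
            "action": verdict, "post_nat_dst_zone": post_nat_dst_zone,
            "egress_dst": egress_dst if verdict == "allow" else None}


# Constructed inbound DNAT: public 203.0.113.10 (routes to untrust) -> web server 10.1.1.5 in dmz.
NAT_RULES = [NatRule("dnat-web", "untrust", "untrust", "203.0.113.10", "10.1.1.5")]

# Correct: pre-NAT IP (the public address) with the post-NAT zone (dmz).
CORRECT_POLICY = [SecurityRule("allow-web", "untrust", "dmz", None, "203.0.113.10", "allow")]

# Wrong: one rule uses the post-NAT IP, the other the pre-NAT zone; neither ever matches.
WRONG_POLICY = [
    SecurityRule("allow-web-postnat-ip", "untrust", "dmz", None, "10.1.1.5", "allow"),
    SecurityRule("allow-web-prenat-zone", "untrust", "untrust", None, "203.0.113.10", "allow"),
]

if __name__ == "__main__":
    for name, policy in (("correct", CORRECT_POLICY), ("wrong", WRONG_POLICY)):
        print(name, process_packet("198.51.100.7", "203.0.113.10", NAT_RULES, policy))
```

Running it shows the correct rulebase allowing the session via `dnat-web` with egress destination 10.1.1.5 in zone dmz, while both mis-written rules miss and the packet is dropped, which is exactly the "pre-NAT IP, post-NAT zone" behaviour the thread is arguing about.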
Community vote distribution: A (35%), C (25%), B (20%), Other