Which two matching criteria are used when creating a Security policy involving NAT? (Choose two.)
When creating a Security policy involving NAT, the firewall evaluates and applies any security policies based on the original (pre-NAT) source and destination addresses to determine which packets match, but the rules are enforced according to the post-NAT zones, where the packet is ultimately going. This ensures that both the original addresses and the modified zones after NAT translation are appropriately matched and evaluated.
I know that we have had "Pre-NAT IP, Post-NAT zone" drummed into our heads. But...the question is asking, which two "MATCHING CRITERIA" are used when creating a Security policy involving NAT. Go into the WebUI and look for yourself! Only zones are required. NOT addresses! Remember, these exams are as much "reading comprehension" as they are technical knowledge...it's C and D!
A & D https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnsa-study-guide.pdf Question 11
This article reads, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." So I'm thinking it would be Pre-NAT zone and post-NAT zone, wouldn't it? https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
Pre-NAT IP ;Post-NAT Zone
Question taken from the Palo Alto guide, and they mark the answer as Pre-NAT IP, post-NAT zone. Q13. Which phrase is a simple way to remember how to configure Security policy rules where NAT was implemented? a. Post-NAT IP, pre-NAT zone b. Post-NAT IP, post-NAT zone c. Pre-NAT IP, post-NAT zone d. Pre-NAT IP, pre-NAT zone
Thank you, sir.
You only need at least a name, pre-NAT zone and post-NAT zone.
A and D
A and D Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
A & D Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address. Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
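The order of operations described in the two replies above (route lookup, NAT rule match, Security policy match on pre-NAT addresses but post-NAT zones, translation at egress) is easy to get wrong when writing a rule. The following is an added example, written for this page and not taken from Palo Alto Networks documentation or from any poster; it simulates that evaluation order in Python for an inbound destination NAT. Zone names, the routing table, the rule names and all addresses (RFC 5737 ranges) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed routing table: (prefix, zone of the egress interface).
# Longest-prefix match decides which zone a destination address routes to.
ROUTES = [
    ("10.1.1.0/24", "trust"),
    ("192.168.100.0/24", "dmz"),
    ("0.0.0.0/0", "untrust"),
]


@dataclass
class NatRule:
    name: str
    src_zone: str              # zone of the pre-NAT source
    dst_zone: str              # zone the pre-NAT destination routes to
    dst_addr: str              # original (pre-NAT) destination, or "any"
    translated_dst: Optional[str]


@dataclass
class SecurityRule:
    name: str
    src_zone: str              # source zone (NAT does not change it here)
    dst_zone: str              # POST-NAT destination zone
    src_addr: str              # PRE-NAT source address or "any"
    dst_addr: str              # PRE-NAT destination address or "any"
    action: str


def route_zone(ip: str) -> str:
    """Longest-prefix lookup: which zone does this destination route to?"""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def matches(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def process(src_ip: str, dst_ip: str, ingress_zone: str,
            nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> dict:
    # 1. Route lookup on the ORIGINAL destination gives the pre-NAT destination zone.
    pre_nat_dst_zone = route_zone(dst_ip)

    # 2. NAT policy is matched on zones plus the original addresses. Only the
    #    decision is recorded here; the address is rewritten at egress.
    nat = next((r for r in nat_rules
                if r.src_zone == ingress_zone and r.dst_zone == pre_nat_dst_zone
                and matches(dst_ip, r.dst_addr)), None)
    post_nat_dst = nat.translated_dst if nat and nat.translated_dst else dst_ip

    # 3. A route lookup on the translated destination gives the post-NAT zone.
    post_nat_dst_zone = route_zone(post_nat_dst)

    # 4. Security policy: pre-NAT addresses, post-NAT zones. First match wins.
    for r in sec_rules:
        if (r.src_zone == ingress_zone and r.dst_zone == post_nat_dst_zone
                and matches(src_ip, r.src_addr) and matches(dst_ip, r.dst_addr)):
            return {"nat_rule": nat.name if nat else None, "security_rule": r.name,
                    "action": r.action, "post_nat_dst": post_nat_dst,
                    "post_nat_dst_zone": post_nat_dst_zone}
    # No explicit match: interzone default deny.
    return {"nat_rule": nat.name if nat else None, "security_rule": "interzone-default",
            "action": "deny", "post_nat_dst": post_nat_dst,
            "post_nat_dst_zone": post_nat_dst_zone}


# Constructed scenario: public 203.0.113.10 (reached via the untrust interface)
# is destination-NATed to a web server at 192.168.100.10 in the dmz zone.
NAT_RULES = [NatRule("Web-DNAT", "untrust", "untrust", "203.0.113.10/32", "192.168.100.10")]

# Correct Security rule: pre-NAT destination IP, post-NAT destination zone.
GOOD_RULES = [SecurityRule("Allow-Web", "untrust", "dmz", "any", "203.0.113.10/32", "allow")]

# Common mistake: the post-NAT IP in the destination field never matches,
# because policy lookup happens before the address is rewritten.
BAD_RULES = [SecurityRule("Allow-Web", "untrust", "dmz", "any", "192.168.100.10/32", "allow")]


def inbound_web(sec_rules: List[SecurityRule]) -> dict:
    """Internet host 198.51.100.5 connects to the public address of the web server."""
    return process("198.51.100.5", "203.0.113.10", "untrust", NAT_RULES, sec_rules)


if __name__ == "__main__":
    print(inbound_web(GOOD_RULES))  # action allow, post_nat_dst_zone dmz
    print(inbound_web(BAD_RULES))   # action deny
```

The NAT rule is written untrust to untrust because the pre-NAT destination routes out the untrust interface, while the Security rule names dmz as the destination zone because that is where the translated packet ends up; only the destination address stays pre-NAT in both rules.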
C. Pre-NAT zone A. Pre-NAT address These criteria are based on the original (pre-NAT) source and destination addresses. It's important to note that the firewall evaluates and applies any security policies that match the packet based on these pre-NAT details
Pre-NAT IP, Post-NAT zone
A & B You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service.
Answer : A & B (Security Policy)
Destination zone in Sec Pol is post-NAT (actual zone where packet is supposed to land).