An administrator is creating a NAT policy.
Which combination of address and zone are used as match conditions? (Choose two.)
When creating a NAT policy, the firewall uses the original (pre-NAT) source and destination addresses along with the original (pre-NAT) source and destination zones as match conditions. This means that the correct combination of address and zone used as match conditions in a NAT policy are the pre-NAT address and the pre-NAT zone. Post-NAT addresses and zones come into play later during the routing and security policy evaluation stages, but they are not used as match conditions for the initial NAT policy.
A and B are correct. A NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone. It's the security policy that matches the packet based on pre-NAT src and dst address and post-NAT zone.
The correct answer is clear in the first sentence, actually. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)
Pre-NAT address (Option A): the original source and destination addresses before NAT is applied. Pre-NAT zone (Option B): the original source and destination zones before NAT is applied.
I was wrong. Pre-NAT address and post-NAT zone is valid for DNAT; for a common NAT policy the correct answer is pre-NAT zone and pre-NAT address.
In NAT policies you have to think of everything Pre NAT.
A & B are correct. NAT policy: pre-NAT zone and pre-NAT address.
Based on DatITGuyTho1337's comment and how the question is looking for a combination of address AND zone, the answer would have to be pre-NAT address and post-NAT zone, as the post-NAT address is never used as matching criteria.
I chose "B D" but I think "A D" is correct because of this excerpt: "Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers. Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address." I also just noticed that the question asked for a combination of address and zones so the answer cannot be "BD".
The question says "used as match", not "to configure": "NAT packets used in the receive stage will have pre-NAT IP addresses, whereas packets at the transmit stage will have post-NAT IP addresses for matching."
For configuration: a pre-NAT zone and post-NAT zone.
Pre-NAT address, post-NAT zone.
When a packet arrives at the firewall (ingress), the firewall inspects the packet and does a route lookup to determine the destination (egress) interface and zone. Then the firewall determines if the packet matches one of the NAT rules defined based on the source and destination zone and applies the NAT rule. The firewall then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses but the post-NAT zones. Security policies examine post-NAT zones to determine whether the packet is allowed. Because the very nature of NAT is to modify the source or destination IP addresses, which can change the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone. (PCNSA official training material, p. 213)
I mean this is for security policies, but for NAT policy it's pre-NAT address and pre-NAT zones, so A B.
B and D seem to be correct. You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
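The evaluation order quoted in the posts above (route lookup, NAT rule match on pre-NAT zones and addresses, security policy on pre-NAT addresses but post-NAT zones, translation only on egress) is easiest to see in a small model. The following is an added example, not code from the page, the PCNSA material or Palo Alto Networks; every zone, prefix, rule name and address in it is constructed for illustration. The inbound case shows why a DNAT rule for a public address is written untrust-to-untrust while the matching security rule is untrust-to-dmz with the pre-NAT (public) destination address.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Added example: minimal model of the PAN-OS NAT / security policy evaluation
# order. All zones, prefixes and rules below are constructed, not a real config.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    ingress_zone: str


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str        # pre-NAT source zone (where the packet arrived)
    dst_zone: str        # pre-NAT destination zone (route lookup on original dst)
    src_net: str         # pre-NAT source address
    dst_net: str         # pre-NAT destination address
    translated_src: Optional[str] = None
    translated_dst: Optional[str] = None


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str        # post-NAT source zone
    dst_zone: str        # post-NAT destination zone
    src_net: str         # pre-NAT source address
    dst_net: str         # pre-NAT destination address
    action: str          # "allow" or "deny"


# Constructed routing table: prefix -> zone of the egress interface.
ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "untrust",
    "10.0.0.0/8": "trust",
    "192.168.50.0/24": "dmz",
}


def route_lookup(dst_ip: str) -> str:
    """Longest-prefix match; returns the egress zone for dst_ip."""
    best_len, best_zone = -1, "untrust"
    for prefix, zone in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(dst_ip) in net and net.prefixlen > best_len:
            best_len, best_zone = net.prefixlen, zone
    return best_zone


def in_net(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net)


def match_nat(pkt: Packet, egress_zone: str, rules: List[NatRule]) -> Optional[NatRule]:
    """NAT rules are matched on pre-NAT addresses and pre-NAT zones only."""
    for r in rules:
        if (r.src_zone == pkt.ingress_zone and r.dst_zone == egress_zone
                and in_net(pkt.src_ip, r.src_net) and in_net(pkt.dst_ip, r.dst_net)):
            return r
    return None


def process(pkt: Packet, nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> dict:
    pre_nat_dst_zone = route_lookup(pkt.dst_ip)
    nat = match_nat(pkt, pre_nat_dst_zone, nat_rules)
    # Post-NAT zones: source zone is unchanged; destination zone is re-derived
    # from the translated destination when a DNAT rule matched.
    post_src_zone = pkt.ingress_zone
    post_dst_zone = (route_lookup(nat.translated_dst)
                     if nat and nat.translated_dst else pre_nat_dst_zone)
    # Security policy: pre-NAT addresses, post-NAT zones, implicit interzone deny.
    action, matched = "deny", "interzone-default"
    for s in sec_rules:
        if (s.src_zone == post_src_zone and s.dst_zone == post_dst_zone
                and in_net(pkt.src_ip, s.src_net) and in_net(pkt.dst_ip, s.dst_net)):
            action, matched = s.action, s.name
            break
    # Addresses are rewritten only on egress, and only for an allowed packet.
    egress = pkt
    if action == "allow" and nat:
        egress = replace(pkt, src_ip=nat.translated_src or pkt.src_ip,
                         dst_ip=nat.translated_dst or pkt.dst_ip)
    return {"nat_rule": nat.name if nat else None,
            "pre_nat_zones": (pkt.ingress_zone, pre_nat_dst_zone),
            "post_nat_zones": (post_src_zone, post_dst_zone),
            "security_rule": matched, "action": action,
            "egress_src": egress.src_ip, "egress_dst": egress.dst_ip}


NAT_RULES = [
    # Inbound DNAT for a public address: both pre-NAT zones are "untrust",
    # because the original destination routes out the untrust interface.
    NatRule("inbound-web-dnat", "untrust", "untrust", "0.0.0.0/0", "203.0.113.10/32",
            translated_dst="192.168.50.10"),
    NatRule("outbound-snat", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0",
            translated_src="203.0.113.1"),
]
SEC_RULES = [
    # Post-NAT zone (dmz) but pre-NAT destination address (203.0.113.10).
    SecurityRule("allow-inbound-web", "untrust", "dmz", "0.0.0.0/0", "203.0.113.10/32", "allow"),
    SecurityRule("allow-outbound", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", "allow"),
]


def inbound_example() -> dict:
    return process(Packet("198.51.100.7", "203.0.113.10", "untrust"), NAT_RULES, SEC_RULES)


def outbound_example() -> dict:
    return process(Packet("10.1.1.5", "192.0.2.80", "trust"), NAT_RULES, SEC_RULES)


if __name__ == "__main__":
    print(inbound_example())
    print(outbound_example())
```

Running it shows the inbound packet matching the NAT rule on zones (untrust, untrust) and the security rule on zones (untrust, dmz) while the destination address compared in both is still the pre-NAT 203.0.113.10; the translated address 192.168.50.10 appears only in the egress packet.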
Policy: pre-NAT address (A) and post-NAT zone (D)
For NAT-Policies we use Pre-NAT zones and Pre-NAT addresses
According to Palo Alto documentation, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview
A, D are the correct answers.