- The firewall evaluates the rules in order from the top down - Static NAT rules do not have precedence over other forms of NAT. - Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers. - FW supports NAT also on Vwire interfaces. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview

A and D are true as below: 1. the NAT rules are processed first before the security rules (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0) 2. the NAT rules are processed from top down (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview

So in the actual exam do you pick A or D? Where do these (wrong) answers come from? The actual exam?

Answer is D

Answer is D, but B is also viable!!

Answer is D

D is the most relevent answer and has only one meaning.