If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?
To apply QoS to traffic based on source, the policy must specify the pre-NAT source address. This is because QoS policy rules are applied after the firewall has enforced all other security rules, including NAT rules. Hence, to use the source address before any NAT has been applied, the pre-NAT source address must be specified.
The Answer is C. PsvdK's link explains it: Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule. Do not configure the QoS policy with the post-NAT source address if you want to apply QoS treatment for the source traffic.
Check STEP 3 in the below link: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/configure-qos Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule. Do not configure the QoS policy with the post-NAT source address if you want to apply QoS treatment for the source traffic.
Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule. Do not configure the QoS policy with the post-NAT source address if you want to apply QoS treatment for the source traffic. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos
Same statement as listed above in current documentation (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/configure-qos)
I tested this scenario in a lab and I can see the hits on the QoS policy only when we use the pre-NAT source address. I even validated the same from the Monitor session browser.
Per document: "Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule. Do not configure the QoS policy with the post-NAT source address if you want to apply QoS treatment for the source traffic." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos
Answer is C: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos
I argue D. QOS is after NAT. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
QoS is enforced at egress, but the QoS logic is applied at the App-ID stage, so after the security rule is enforced, which means that everything is pre-NAT except for the destination zone, which is post-NAT, like the security rules.
In the Flow Logic, the Network part is performed before the Security part. QoS belongs to Network and NAT belongs to security (as counter-intuitive as that sounds)
C is correct
Both links have different explanations: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-policy https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos
Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, make sure to specify the post-NAT source address in a QoS policy rule (do not use the pre-NAT source address).
I guess you meant C