Exam PCNSE
Question 583

A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?

    Correct Answer: A

    To apply Quality of Service (QoS) treatment based on the source of the traffic, it is necessary to specify pre-NAT information. This is because QoS policies are applied to traffic after it exits the firewall, at which point NAT has already been enforced. As such, configuring the QoS policy with pre-NAT source IP address and pre-NAT source zone ensures that the QoS rules are correctly applied based on the original traffic source before any NAT modifications. Therefore, the correct combination for the QoS rule should be Pre-NAT source IP address and Pre-NAT source zone.

Discussion
b53fdf1 Option: A

If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/configure-qos

betko

This question was on the exam in June 24.

nebulanerd Option: A

B + C are wrong because they mention "Post-NAT source IP address".
B + D are wrong because they mention "Post-NAT source zone".
So, A!

"Do not configure the QoS policy with the post-NAT source address if you want to apply QoS treatment for the source traffic."

"Because QoS is enforced on traffic as it egresses the firewall, your QoS policy rule is applied to traffic after the firewall has enforced all other security policy rules, including Network Address Translation (NAT) rules. If you want to apply QoS treatment to traffic based on source, you must specify the pre-NAT source address (such as pre-NAT source IP, pre-NAT source zone, pre-NAT destination IP, and post-NAT destination zone) in a QoS policy rule."

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/configure-qos
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/quality-of-service/configure-qos

hcir

All policies except NAT policies use the post-NAT destination zone to evaluate. This is because the NAT policy is the first one to be evaluated, and should there be destination NAT, the destination zone should be used.