PCNSE Question #28: Real Exam Question with Answer & Explanation
The correct answer is C: Pre-NAT addresses and Post-NAT zones.
Question
What must be used in a Security Policy rule that contains addresses to which a NAT policy applies?
Options
- A. Pre-NAT addresses and Pre-NAT zones
- B. Post-NAT addresses and Post-NAT zones
- C. Pre-NAT addresses and Post-NAT zones
- D. Post-NAT addresses and Pre-NAT zones
Explanation
Palo Alto Networks firewalls evaluate Security Policy before applying NAT translation, but the destination zone is determined post-routing (i.e., after NAT). Therefore, addresses must be Pre-NAT (the original, untranslated source and destination IPs as they appear in the packet before any NAT rule is applied), and zones must use the Post-NAT destination zone (the zone the traffic will actually reach after the NAT translation redirects it). This combination, Pre-NAT addresses with Post-NAT zones, is the correct and required approach when writing security rules that overlap with NAT policies.