A and B is correct. NAT policy rule matches the packet based on the original pre-NAT src and dst address and pre-NAT destination zone.It's security policy that match the packet based on pre-NAT src and dst address and post-Nat zone

The question is "used as match not to configure", <NAT packets used in the receive stage will have pre-NAT IP addresses, whereas packets at the transmit stage will have post-NAT IP addresses for matching>

I was wrong, Pre-nat address and post-nat zone is valid for DNAT for common NAT policy the correct answer is Pre-nat zone and Pre-nat address

Pre-nat address post-nat zone

When a packet arrives at the firewall (ingress), the firewall inspects the packet and does a route lookup to determine the destination (egress) interface and zone. Then the firewall determines if the packet matches one of the NAT rules defined based on the source and destination zone and applies the NAT rule. The firewall then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses but the post-NAT zones. Security policies examine post-NAT zones to determine whether the packet is allowed. Because the very nature of NAT is to modify the source or destination IP addresses, which can change the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. pcnsa official trainning material p.213

B and D seems to be correct. You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet’s destination interface, source and destination address, and service. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview

Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview

In NAT policies you have to think of everything Pre NAT.

Policy: Pre-nat Address (A) e Post-nat Zone (D)

For NAT-Policies we use Pre-NAT zones and Pre-NAT addresses

A & B correct. NAT Policy : Pre-NAT Zone and Pre NAT Address

Correct answer is clear at first sentence actually. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview)

According to Palo Alto documentation, "You configure a NAT rule to match a packet’s source zone and destination zone, at a minimum." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview

Based on DatITGuyTho1337's Comment and how the question is looking for a combination of Address AND Zone, the answer would have to be pre-NAT address and Post-NAT Zone. As post-NAT address is never used as a matching criteria.

A,D are the correct answers

I chose "B D" but I think "A D" is correct because of this excerpt: "Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers. Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address." I also just noticed that the question asked for a combination of address and zones so the answer cannot be "BD".

It is A and B since it is asking for NAT IF!! it was asking for security policy rule it would be pre NAT address post NAT zone