NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct?


L0 Member

[Question] NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct?


Topology

 
 
Client (1.1.1.1)  —  Untrust Zone
         |
       NGFW
         |— DMZ Zone — 3.3.3.3/32 (Public IP)
         |
       Trust Zone
         |
Server (2.2.2.2)

Background

I am configuring Destination NAT on a Palo Alto NGFW where:

  • Client (1.1.1.1) comes in from the Untrust Zone
  • The public IP 3.3.3.3 is associated with the DMZ interface
  • The actual server (2.2.2.2) sits in the Trust Zone
  • The goal is to DNAT 3.3.3.3 → 2.2.2.2

My Understanding of Zone Selection in NAT Policy

Based on my testing and research, I believe PAN-OS determines the Destination Zone in a NAT Policy based on the routing table's best route for the destination IP — NOT the physical ingress interface.

Example 1: Best Route for 3.3.3.3 → Untrust interface

 
 
NAT Policy:      Source Zone = Untrust / Destination Zone = Untrust
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Example 2: Best Route for 3.3.3.3 → DMZ interface

 
 
NAT Policy:      Source Zone = Untrust / Destination Zone = DMZ
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Example 3: Best Route for 3.3.3.3 → Trust interface

(Even though the packet physically arrives on the Untrust interface)

 
 
NAT Policy:      Source Zone = Untrust / Destination Zone = Trust
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Question 1 — DNAT Zone Logic (NAT Policy)

Is my understanding correct that the Destination Zone in a NAT Policy is always determined by the best route of the pre-NAT destination IP, regardless of which interface the packet actually arrives on?


Question 2 — Security Policy Zone Logic

For the Security Policy, I believe:

  • Source Zone = actual ingress Zone (same as NAT Policy)
  • Destination Zone = Post-NAT Zone (the Zone where the translated server 2.2.2.2 actually resides)

So regardless of what the best route for 3.3.3.3 is (Untrust / DMZ / Trust), the Security Policy Destination Zone is always Trust — because that is where the DNAT target 2.2.2.2 lives.

 
 
Security Policy:
  Source Zone      : Untrust
  Destination Zone : Trust        ← Post-NAT Zone (where 2.2.2.2 resides)
  Destination Addr : 2.2.2.2      ← Post-NAT destination IP
  Action           : Allow

In other words, the Security Policy Destination Zone is independent of the best route — it only follows the Post-NAT destination, correct?


Question 3 — DNAT + SNAT Combined in a Single NAT Policy

When applying both DNAT and SNAT in a single NAT Policy rule, I believe the Zone selection follows the same DNAT-based logic (i.e., best route of the destination IP), and SNAT has no effect on Zone matching.

 
 
NAT Policy:
  Source Zone      : Untrust
  Destination Zone : DMZ          ← Based on best route of 3.3.3.3 (DNAT logic)
  Destination Addr : 3.3.3.3

  Source Translation      : [SNAT settings]
  Destination Translation : 2.2.2.2
 
 
Security Policy:
  Source Zone      : Untrust
  Destination Zone : Trust        ← Post-NAT Zone (where 2.2.2.2 resides)
  Destination Addr : 2.2.2.2
  Action           : Allow

Does adding SNAT to the same rule have any impact on how the Destination Zone is evaluated in the NAT Policy?


Summary Table

Policy            Source Zone           Destination Zone   Basis
NAT Policy        Actual ingress Zone   Pre-NAT            Best route of destination IP
Security Policy   Actual ingress Zone   Post-NAT           Zone where translated destination resides

NAT Policy Destination Zone by Best Route

Best Route of 3.3.3.3   NAT Policy Dst Zone   Security Policy Dst Zone
Untrust                 Untrust               Trust (unchanged)
DMZ                     DMZ                   Trust (unchanged)
Trust                   Trust                 Trust (unchanged)

Any confirmation or correction would be greatly appreciated. Thank you!

1 REPLY

L2 Linker

Question 1: You are right.

For destination NAT traffic:

  1. Packet arrives on ingress interface → Source Zone determined
  2. Firewall performs route lookup on pre-NAT destination IP
  3. That route lookup determines:
    • Egress interface
    • Egress Zone
  4. NAT rule is matched using:
    • Source Zone (ingress)
    • Destination Zone (from routing lookup of pre-NAT IP)
  5. DNAT translation applied
  6. Security policy evaluated using:
    • Source Zone = ingress zone
    • Destination Zone = post-NAT zone

https://docs.paloaltonetworks.com/ngfw/networking/nat/destination-nat-exampleone-to-one-mapping

Question 2: You are totally correct. In DNAT, the Palo Alto firewall determines the destination zone in the security policy based on the post-NAT destination IP address.

Security policy evaluation for DNAT uses:
  • Source Zone = ingress zone
  • Destination Zone = zone of the POST-NAT destination

Question 3: SNAT has no impact on the selection of destination zone under NAT policy or Security policy.

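The order of operations the reply lists, run against the three examples from the question, as an added illustration that is not part of the original post and not Palo Alto Networks code. It is a simplified Python model of the lookup sequence, not verified PAN-OS behaviour: the interface names ethernet1/1 to ethernet1/3, the route table, the rule names and the SNAT address 2.2.2.254 are all constructed assumptions. It goes slightly beyond the thread by also running the DNAT+SNAT variant and the common misconfiguration where the NAT rule's Destination Zone is set to where the server lives (Trust) while the public IP actually routes to DMZ, so the NAT rule never matches.

```python
"""Simplified model of PAN-OS zone selection for destination NAT (constructed
illustration, not PAN-OS code): ingress zone from the arrival interface, a route
lookup on the PRE-NAT destination to pick the NAT rule's destination zone, then
a route lookup on the POST-NAT destination to pick the security rule's zone."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    interface: str


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # zone of the best route for the PRE-NAT destination
    dst: Net                # pre-NAT destination
    dnat_to: Optional[IPv4] = None
    snat_to: Optional[IPv4] = None


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str            # zone where the POST-NAT destination lives
    dst: Net                # post-NAT destination
    action: str = "allow"


class Firewall:
    def __init__(self, zone_of_interface, routes, nat_rules, sec_rules):
        self.zone_of_interface = zone_of_interface
        self.routes, self.nat_rules, self.sec_rules = routes, nat_rules, sec_rules

    def egress_zone(self, ip: IPv4) -> str:
        """Longest-prefix match in the route table, then interface -> zone."""
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {ip}")
        best = max(candidates, key=lambda r: r.prefix.prefixlen)
        return self.zone_of_interface[best.interface]

    def process(self, ingress_if: str, src: str, dst: str) -> dict:
        src_ip, dst_ip = IPv4(src), IPv4(dst)
        from_zone = self.zone_of_interface[ingress_if]             # ingress zone
        nat_to_zone = self.egress_zone(dst_ip)                     # route lookup on PRE-NAT dst
        nat = next((r for r in self.nat_rules
                    if r.from_zone == from_zone
                    and r.to_zone == nat_to_zone
                    and dst_ip in r.dst), None)
        post_src = nat.snat_to if nat and nat.snat_to else src_ip  # SNAT/DNAT only if a rule matched
        post_dst = nat.dnat_to if nat and nat.dnat_to else dst_ip
        sec_to_zone = self.egress_zone(post_dst)                   # route lookup on POST-NAT dst
        sec = next((r for r in self.sec_rules
                    if r.from_zone == from_zone
                    and r.to_zone == sec_to_zone
                    and post_dst in r.dst), None)
        return {"from_zone": from_zone, "nat_to_zone": nat_to_zone,
                "nat_rule": nat.name if nat else None,
                "post_src": str(post_src), "post_dst": str(post_dst),
                "sec_to_zone": sec_to_zone, "sec_rule": sec.name if sec else None,
                "action": sec.action if sec else "deny (no rule matched)"}


# Constructed interface-to-zone map for the thread's topology.
ZONES = {"ethernet1/1": "Untrust", "ethernet1/2": "DMZ", "ethernet1/3": "Trust"}


def scenario(best_route_if: str, nat_to_zone: str, with_snat: bool = False) -> dict:
    """Client 1.1.1.1 arrives on the Untrust interface bound for 3.3.3.3.
    best_route_if steers the /32 route for 3.3.3.3; nat_to_zone is what the
    admin typed into the NAT rule's Destination Zone; 2.2.2.2 always sits in Trust."""
    routes = [Route(Net("0.0.0.0/0"), "ethernet1/1"),     # default route via Untrust
              Route(Net("2.2.2.0/24"), "ethernet1/3"),    # server subnet in Trust
              Route(Net("3.3.3.3/32"), best_route_if)]    # public IP, placement varies
    nat_rules = [NatRule("DNAT-3.3.3.3", "Untrust", nat_to_zone, Net("3.3.3.3/32"),
                         dnat_to=IPv4("2.2.2.2"),
                         snat_to=IPv4("2.2.2.254") if with_snat else None)]  # assumed SNAT address
    sec_rules = [SecRule("ALLOW-TO-SERVER", "Untrust", "Trust", Net("2.2.2.2/32"))]
    return Firewall(ZONES, routes, nat_rules, sec_rules).process("ethernet1/1", "1.1.1.1", "3.3.3.3")


if __name__ == "__main__":
    for iface, zone in ZONES.items():                   # Examples 1-3 from the question
        print(f"route via {zone:8} -> {scenario(iface, zone)}")
    print("DNAT+SNAT ->", scenario("ethernet1/2", "DMZ", with_snat=True))
    print("NAT rule says Trust, route says DMZ ->", scenario("ethernet1/2", "Trust"))
```

In the three matching scenarios the NAT rule's destination zone tracks the route for 3.3.3.3 while the security rule's destination zone stays Trust, and adding SNAT changes only the post-NAT source. In the mismatch scenario no NAT rule matches, the packet keeps 3.3.3.3 as its destination, the security lookup lands in DMZ instead of Trust, and the Untrust-to-Trust allow rule never fires. On a real firewall the same three lookups can be checked from the CLI with `test routing fib-lookup virtual-router <vr> ip 3.3.3.3`, `test nat-policy-match from Untrust to <route zone> source 1.1.1.1 destination 3.3.3.3 protocol 6 destination-port <port>` and `test security-policy-match from Untrust to Trust source 1.1.1.1 destination 2.2.2.2 protocol 6 destination-port <port>`; option names vary slightly between PAN-OS versions, so confirm them with `?` on your release.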