====== Policy Format ======

===== Security Policy =====

  * Destination Zone = Post Translation Zone
  * Destination IP = Pre Translation IP

===== Destination NAT Policy =====

  * Destination Zone = Pre Translation Zone
  * Destination IP = Pre Translation IP

===== PBF Policy =====

  * Destination Zone = No Destination Zone
  * Destination IP = Post Translation Address

===== Decryption Policy =====

  * Destination Zone = Post Translation Zone
  * Destination IP = Pre Translation IP

===== DoS Policy =====

  * Destination Zone = Post Translation Zone
  * Destination IP = Pre Translation IP

===== Port Translation =====

When you have a destination NAT that translates the destination port (e.g. TCP-2222 to TCP-22), the security policy rules should use the pre translation port (e.g. TCP-2222). The Logs will show the traffic going to the pre translated port (e.g. SSH to TCP-2222).

===== Clientless VPN =====

  * Source Zone = SZ_ClientlessVPN
  * Destination Zone = Actual Destination Zone
  * Source IP = Actual source endpoint IP (public IP if they are on the Internet or connecting from behind a remote NAT).
  * Destination IP = Actual Destination IP
  * Destination Port = Actual Destination Port (not GlobalProtect 443)
  * Application = Actual Application. (e.g. Web Browsing not SSL if forwarding to port 80).
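
The Security Policy and Port Translation rules above can be checked mechanically. The following is an added example, not part of the original page and not a vendor API: a small Python model that audits security rules against a destination NAT rule and reports each destination field that would not match. The class names, rule names, zones and addresses are all constructed for illustration.

```python
# Added example: audits security rules against the destination-NAT matching
# rules on this page. All names and addresses are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class DnatRule:
    pre_zone: str   # zone the pre-translation destination IP routes to
    pre_ip: str
    pre_port: int
    post_zone: str  # zone the translated host actually sits in
    post_ip: str
    post_port: int


@dataclass(frozen=True)
class SecurityRule:
    name: str
    dst_zone: str
    dst_ip: str
    dst_port: int


def audit(rule: SecurityRule, nat: DnatRule) -> list:
    """Return (field, configured, expected) for each field that will not match
    traffic through `nat`: post-NAT zone, pre-NAT IP, pre-NAT port."""
    expected = {
        "dst_zone": nat.post_zone,
        "dst_ip": nat.pre_ip,
        "dst_port": nat.pre_port,
    }
    return [
        (field, getattr(rule, field), want)
        for field, want in expected.items()
        if getattr(rule, field) != want
    ]


# Constructed sample: public 203.0.113.10:2222 is translated to DMZ host 10.0.0.5:22.
NAT = DnatRule("untrust", "203.0.113.10", 2222, "dmz", "10.0.0.5", 22)
RULES = [
    SecurityRule("ssh-correct", "dmz", "203.0.113.10", 2222),
    SecurityRule("ssh-post-nat-everything", "dmz", "10.0.0.5", 22),
    SecurityRule("ssh-pre-nat-zone", "untrust", "203.0.113.10", 2222),
]

if __name__ == "__main__":
    for r in RULES:
        print(r.name, audit(r, NAT) or "OK")
```

A rule written entirely against the translated host (post-NAT IP and port) is flagged on both fields, while a rule that uses the pre-NAT zone is flagged on the zone only.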