In a Palo Alto Networks Cloud NGFW for AWS, security policies (rules) within a Rulestack are not evaluated based on their creation sequence or a simple top-down list. Instead, the administrator assigns a numerical priority to each rule. The Cloud NGFW evaluates rules in ascending order of this priority number, with the lowest number being evaluated first. This priority system provides explicit control over the evaluation logic, allowing for precise and flexible policy enforcement regardless of the order in which rules were created.

A. The administrator sets a rule order to determine the order in which they are evaluated.

This is imprecise. The specific mechanism is not a generic "order" but a numerical "priority," making option C more accurate.

B. They can be dragged up or down the stack as they are evaluated.

This describes a potential user interface action, not the underlying evaluation logic. The evaluation is based on the assigned priority number, not the visual position in a list.

D. They must be created in the order they are intended to be evaluated.

This is incorrect. The evaluation is decoupled from the creation sequence and is determined exclusively by the assigned priority number.

1. Palo Alto Networks

Cloud NGFW for AWS Administrator's Guide. In the section on managing security rules

the documentation explicitly states the use of a priority system. It details that each rule must be assigned a priority value

which dictates its place in the evaluation sequence.

Reference: Cloud NGFW for AWS Administrator's Guide > Security Rules > Add a Security Rule. The guide specifies: "When you create a rule

you must assign it a priority. The priority determines the order of evaluation within the rulestack. Rules with a lower priority number are evaluated before rules with a higher priority number." This directly supports the concept of using priority for evaluation order.