Explanation/Reference:
To be able to override these security policies by local administrator, the local policies must be applied after them.
Pre Rules: Pre rules are inserted at the top of the rule order and are checked first in the configuration in the pre-rulebase, before the post or locally defined rules. Examples on the use of pre rules are to insert global use rules such as blocking peer-to-peer traffic for all users, or allowing DNS traffic for all users.
Note: Rules in Panorama can be added as 'Pre' or 'Post' rules within each device group. Administrators can decide to manage rules as Pre, Post or use a combination of both, including the insertion of locally added rules, which are placed in order between the Pre and Post rules managed from Panorama.
Incorrect Answers:
B: Post Rules: Post rules are inserted at the bottom of the rule order and are checked in their configuration order in the post-rulebase, after the pre and locally defined rules. Examples of post rule use are global deny rules, either by appID/service/user/IP based or a combination of, or to create default zone to zone deny rules to use for logging of all blocked traffic.
C, D: Rules in Panorama can be added as 'Pre' or 'Post' rules, not Explicit or implicit rules, within each device group.
References: Panorama Design and Planning Guide Tech Note PAN-OS 4.1, page 6
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/ Panorama-Design-Planning.pdf