topic Re: Bi-directional NAT in Expedition Discussions

Bi-directional NAT

dega — Fri, 21 Sep 2018 23:05:10 GMT

I have three feature requests that are all related, that I think everyone will appreciate.

1) When converting ASA configs, true like for like bi-directional 1-to-1 NATs should be created, not the horrible implicit rule that Palo Alto Creates i.e. the reverse traffic zone becomes the same in both the source and dest zone fields from the original destination, with the exact original destination that is now the source.

2) Create a right-click option or button that does what I described in #1

3) allow me to multi-edit and turn off the bi-directional option if the selected rules are all source NATs

Re: Bi-directional NAT

alestevez — Sat, 22 Sep 2018 07:22:18 GMT

Hi,

version 1.0.107 will come with thr Nat Rule Action to massively enable or disable bidirectional check. MT-710 (release Oct 1st 2018)

version Expedition 1.1 will come with a function to split a static-ip nat in two, one dynamic-ip-port and another DNAT. MT-711 (TBD)

Re: Bi-directional NAT

Tom_Brancato — Sat, 22 Sep 2018 11:29:21 GMT

This is fantastic news, I owe you and your team a round

Re: Bi-directional NAT

dega — Tue, 25 Sep 2018 14:58:19 GMT

Albert, is there a release notes section somewhere?

Re: Bi-directional NAT

alestevez — Tue, 25 Sep 2018 15:25:50 GMT

It was !!! Im checking with IT to see what happened. Thanks

Re: Bi-directional NAT

alestevez — Tue, 25 Sep 2018 15:33:15 GMT

Release Notes, It should show under Expedition Articles but https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Release-Notes-for-Hotfixes/ta-p/216299

Re: Bi-directional NAT

dega — Tue, 25 Sep 2018 15:38:37 GMT

Apparently there is still a problem with this.

Re: Bi-directional NAT

alestevez — Tue, 25 Sep 2018 15:48:56 GMT

https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Hotfix-Release-Notes/ta-p/232307 I cloned again

Re: Bi-directional NAT

dega — Tue, 25 Sep 2018 15:53:04 GMT

Bingo, thank you sir!

Re: Bi-directional NAT

Jonas_Engblom — Tue, 05 Nov 2019 14:44:22 GMT

Will the split bi-directional nat function be available soon?

Re: Bi-directional NAT

swaschkut — Tue, 13 Jun 2023 08:03:04 GMT

If there is still a general need to migrate PANOS bi-dir-nat policy into two separate NAT policy, one for SRC one for DST,
you can use PAN-OS-PHP:
https://github.com/PaloAltoNetworks/pan-os-php

This Framework is available also as Docker Container:

docker run  --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest

the syntax to change bi-dir-nat into two NAT policy, where the migration is exactly the PAN-OS behaviour, to create the second hidden NAT rule as a configured one; please be aware, as the generated NAT rule, is exactly how PAN-OS FW behave, please adjust this NAT rule and configure specific SRC IP addresses in another config change step.

offline config manipulation:

pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=input.xml out=output.xml location={{DeviceGroup/virtual-system}}

or usine PAN-OS XML API:

pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=api://{{MGMT-IP}} location={{DeviceGroup/virtual-system}}

This functionality to handle bi-dir-nat policy and split them , is available since March 22nd 2016, and was introduced by myself in the former tool called pan-configurator:
https://github.com/swaschkut/pan-configurator/commit/22472b0d5f84604474e882e111130eb71372e8c9