https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-precedence-of-routing-nat-policy/ta-p/526558 <DIV class="lia-message-template-content-zone"> <P><SPAN>This article is based on a discussion, "</SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/precedence-of-routing-nat-policy/m-p/525630" target="_self">Precedence of Routing\NAT\Policy</A><SPAN>".&nbsp;Read on to see Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>'s response!</SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Dear All,</P> <P>&nbsp;</P> <P>I want to know what is correct precedence among Routing\NAT\Security Policy</P> <P>&nbsp;</P> <P>So If a packet hits on the outside zone of the Firewall then whether below process is correct?</P> <P>1. Whether FW has route for the destination\5.5.5.5 ( If YES)</P> <P>2. Whether there is any NAT policy&nbsp; (If YES) ( Assume -&gt; After NAT, 5.5.5.5 translated to 6.6.6.6)</P> <P>3. Then security policy should allow original destination IP(5.5.5.5)&nbsp; or Translated&nbsp; destination IP (6.6.6.6)</P> </BLOCKQUOTE> <H2 id="toc-hId--819683489"><FONT color="#FF6600"><STRONG>Solution:</STRONG></FONT></H2> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225514">@ManinderNegi</a>,</P> <P>&nbsp;</P> <P>Great question! A good general rule is "Pre-NAT IP, post-NAT everything else." For example, in this document -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples" target="_blank" rel="noopener">NAT Configuration Examples</A> the IP in the security policy is pre-NAT, while the destination zone is post-NAT.&nbsp; Scroll down to the bottom to see the NAT and security policy rules.</P> <P>&nbsp;</P> <P>With regard to precedence, a good diagram is this one taken from the PCNSE study guide on Beacon.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1672709765443.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46589i3340C2F00A090B07/image-size/large?v=v2&amp;px=999" role="button" title="TomYoung_0-1672709765443.png" alt="TomYoung_0-1672709765443.png" /></span></P> <P>&nbsp;</P> <P>Of the order you mentioned, the route lookup is done 1st (Forwarding Lookup).&nbsp; Then the NAT policy lookup is 2nd (DNAT check).&nbsp; However, NAT is not applied to the packets until the egress interface (Forward Traffic).&nbsp; The forwarding/NAT lookup is necessary to determine the destination zone.&nbsp; Then the security policy is checked last.&nbsp; That is why the IP address in the security policy is pre-NAT.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> </BLOCKQUOTE> </DIV> Tue, 10 Jan 2023 18:02:08 GMT JayGolf 2023-01-10T18:02:08Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-precedence-of-routing-nat-policy/ta-p/526558 <DIV class="lia-message-template-content-zone"> <P><SPAN>This article is based on a discussion, "</SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/precedence-of-routing-nat-policy/m-p/525630" target="_self">Precedence of Routing\NAT\Policy</A><SPAN>".&nbsp;Read on to see Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>'s response!</SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Dear All,</P> <P>&nbsp;</P> <P>I want to know what is correct precedence among Routing\NAT\Security Policy</P> <P>&nbsp;</P> <P>So If a packet hits on the outside zone of the Firewall then whether below process is correct?</P> <P>1. Whether FW has route for the destination\5.5.5.5 ( If YES)</P> <P>2. Whether there is any NAT policy&nbsp; (If YES) ( Assume -&gt; After NAT, 5.5.5.5 translated to 6.6.6.6)</P> <P>3. Then security policy should allow original destination IP(5.5.5.5)&nbsp; or Translated&nbsp; destination IP (6.6.6.6)</P> </BLOCKQUOTE> <H2 id="toc-hId--819683489"><FONT color="#FF6600"><STRONG>Solution:</STRONG></FONT></H2> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/225514">@ManinderNegi</a>,</P> <P>&nbsp;</P> <P>Great question! A good general rule is "Pre-NAT IP, post-NAT everything else." For example, in this document -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples" target="_blank" rel="noopener">NAT Configuration Examples</A> the IP in the security policy is pre-NAT, while the destination zone is post-NAT.&nbsp; Scroll down to the bottom to see the NAT and security policy rules.</P> <P>&nbsp;</P> <P>With regard to precedence, a good diagram is this one taken from the PCNSE study guide on Beacon.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1672709765443.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46589i3340C2F00A090B07/image-size/large?v=v2&amp;px=999" role="button" title="TomYoung_0-1672709765443.png" alt="TomYoung_0-1672709765443.png" /></span></P> <P>&nbsp;</P> <P>Of the order you mentioned, the route lookup is done 1st (Forwarding Lookup).&nbsp; Then the NAT policy lookup is 2nd (DNAT check).&nbsp; However, NAT is not applied to the packets until the egress interface (Forward Traffic).&nbsp; The forwarding/NAT lookup is necessary to determine the destination zone.&nbsp; Then the security policy is checked last.&nbsp; That is why the IP address in the security policy is pre-NAT.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> </BLOCKQUOTE> </DIV> Tue, 10 Jan 2023 18:02:08 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-precedence-of-routing-nat-policy/ta-p/526558 JayGolf 2023-01-10T18:02:08Z