topic Re: Issue Nat Outbond Palo Alto in Next-Generation Firewall Discussions

Issue Nat Outbond Palo Alto

f.niam — Thu, 04 Jul 2024 11:54:44 GMT

i got an issue, while sometimes my fortimail is unable connect to internet, and for my fortimail to able connect to internet again i disable and enable my nat policy, is there any bug related to that because i got this every day

here is my nat policy

Re: Issue Nat Outbond Palo Alto

SutareMayur — Fri, 05 Jul 2024 15:17:34 GMT

Hi @f.niam Why you have both directions NAT configured? Do you want it to be available from Internet also?

During issue time, did you check the traffic logs to understand what's happening? Is it matching NAT statement when issue is present ?

Re: Issue Nat Outbond Palo Alto

OtakarKlier — Fri, 05 Jul 2024 18:57:53 GMT

Hello,

Disable the policy NAT 85 in your picture as it is not required. Also I hope this external IP is used only for the Fortimail, if yes, set the Bi-Directional to yes.

Regards,

Re: Issue Nat Outbond Palo Alto

f.niam — Fri, 05 Jul 2024 20:25:23 GMT

yes, i need fortimail to get internet, because during issue my fortimail can't send email to outbond and while i trace from fortimail packet stop at palo alto, and while i disable and re-enable nat policy no.86 my fortimail is back to normal and can send email to outbond, while in my palo alto traffci log it show application incomplete

Re: Issue Nat Outbond Palo Alto

f.niam — Fri, 05 Jul 2024 20:27:10 GMT

unfortunately, my external ip public is used by two ip address, and here is my detail issue, my fortimail can't send email to outbond and while i trace from fortimail packet stop at palo alto, and while i disable and re-enable nat policy no.86 my fortimail is back to normal and can send email to outbond

Re: Issue Nat Outbond Palo Alto

jkvalk59s — Sat, 06 Jul 2024 13:41:52 GMT

Your policy names are confusingly reversed (regarding what is in/out) but that's not relevant here. I don't see anything specifically wrong here and as you're saying - it is an intermittent/runtime issue, it works and then it does not work - meaning as if the configuration is fine, just that something happens in the data plane.

This tells me that some in-depth debugging of the sessions and packets is required, you can take packet captures, trace down and investigate sessions, etc., but it may also be basis for a support case. If you get lucky, they may find something in the tech support file or it may be a known issue.

I understand you can't initiate this situation to reproduce it, but once it happens, you can keep if for some time so that it can be investigated. E-mail servers usually try to re-send an e-mail for 4 to 8 hours so if you keep it broken for a few hours, there should only be a delay but no actual data loss for the users.