NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct?

Leekw24 — Tue, 03 Mar 2026 07:47:03 GMT

[Question] NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct?

Topology

Client (1.1.1.1)  —  Untrust Zone
         |
       NGFW
         |— DMZ Zone — 3.3.3.3/32 (Public IP)
         |
       Trust Zone
         |
Server (2.2.2.2)

Background

I am configuring Destination NAT on a Palo Alto NGFW where:

Client (1.1.1.1) comes in from the Untrust Zone
The public IP 3.3.3.3 is associated with the DMZ interface
The actual server (2.2.2.2) sits in the Trust Zone
The goal is to DNAT 3.3.3.3 → 2.2.2.2

My Understanding of Zone Selection in NAT Policy

Based on my testing and research, I believe PAN-OS determines the Destination Zone in a NAT Policy based on the routing table's best route for the destination IP — NOT the physical ingress interface.

Example 1: Best Route for 3.3.3.3 → Untrust interface

NAT Policy:      Source Zone = Untrust / Destination Zone = Untrust
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Example 2: Best Route for 3.3.3.3 → DMZ interface

NAT Policy:      Source Zone = Untrust / Destination Zone = DMZ
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Example 3: Best Route for 3.3.3.3 → Trust interface

(Even though the packet physically arrives on the Untrust interface)

NAT Policy:      Source Zone = Untrust / Destination Zone = Trust
Security Policy: Source Zone = Untrust / Destination Zone = Trust

Question 1 — DNAT Zone Logic (NAT Policy)

Is my understanding correct that the Destination Zone in a NAT Policy is always determined by the best route of the pre-NAT destination IP, regardless of which interface the packet actually arrives on?

Question 2 — Security Policy Zone Logic

For the Security Policy, I believe:

Source Zone = actual ingress Zone (same as NAT Policy)
Destination Zone = Post-NAT Zone (the Zone where the translated server 2.2.2.2 actually resides)

So regardless of what the best route for 3.3.3.3 is (Untrust / DMZ / Trust), the Security Policy Destination Zone is always Trust — because that is where the DNAT target 2.2.2.2 lives.

Security Policy:
  Source Zone      : Untrust
  Destination Zone : Trust        ← Post-NAT Zone (where 2.2.2.2 resides)
  Destination Addr : 2.2.2.2      ← Post-NAT destination IP
  Action           : Allow

In other words, the Security Policy Destination Zone is independent of the best route — it only follows the Post-NAT destination, correct?

Question 3 — DNAT + SNAT Combined in a Single NAT Policy

When applying both DNAT and SNAT in a single NAT Policy rule, I believe the Zone selection follows the same DNAT-based logic (i.e., best route of the destination IP), and SNAT has no effect on Zone matching.

NAT Policy:
  Source Zone      : Untrust
  Destination Zone : DMZ          ← Based on best route of 3.3.3.3 (DNAT logic)
  Destination Addr : 3.3.3.3

  Source Translation      : [SNAT settings]
  Destination Translation : 2.2.2.2

Security Policy:
  Source Zone      : Untrust
  Destination Zone : Trust        ← Post-NAT Zone (where 2.2.2.2 resides)
  Destination Addr : 2.2.2.2
  Action           : Allow

Does adding SNAT to the same rule have any impact on how the Destination Zone is evaluated in the NAT Policy?

Summary Table

Policy	Source Zone	Destination Zone	Basis
NAT Policy	Actual ingress Zone	Pre-NAT	Best route of destination IP
Security Policy	Actual ingress Zone	Post-NAT	Zone where translated destination resides

NAT Policy Destination Zone by Best Route

Best Route of 3.3.3.3	NAT Policy Dst Zone	Security Policy Dst Zone
Untrust	Untrust	Trust (unchanged)
DMZ	DMZ	Trust (unchanged)
Trust	Trust	Trust (unchanged)

Any confirmation or correction would be greatly appreciated. Thank you!

Re: NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct?

abayoumi21 — Tue, 03 Mar 2026 08:42:37 GMT

Question 1: You are right

For destination NAT traffic:

Packet arrives on ingress interface → Source Zone determined
Firewall performs route lookup on pre-NAT destination IP
That route lookup determines:
- Egress interface
- Egress Zone
NAT rule is matched using:
- Source Zone (ingress)
- Destination Zone (from routing lookup of pre-NAT IP)
DNAT translation applied
Security policy evaluated using:
- Source Zone = ingress zone
- Destination Zone = post-NAT zone

https://docs.paloaltonetworks.com/ngfw/networking/nat/destination-nat-exampleone-to-one-mapping

Question 2: You are totally correct, In D-NAT, Paloalto firewall determine the distination zone in security policy based on Post-NAT destination IP address.

Security policy evaluation for DNAT uses:

Source Zone = ingress zone
Destination Zone = zone of the POST-NAT destination

Question 3: SNAT has no impact on the selection of destination zone under NAT policy or Security policy.

topic Re: NAT Policy Zone Selection for DNAT (and DNAT+SNAT) — Is My Understanding Correct? in Next-Generation Firewall Discussions