https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593652#M118159 <P>Hello,</P> <P>I Saw this on a website</P> <P>&nbsp;</P> <P><SPAN>"Security policies differ from NAT rules in that security policies examine post-NAT zones to determine whether the packet is authorized or not."</SPAN></P> <P>&nbsp;</P> <P>I don't understand why because&nbsp; it's the packet without NAT ( no NAT) that reaches the firewall and&nbsp; the firewall compare it to the security policy to determine whether the packet IS authorized.</P> <P>&nbsp;</P> <P>So normally security policy should examine pré-nat zones and not post-NAT zones isn't it?</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> Wed, 31 Jul 2024 15:19:57 GMT Sarou22 2024-07-31T15:19:57Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593652#M118159 <P>Hello,</P> <P>I Saw this on a website</P> <P>&nbsp;</P> <P><SPAN>"Security policies differ from NAT rules in that security policies examine post-NAT zones to determine whether the packet is authorized or not."</SPAN></P> <P>&nbsp;</P> <P>I don't understand why because&nbsp; it's the packet without NAT ( no NAT) that reaches the firewall and&nbsp; the firewall compare it to the security policy to determine whether the packet IS authorized.</P> <P>&nbsp;</P> <P>So normally security policy should examine pré-nat zones and not post-NAT zones isn't it?</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> Wed, 31 Jul 2024 15:19:57 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593652#M118159 Sarou22 2024-07-31T15:19:57Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593662#M118160 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176305">@Sarou22</a> ,</P> <P>&nbsp;</P> <P>You are correct that the incoming packet is destined for a pre-NAT zone.</P> <P>&nbsp;</P> <P>To understand why you put the post-NAT zone in the security policy rule, we need to review the session setup process on the NGFW.&nbsp; I got this diagram from the PCNSE Study Guide.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1722441264461.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61264iEE57AD3224BADE7C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="TomYoung_0-1722441264461.png" alt="TomYoung_0-1722441264461.png" /></span></P> <P>&nbsp;</P> <P>The NGFW looks at NAT rules to determine the destination zone before checking the security policy.&nbsp; It is called a <EM>NAT lookup</EM> because NAT is not actually applied to the traffic yet.&nbsp; The NAT rule changes the IP address in the packet on egress.&nbsp; I like the behavior because the security policy shows the ultimate destination zone for the traffic.&nbsp; The rule of thumb to apply "pre-NAT IP and post-NAT everything else" to security policy rules works well for these scenarios.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> Wed, 31 Jul 2024 16:06:42 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593662#M118160 TomYoung 2024-07-31T16:06:42Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593715#M118172 <P>Hello,</P> <P>&nbsp;</P> <P>Sorry it IS not clear to me.&nbsp;</P> <P>&nbsp;</P> <P>My exemple IS the following:</P> <P>Source zone : outside&nbsp;</P> <P>Destination zone : inside</P> <P>Source adress:8.8.8.8</P> <P>Destination adress: 212.21.20.4</P> <P>Nat rules:&nbsp; 212.21.20.4 translated to 10.118.20.3</P> <P>&nbsp;</P> <P>So when the server 8.8.8.8 ping the user 212.21.20.4 thé firewall will translate 212.21.20.4 to</P> <P>The firewall will examine post nat zone, zone inside?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 31 Jul 2024 21:52:07 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593715#M118172 Sarou22 2024-07-31T21:52:07Z https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593716#M118173 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176305">@Sarou22</a> ,</P> <P>&nbsp;</P> <P>If you have an inbound destination NAT rule, here is a great article with example NAT and security policy rules on the bottom.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping</A></P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>Tom</P> Wed, 31 Jul 2024 22:08:20 GMT https://live.paloaltonetworks.com/t5/general-topics/nat/m-p/593716#M118173 TomYoung 2024-07-31T22:08:20Z