topic Re: NAT LOGGING in General Topics

NAT LOGGING

calabilla — Sat, 19 Oct 2024 17:30:53 GMT

Hello,

I am a newbie so please bear with me, I Have a very simple LAB with a Palo Alto firewall with 11.00 Ver and an internet connection.I know that to provide internet connection to the user i would need a Policy,default route and a source NAT.

Lets suppose I dont have a Source NAT for the internet connection, how would I know that I am missing a source NAT.

is there a command which shows that the packet is dropping due to source NAT not available?

Thanks

calabilla

Re: NAT LOGGING

SutareMayur — Sun, 20 Oct 2024 04:27:34 GMT

Hi @calabilla

First of all, we all know to go over the internet, source private needs to be NAT with public IP to route traffic over the internet. This is our basic understanding for the network/firewall topology and how traffic flows over the internet.

Now if you miss NAT configuration, there is no direct indication to understand this but there are some in-direct ways to know it. Traffic logs will not show this traffic as dropped/denied as Security policy will allow it. Now as NAT policy is missing, firewall will just send traffic based on the matched route and forward packet to the next hop. For internet destination, it will match default route pointing to internet/ISP hop.

As we do not have NAT, with source private IP traffic will be routed to next hop. As private IP is not routable over the internet, there will be no response to that request and connection will be reset.

Now from Palo Alto, you can see some indications under traffic logs like,

1. Look for session end reason under traffic logs, it will show Resets/or aged out. In normal cases, you will see TCP-FIN when session is completed.
2. If you open that specific traffic logs, you will se bytes sent but there will not be any bytes received as there will be no response to that request. In normal cases, when session is successful, there will be responses and bytes received counter will get updated with number of bytes received.
3. If you enable packet capture, you will not see any received response in that as well.

So this way, you can understand what is happening with that ongoing session and check these pointers.

Hope it helps!

Re: NAT LOGGING

calabilla — Mon, 21 Oct 2024 08:39:26 GMT

Thanks for the great information. i did went in the monitor section and provided source and destination address but there is no traffic is generated.

May be I am wrong here , can you please give me the exact steps .

Re: NAT LOGGING

SutareMayur — Mon, 21 Oct 2024 09:43:58 GMT

Hi @calabilla Make sure that your security policy which is allowing the traffic is enabled to Log at Session End at least.

For testing, you can also enable both options as shown in attached snap. So as soon as there is a request and it matches that security policy, firewall will log it and you should be able to see it under traffic logs.

Hope it helps!