topic Re: Policy processing order in General Topics https://live.paloaltonetworks.com/t5/general-topics/policy-processing-order/m-p/1234860#M124853 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/332448">@jwill2</a>&nbsp;</P> <P>&nbsp;</P> <P>You can look into a packet flow diagram to find your answer:</P> <P><A href="https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309" target="_blank" rel="noopener">Detailed Packet Flow Diagram</A>&nbsp;</P> Tue, 29 Jul 2025 07:16:04 GMT CosminM 2025-07-29T07:16:04Z Policy processing order https://live.paloaltonetworks.com/t5/general-topics/policy-processing-order/m-p/1234802#M124851 <P>I have a question about how policies are processed; specifically NAT vs Security Policy.</P> <P>&nbsp;</P> <P>We have a NAT policy that performs destination NAT to translate all traffic to port 53 to be translated to our corporate DNS servers.</P> <P>&nbsp;</P> <P>We have a security policy for DNS that permits outbound access to only our corporate DNS servers.&nbsp; All other DNS destinations are blocked.</P> <P>&nbsp;</P> <P>When looking at the security logs, I see entries showing DNS destinations to other DNS servers (like Google's DNS) getting blocked (which is expected).&nbsp;</P> <P>&nbsp;</P> <P>I have tested using nslookup on an internal host name using the Google DNS as the server and the response times out and I see it blocked at the firewall.</P> <P>&nbsp;</P> <P>When does the NAT translation take place?</P> <P>&nbsp;</P> <P>What should my Security policy look like?</P> Mon, 28 Jul 2025 18:45:50 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-processing-order/m-p/1234802#M124851 jwill2 2025-07-28T18:45:50Z Re: Policy processing order https://live.paloaltonetworks.com/t5/general-topics/policy-processing-order/m-p/1234860#M124853 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/332448">@jwill2</a>&nbsp;</P> <P>&nbsp;</P> <P>You can look into a packet flow diagram to find your answer:</P> <P><A href="https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309" target="_blank" rel="noopener">Detailed Packet Flow Diagram</A>&nbsp;</P> Tue, 29 Jul 2025 07:16:04 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-processing-order/m-p/1234860#M124853 CosminM 2025-07-29T07:16:04Z