https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28305#M20682 <HTML><HEAD></HEAD><BODY><P>Sounds sensible - thanks Hulk.</P></BODY></HTML> Sat, 24 May 2014 00:35:46 GMT svanrooyen 2014-05-24T00:35:46Z https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28303#M20680 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Hopefully a fairly straight forward beginner question.&nbsp; If I'm wanting to securely set up a basic inbound rule to direct traffic to a web service in our DMZ (from a single external source address), is it best to specify the source address in the NAT or Security policy - or both?&nbsp; I'm trying to figure out the pro's and con's for both scenarios.</P><P></P><P></P><P>Thanks,</P><P>Steve</P></BODY></HTML> Fri, 23 May 2014 22:40:02 GMT https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28303#M20680 svanrooyen 2014-05-23T22:40:02Z https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28304#M20681 <HTML><HEAD></HEAD><BODY><P>Hello Steve,</P><P></P><P>As per the packet flow in PAN firewall, It will evaluate the NAT policy first and then, according to the translated address <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>NAT'd), it will search for an appropriate security policy. </P><P></P><P>I would suggest you to specify the source address in your NAT configuration, just to secure your webserver. Even if, you will not specify the source address on your NAT policy, the traffic will still be validated by security-policy lookup.&nbsp; So, you must specify the source address into your security policy. Otherwise, anyone can initiate a traffic to the public IP (server's public IP address hosted in PAN firewall) and utilize it's CPU cycles.</P><P></P><P><IMG alt="PacketProcessing-PAN.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/13663_PacketProcessing-PAN.PNG" style="height: 419px; width: 620px;" /></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 23 May 2014 23:03:29 GMT https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28304#M20681 HULK 2014-05-23T23:03:29Z https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28305#M20682 <HTML><HEAD></HEAD><BODY><P>Sounds sensible - thanks Hulk.</P></BODY></HTML> Sat, 24 May 2014 00:35:46 GMT https://live.paloaltonetworks.com/t5/general-topics/securing-inbound-traffic/m-p/28305#M20682 svanrooyen 2014-05-24T00:35:46Z