https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51384#M37797 <HTML><HEAD></HEAD><BODY><P>I'm working on developing my rule base prepping for implementation.&nbsp; I'm noticing that alot of my inbound rules, ie:</P><P></P><P><IMG height="31" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABegAAAAfCAIAAAATC7rMAAASW0lEQVR4nO2da3BT14HHMw3dnenMfuBrZ9ulW5Y0gIclFKbeTtOkNKQkeMmmpSlJlqHIj5RxVGrYVDjJDjFxwGlEiB+NH0RRDPFDMUkdY6u2hR3ZWhkbLhg/sPw2lmWMXxjj9+vuB72u7kuyHujo6s/8hpHlq6ur3zn3+J7/OefqEZrxr1Dz5bWm1vnFJRAm9JoHg34MoQJcwRWxQDhskwlc+dGVsa6FpucX5ib6+rovVzWfv3A1LU1/5kz9yZNFQT94okCtCxNQ0JBMFHAFOb7IWVzyiEcQ3IQzOJHgCq4kAITDNpnAlR9dlZYa6utvWCwDHR29DQ2dOl1TRkaVTHY2KSkt6AdPFKh1YQIKGpKJAq4gxxc5CG6Ae3AiwRVcSQAIh20ygSv/usrNLcrKysvOvqhU5h87liqTHc/IqAr6kZMGal2YgIKGZKKAK8jxRQ6CG+AenEhwBVcSAMJhm0zgyu+urFdrQT9akkGtCxNQ0JBMFHAFOb7IQXAD3IMTCa7gSgJAOGyTCVzBFUyCAIGChmSigCvI8UWO98GN0WQBYUI51R70YwgV4AquiAXCYZtM4AquYBIECBQ0JBMFXEGOL3IQ3AD34ESCK7iSABAO22QCV3AFkyBAoKAhmSjgCnJ8kYPgBrgHJxJcwZUEgHDYJhO4giuYBAECBQ3JRAFXkOOLHAQ3wD04keAKriQAhMM2mcAVXMEkCBAoaEgmCriCHF/kILgB7sGJBFdwJQEgHLbJBK7gCiZBgEBBQzJRwBXk+CIHwQ1wD04kuIIrCQDhsE0mcOW1K2We9nTB5bP5lX8t1OUUVJ3T1GQW1aVrGrIu1Hm4w5bcInN8gvRoyS1CrQNGFDQkEwZcQY4vciQV3ITA9UdsbPHe2Hbr/2Rcu3heVzyComQqqsS/JbuqfVo3DsRh+N1V2ANXEC5hYBuuHoIreWXPm51z2YNTX03Olk/OXhqfyhueyhiZS7p828MdmuMT6EcekR7m+ATUOmBEQUMyYcAV5Pgix7/BTZdSVRLl6DCzOs98femSMl1UaokVWVkXezOKkqXqlJR141ZFqkHNfVOKktn2YGiMjQ36tQJpuL128byucIXzF8fDDm74ah2Cm1AAriBcwsA2XD0EVwcr78Z30O/20WmDdOYQ/fFdOnWIfu8O/fbfBzzcIYIbJpuSK92yivIK3qUIcOBJ81LT/SAqq2dvTk/97Rl/vnsQK4D4W+sN1p6XQu+fj0BaG157q6Wq+Xx5Y2Lp9VcuUS9rryt0Nz+rbW0O+oER6IooIMetHL8GNxQlUxkUKnvU4i64KSnTOfvbplaFLbtxBjQlZTqZSmdrVkTaDvuvzAhuVn/t4nld4QoXKQt/VlbxffLWOgQ3oQBcQbiEgW1fXTU27nvhpcy0HGNjo9FkEXrsgtctf+h0sFmudn898usr9GvXl4+2Lh83LSvalt+7oH0n7/Lp3HKxxVPOAZiSvN0Hgn6hEpSLHwQ3YQK3oBsaGhITEx0/GnoeRGX1dIwtZdSMRJxq8+e7r/aK1LGl7zVHbA+tCueguH8Oiai/dzWttdobbxU3RP2tfs9X9Xu+vPL8xbrnvvi/3cUNiupmfdAPjyhXpLHaZjnoB/zw5fgzuCkp08nKutQavrkz3B+5DYd9A7XG9rxaY1DrDba9OR5wQXDjw7WL53WFK9z6QKkpcSb3thjF+gwjTGFO0mFNqrL/VXPZj8urGBNqPKx1zCPkfWuKktnywS6lim/qkJ9cMeaU6ZQUnzFTl1LlGPRYzV/T0AeuIFzCwLbXrowmS2Zazr4XXhKPbGyPmS8Mv+Bma/5EZDn9fNXyb2qXX61bPnBl2aPFUxT1/hvZ1vXaw3v2mNZvHdoReX9H5GjElmb74/s7Ioc2bh3asb2H8VvTY1t6/j3y/o7I+9u2mR7bNmr9376983n+x1t7Htti3mbbku+9+J7kvsWO7T3rHfvZ3rNxO/eZ4f/6rXf3uNmUXEkL/1tYXkFwE3JwC1oulzOzG2tqo2t/EHGqrWt8IeJU2/n6Mf+8+2orgB8rjPgIK++UefH9hEhwU9vaXEq9ebHuuS+MzxXW7i6sfTZf/2xBzTOfVz9zoXpnkeGYvqUpuEfIXsQg1v1x9lyEt5HUpYKHzfLyCj29sBRu2Y3fg5supXXWg94QxXuSu185ZZtrY+2KG01dSg1VYmpV2NIc4Rl99l21ZGebHtsW9KyEBO7viAzgPW5cYxFbuVjLnbG6zT6jqlVh36akTBelaeUPblj7YbxK9K+FQK2zvYTz1ow6ptAYFHqL0V7B/Hte8aA32D47+5Paf8V8EB7AFYRLGNj2xVVMdJw1lxHhz39+a98LLzFe1aVU2Vdeawz2K12DmvsXh5mjqagS5guFxoeIgeXq0cyZf/qC/kEpvbmS3l5FR1bRHi2eoqjivVIe6PJkyEqkh+AYzmU+3pRceW9mgdtPcK1Lrj8iuCEA3oKWy+Wjo6Nyudxosuz+uPu6eTbiVNs3HQ8iTrV1jC1FnGorpEZYL+EL3x3jlNyRS8czzGrQqkh1/pa9Q04LJjT6yO7DM+EOebJ7+M5jiFJRar4RBb47D7hpJMkJbsqvf1pYuyu/Ztfn1c+cr/pl7uWdn1U+rdY9pa7Yqb16VF3xq6+vZBNUIUW7P85OE8829uhNWo2MJ8HN4tLy5Nzi0OTspuTKvrHp8Mlu/B3cuDRMnPPftIrgxkhRMmtN1bTaJ0SITotg5AjSvhbx71WL9ycSbwDPnRFqDfXdPsN9Fe8z4kXPqnVCB2OyzedSawxql2oWSFfMP6L8n8tW88XSSSkCVxAuYWDbe1cmS0x0XErKmcXxxIXR1xeG//vtRFlMdFyjfudc/+Ozt7//tmJ/THTcDd06wRk3zCtd/qEC2xWFWsOZB0o2LFePf2D+iXr8Pz4d2/7JvSc+GduhHuUunjratiJvX0nI72WKkvbFko/BDfPfygo9v7g8Obc4MjXXPz7D7iSw6hL3xxCpVxJGKFOQy+VjY2NHjhxxBDc70zs7xpZOFLRsOHnr2u0pwX06w3f7ZAe9wZYRc59xzT74G3ZHUs++uvakD8/cFXfIk6+Hz1stHR9K6Go8RGbcFBn+9JnuF+rKp1XlT31S/vNz2iezSn+WW/n80HjLwuJ09c2/qCv+ENwj5M64WV03yj7aHeXEn+sGCJJjx5GhM5N0093JcFsz5efghnmbYVsi6yapEVwqZbt41RvsrZVBSYlOi0Bw49VVi/cnEjHBjWCtEw5uSsp0Cr21OnUpVc5qFhBXzL/iop9LrSlR6AVuvy1d4ArCJQxse+nKZDGaLDHRcZlpOQujR+aHD1375uWY6LjEN34/27959vYPGsq3xETHHf+f/TNdj4oFN7x/QRjdIZeL3dDpYPNe1x5Lot5JoQ5GV7/4uxru4qmXr6zsq1+OyzUzRRXv3h/0C5XA4Zh0LDLv2JMZN9a1UQ6aByc4PQRWXXL9MXTqlYQRyRTkcvng4GBiYqI2Za2hc+JEQcuJgpZd6R1/LOT7UjaR8N3ao9ELPMNt83l3aOK0YJ5cPzOuhJ3zdJh74Pbw2bsVHVEIteBGVb4nu+xnOWVPntftzSl9Kr048uNLvxyeaKdpenpu7Fxp1JmLTxFUIb0ObiTasIg0y8srKzPzSyNT833j0y2D96/0jura715quXOxcQDBjRfBjWuQ7Fg1IzrFRuDmxBajyaLW6GQqZ24tU+nEJjAzmhXHsm1z/GHd7v15vN+6HRtbvO+wy/dzxx/W7d6vO5hgjk9of+VA3r7DZuY3drt8h7fcuNe2pYPGfQeK9x4wxiaY4xPMBw8V7z1Q/IqcsXP7bh07Efo68IOH8uyHYeZu4/KM8Kfz3wopVl3hFS7SmjBWJ3FHDJz3nxYYfHbmeq71xLNaJzRYYbIYKUphr04lZQaFxuDf1aFCLbLwJ7U/DoVZ+v4FriBcwsC2l65MFqM9uJkfiZu/+7uUdw/GRMdpi341179+tve7KUkvxkTHaQu2zHStyfYyuLFuz+hjh851MNfVtQbztQZz09W2rLOG12NruYunflxNR1TRL59zWSplu1iKjTWt3xr0nCWgCI1jic+4WVpemVlYujezMDQ52zs2fWtokuofN/SMCvQQBOKb0KlXEkYkU+gcX7CmNjOWR7Upa9e/c2vDyVvHLgqlNiJfgrH64Ia7Q+4Dz4Ibl4P0pIfPfBe3IwqhFtx8fOnZtL/9JOPrJ7sHa6ZmRwuqY/qHr9E0PT03/knZb5PPR5zO+ylBFVJgXMHN/SWYU6ukhVCzvLi0sim5cmhyjnVz4ouNAwhuvApu2OezvcFipryU648mi9F1xgSzCrr01SnGzEAuzt1y/kbyTCO04lyrudob6Ja4bMk4tQSOVm1fiWoLwt1kpaKrFj39dIGqK26Ec9N9nkSfXe4uWlgf0/5thS5jCJ7UOv7CYl5RMeay+tshq9HhrwA8x2+/Wc9DKVBCgCsIlzCw7bUroyO4GX61/eqvY6LjDv8h5l7n5tm+75kM/xYTHXf4teix1u/MdK3hmXHDP6TMHipQ2KIxu23GNoTDdlXXQtPzC3MTfX3dl6uaz1+4+qMPzFuzRrZlDjkWT/24YGLjhQd73+HvLZgPHgp6tkJUcLO84pxx0z8+zewkaG8NcZdKudQlPftHBDdBh7egV1ZWWsxTUVk92pS1Q9X/cK9pzczAt7QpawX3Ix6+c4ereYYSXccauTs0cVswT/rwzOPkDnny9fD5shjnhxIaWBVtJMkJbs5pY/9S+MT7BU9UXDvt6LdOz47/tfiF//1049uqH50tepWgCslboG47pC7biH1/S8gh1Czfm1kYuDdjGpq81j/+TeeItvXOVzct1tQGwY0PXwcOJAo5LTL5eOnqIcZw5ABXEC5hYNsXVzHRcdbsRvzmxOzgxh6QseJ+zlIC5+05GfN8Q/LmxKWlhvr6GxbLQEdHb0NDp07XlJFRJZOdff2tOsfiqVdeq0z6qMJlP8zgJj4h6NkKUcHN1PzS2PS8ZWK2a+RB8+BEQ994TedIRdvQpZbBL29aBJZKOSqP64+YcUMAvAXddGdqV0a39Y42tuzm5prpgUdFshue8J27BIl3UZLAuC97h4x3Eb85sXBwwzfkye3hM17IPQaRgVWRRpKcbkKhPv3d8xEnczefUG++2X2Jpump2bGzXzx3PHuDImv9G5k/zK04Q2CFBCJyNiVX9o1Pb0quvNI7ihk3IRfcMG6Hzpoy48+XABfIaGVCoxy9cxVu9yKFKwiXPLDtvavGRmtqI/YqT7aRItx6lZtbpFTmpKfnK5X5x46lymTHWYunXo/Tfnj6S6EdtuQW8S64lgyrvccNcza+dW0Us5MQJj0EKcEt6Kv9M09+ZLsP8U8/7Dh7eVCbsnao+h/v3VwzI5rduOB2Xnw4QUY3wWI0WS433kj76tBb5zYcz9nwZs7GGx1fK/N3Hc3416Pp6xLS172f/2rljetwRSxCzXLjwIShe7Sibai4yTnRBjNuQiK4AUEArQxcwZUEgHDYJhOWq8y0HLehjCfbSBL39YqzeCotTX/mTP3Jk/68850EEOohtN+dbByYqOsdre64q711h9VPCJMegpTgFvTTabbUZmdaZ/LfLcsrtNFksWU3Td92s2bKAYIbUclB5FJ9uVJzICFjXUL6uiOp//LHj74vP/u9+A//+b3P9xfXaYN+eES5Ig2hZvmbzuEy1+VRYdgsI7gBnoJWBq7gSgJAOGyTCa8rT0IZBDdchBZPJSWlBf3giUKoh+CWoB85WBXcgn7p094TBS3PZ3a/Wdy/sLjieN4+7+bbnk66AcKSg0vljesq7Qfv5v4mIX3jn1IfT/rsxXOl71dcp4J+YAS6Igo0y27lILgB7kErA1dwJQEgHLbJBK786yo3tygrKy87+6Jj8VRGRlXQj5w0UOvCBG5Bnys2/GdWdzzfd35rU9ZaCfphhxY4m+AKch6OHAQ3wD04keAKriQAhMM2mcCV311Zr9aCfrQkg1oXJqCgIZko4ApyfJGD4Aa4BycSXMGVBIBw2CYTuIIrmAQBAgUNyUQBV5Djixzvg5v5xSUQJvSaB4N+DKECXMEVsUA4bJMJXMEVTIIAgYKGZKKAK8jxRQ6CG+AenEhwBVcSAMJhm0zgCq5gEgQIFDQkEwVcQY4vchDcAPfgRIIruJIAEA7bZAJXcAWTIECgoCGZKOAKcnyRg+AGuAcnElzBlQSAcNgmE7iCK5gEAQIFDclEAVeQ44scD4Ob/wcjUhNrp8rAsgAAAABJRU5ErkJggg==" width="944" /></P><P></P><P>Where the destination in an address object with my internal IP.&nbsp; Now of course I have NAT rules to statically NAT the traffic inbound and outbound.&nbsp; Outbound (handled by another rule), the log shows the internal IP address as the source IP.&nbsp; However, for inbound traffic the log shows the destination IP as the NAT address and does not catch on the rule above.&nbsp; Looking at the details of the log it shows that it is being NAT'd correctly and what not.&nbsp; Is this normal behavior?&nbsp; Do I need two objects (even though I know I don't need an object) for each IP, an external object and an internal object?&nbsp; Should the rule above contain the destination object of the external IP? </P><P></P><P>Just FYI, this behavior didn't always seem to be the case.&nbsp; As I went back through my logs I saw where it look as though this rule was catching as it should have been.&nbsp; Recently I went from one VR to three VRs to handle redundant ISPs.&nbsp; Could this be the reason we see it logged this way?</P><P></P><P>TIA,</P><P>Daniel</P></BODY></HTML> Mon, 10 Oct 2011 20:13:41 GMT dshue 2011-10-10T20:13:41Z https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51384#M37797 <HTML><HEAD></HEAD><BODY><P>I'm working on developing my rule base prepping for implementation.&nbsp; I'm noticing that alot of my inbound rules, ie:</P><P></P><P><IMG height="31" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABegAAAAfCAIAAAATC7rMAAASW0lEQVR4nO2da3BT14HHMw3dnenMfuBrZ9ulW5Y0gIclFKbeTtOkNKQkeMmmpSlJlqHIj5RxVGrYVDjJDjFxwGlEiB+NH0RRDPFDMUkdY6u2hR3ZWhkbLhg/sPw2lmWMXxjj9+vuB72u7kuyHujo6s/8hpHlq6ur3zn3+J7/OefqEZrxr1Dz5bWm1vnFJRAm9JoHg34MoQJcwRWxQDhskwlc+dGVsa6FpucX5ib6+rovVzWfv3A1LU1/5kz9yZNFQT94okCtCxNQ0JBMFHAFOb7IWVzyiEcQ3IQzOJHgCq4kAITDNpnAlR9dlZYa6utvWCwDHR29DQ2dOl1TRkaVTHY2KSkt6AdPFKh1YQIKGpKJAq4gxxc5CG6Ae3AiwRVcSQAIh20ygSv/usrNLcrKysvOvqhU5h87liqTHc/IqAr6kZMGal2YgIKGZKKAK8jxRQ6CG+AenEhwBVcSAMJhm0zgyu+urFdrQT9akkGtCxNQ0JBMFHAFOb7IQXAD3IMTCa7gSgJAOGyTCVzBFUyCAIGChmSigCvI8UWO98GN0WQBYUI51R70YwgV4AquiAXCYZtM4AquYBIECBQ0JBMFXEGOL3IQ3AD34ESCK7iSABAO22QCV3AFkyBAoKAhmSjgCnJ8kYPgBrgHJxJcwZUEgHDYJhO4giuYBAECBQ3JRAFXkOOLHAQ3wD04keAKriQAhMM2mcAVXMEkCBAoaEgmCriCHF/kILgB7sGJBFdwJQEgHLbJBK7gCiZBgEBBQzJRwBXk+CIHwQ1wD04kuIIrCQDhsE0mcOW1K2We9nTB5bP5lX8t1OUUVJ3T1GQW1aVrGrIu1Hm4w5bcInN8gvRoyS1CrQNGFDQkEwZcQY4vciQV3ITA9UdsbPHe2Hbr/2Rcu3heVzyComQqqsS/JbuqfVo3DsRh+N1V2ANXEC5hYBuuHoIreWXPm51z2YNTX03Olk/OXhqfyhueyhiZS7p828MdmuMT6EcekR7m+ATUOmBEQUMyYcAV5Pgix7/BTZdSVRLl6DCzOs98femSMl1UaokVWVkXezOKkqXqlJR141ZFqkHNfVOKktn2YGiMjQ36tQJpuL128byucIXzF8fDDm74ah2Cm1AAriBcwsA2XD0EVwcr78Z30O/20WmDdOYQ/fFdOnWIfu8O/fbfBzzcIYIbJpuSK92yivIK3qUIcOBJ81LT/SAqq2dvTk/97Rl/vnsQK4D4W+sN1p6XQu+fj0BaG157q6Wq+Xx5Y2Lp9VcuUS9rryt0Nz+rbW0O+oER6IooIMetHL8GNxQlUxkUKnvU4i64KSnTOfvbplaFLbtxBjQlZTqZSmdrVkTaDvuvzAhuVn/t4nld4QoXKQt/VlbxffLWOgQ3oQBcQbiEgW1fXTU27nvhpcy0HGNjo9FkEXrsgtctf+h0sFmudn898usr9GvXl4+2Lh83LSvalt+7oH0n7/Lp3HKxxVPOAZiSvN0Hgn6hEpSLHwQ3YQK3oBsaGhITEx0/GnoeRGX1dIwtZdSMRJxq8+e7r/aK1LGl7zVHbA+tCueguH8Oiai/dzWttdobbxU3RP2tfs9X9Xu+vPL8xbrnvvi/3cUNiupmfdAPjyhXpLHaZjnoB/zw5fgzuCkp08nKutQavrkz3B+5DYd9A7XG9rxaY1DrDba9OR5wQXDjw7WL53WFK9z6QKkpcSb3thjF+gwjTGFO0mFNqrL/VXPZj8urGBNqPKx1zCPkfWuKktnywS6lim/qkJ9cMeaU6ZQUnzFTl1LlGPRYzV/T0AeuIFzCwLbXrowmS2Zazr4XXhKPbGyPmS8Mv+Bma/5EZDn9fNXyb2qXX61bPnBl2aPFUxT1/hvZ1vXaw3v2mNZvHdoReX9H5GjElmb74/s7Ioc2bh3asb2H8VvTY1t6/j3y/o7I+9u2mR7bNmr9376983n+x1t7Htti3mbbku+9+J7kvsWO7T3rHfvZ3rNxO/eZ4f/6rXf3uNmUXEkL/1tYXkFwE3JwC1oulzOzG2tqo2t/EHGqrWt8IeJU2/n6Mf+8+2orgB8rjPgIK++UefH9hEhwU9vaXEq9ebHuuS+MzxXW7i6sfTZf/2xBzTOfVz9zoXpnkeGYvqUpuEfIXsQg1v1x9lyEt5HUpYKHzfLyCj29sBRu2Y3fg5supXXWg94QxXuSu185ZZtrY+2KG01dSg1VYmpV2NIc4Rl99l21ZGebHtsW9KyEBO7viAzgPW5cYxFbuVjLnbG6zT6jqlVh36akTBelaeUPblj7YbxK9K+FQK2zvYTz1ow6ptAYFHqL0V7B/Hte8aA32D47+5Paf8V8EB7AFYRLGNj2xVVMdJw1lxHhz39+a98LLzFe1aVU2Vdeawz2K12DmvsXh5mjqagS5guFxoeIgeXq0cyZf/qC/kEpvbmS3l5FR1bRHi2eoqjivVIe6PJkyEqkh+AYzmU+3pRceW9mgdtPcK1Lrj8iuCEA3oKWy+Wjo6Nyudxosuz+uPu6eTbiVNs3HQ8iTrV1jC1FnGorpEZYL+EL3x3jlNyRS8czzGrQqkh1/pa9Q04LJjT6yO7DM+EOebJ7+M5jiFJRar4RBb47D7hpJMkJbsqvf1pYuyu/Ztfn1c+cr/pl7uWdn1U+rdY9pa7Yqb16VF3xq6+vZBNUIUW7P85OE8829uhNWo2MJ8HN4tLy5Nzi0OTspuTKvrHp8Mlu/B3cuDRMnPPftIrgxkhRMmtN1bTaJ0SITotg5AjSvhbx71WL9ycSbwDPnRFqDfXdPsN9Fe8z4kXPqnVCB2OyzedSawxql2oWSFfMP6L8n8tW88XSSSkCVxAuYWDbe1cmS0x0XErKmcXxxIXR1xeG//vtRFlMdFyjfudc/+Ozt7//tmJ/THTcDd06wRk3zCtd/qEC2xWFWsOZB0o2LFePf2D+iXr8Pz4d2/7JvSc+GduhHuUunjratiJvX0nI72WKkvbFko/BDfPfygo9v7g8Obc4MjXXPz7D7iSw6hL3xxCpVxJGKFOQy+VjY2NHjhxxBDc70zs7xpZOFLRsOHnr2u0pwX06w3f7ZAe9wZYRc59xzT74G3ZHUs++uvakD8/cFXfIk6+Hz1stHR9K6Go8RGbcFBn+9JnuF+rKp1XlT31S/vNz2iezSn+WW/n80HjLwuJ09c2/qCv+ENwj5M64WV03yj7aHeXEn+sGCJJjx5GhM5N0093JcFsz5efghnmbYVsi6yapEVwqZbt41RvsrZVBSYlOi0Bw49VVi/cnEjHBjWCtEw5uSsp0Cr21OnUpVc5qFhBXzL/iop9LrSlR6AVuvy1d4ArCJQxse+nKZDGaLDHRcZlpOQujR+aHD1375uWY6LjEN34/27959vYPGsq3xETHHf+f/TNdj4oFN7x/QRjdIZeL3dDpYPNe1x5Lot5JoQ5GV7/4uxru4qmXr6zsq1+OyzUzRRXv3h/0C5XA4Zh0LDLv2JMZN9a1UQ6aByc4PQRWXXL9MXTqlYQRyRTkcvng4GBiYqI2Za2hc+JEQcuJgpZd6R1/LOT7UjaR8N3ao9ELPMNt83l3aOK0YJ5cPzOuhJ3zdJh74Pbw2bsVHVEIteBGVb4nu+xnOWVPntftzSl9Kr048uNLvxyeaKdpenpu7Fxp1JmLTxFUIb0ObiTasIg0y8srKzPzSyNT833j0y2D96/0jura715quXOxcQDBjRfBjWuQ7Fg1IzrFRuDmxBajyaLW6GQqZ24tU+nEJjAzmhXHsm1z/GHd7v15vN+6HRtbvO+wy/dzxx/W7d6vO5hgjk9of+VA3r7DZuY3drt8h7fcuNe2pYPGfQeK9x4wxiaY4xPMBw8V7z1Q/IqcsXP7bh07Efo68IOH8uyHYeZu4/KM8Kfz3wopVl3hFS7SmjBWJ3FHDJz3nxYYfHbmeq71xLNaJzRYYbIYKUphr04lZQaFxuDf1aFCLbLwJ7U/DoVZ+v4FriBcwsC2l65MFqM9uJkfiZu/+7uUdw/GRMdpi341179+tve7KUkvxkTHaQu2zHStyfYyuLFuz+hjh851MNfVtQbztQZz09W2rLOG12NruYunflxNR1TRL59zWSplu1iKjTWt3xr0nCWgCI1jic+4WVpemVlYujezMDQ52zs2fWtokuofN/SMCvQQBOKb0KlXEkYkU+gcX7CmNjOWR7Upa9e/c2vDyVvHLgqlNiJfgrH64Ia7Q+4Dz4Ibl4P0pIfPfBe3IwqhFtx8fOnZtL/9JOPrJ7sHa6ZmRwuqY/qHr9E0PT03/knZb5PPR5zO+ylBFVJgXMHN/SWYU6ukhVCzvLi0sim5cmhyjnVz4ouNAwhuvApu2OezvcFipryU648mi9F1xgSzCrr01SnGzEAuzt1y/kbyTCO04lyrudob6Ja4bMk4tQSOVm1fiWoLwt1kpaKrFj39dIGqK26Ec9N9nkSfXe4uWlgf0/5thS5jCJ7UOv7CYl5RMeay+tshq9HhrwA8x2+/Wc9DKVBCgCsIlzCw7bUroyO4GX61/eqvY6LjDv8h5l7n5tm+75kM/xYTHXf4teix1u/MdK3hmXHDP6TMHipQ2KIxu23GNoTDdlXXQtPzC3MTfX3dl6uaz1+4+qMPzFuzRrZlDjkWT/24YGLjhQd73+HvLZgPHgp6tkJUcLO84pxx0z8+zewkaG8NcZdKudQlPftHBDdBh7egV1ZWWsxTUVk92pS1Q9X/cK9pzczAt7QpawX3Ix6+c4ereYYSXccauTs0cVswT/rwzOPkDnny9fD5shjnhxIaWBVtJMkJbs5pY/9S+MT7BU9UXDvt6LdOz47/tfiF//1049uqH50tepWgCslboG47pC7biH1/S8gh1Czfm1kYuDdjGpq81j/+TeeItvXOVzct1tQGwY0PXwcOJAo5LTL5eOnqIcZw5ABXEC5hYNsXVzHRcdbsRvzmxOzgxh6QseJ+zlIC5+05GfN8Q/LmxKWlhvr6GxbLQEdHb0NDp07XlJFRJZOdff2tOsfiqVdeq0z6qMJlP8zgJj4h6NkKUcHN1PzS2PS8ZWK2a+RB8+BEQ994TedIRdvQpZbBL29aBJZKOSqP64+YcUMAvAXddGdqV0a39Y42tuzm5prpgUdFshue8J27BIl3UZLAuC97h4x3Eb85sXBwwzfkye3hM17IPQaRgVWRRpKcbkKhPv3d8xEnczefUG++2X2Jpump2bGzXzx3PHuDImv9G5k/zK04Q2CFBCJyNiVX9o1Pb0quvNI7ihk3IRfcMG6Hzpoy48+XABfIaGVCoxy9cxVu9yKFKwiXPLDtvavGRmtqI/YqT7aRItx6lZtbpFTmpKfnK5X5x46lymTHWYunXo/Tfnj6S6EdtuQW8S64lgyrvccNcza+dW0Us5MQJj0EKcEt6Kv9M09+ZLsP8U8/7Dh7eVCbsnao+h/v3VwzI5rduOB2Xnw4QUY3wWI0WS433kj76tBb5zYcz9nwZs7GGx1fK/N3Hc3416Pp6xLS172f/2rljetwRSxCzXLjwIShe7Sibai4yTnRBjNuQiK4AUEArQxcwZUEgHDYJhOWq8y0HLehjCfbSBL39YqzeCotTX/mTP3Jk/68850EEOohtN+dbByYqOsdre64q711h9VPCJMegpTgFvTTabbUZmdaZ/LfLcsrtNFksWU3Td92s2bKAYIbUclB5FJ9uVJzICFjXUL6uiOp//LHj74vP/u9+A//+b3P9xfXaYN+eES5Ig2hZvmbzuEy1+VRYdgsI7gBnoJWBq7gSgJAOGyTCa8rT0IZBDdchBZPJSWlBf3giUKoh+CWoB85WBXcgn7p094TBS3PZ3a/Wdy/sLjieN4+7+bbnk66AcKSg0vljesq7Qfv5v4mIX3jn1IfT/rsxXOl71dcp4J+YAS6Igo0y27lILgB7kErA1dwJQEgHLbJBK786yo3tygrKy87+6Jj8VRGRlXQj5w0UOvCBG5Bnys2/GdWdzzfd35rU9ZaCfphhxY4m+AKch6OHAQ3wD04keAKriQAhMM2mcCV311Zr9aCfrQkg1oXJqCgIZko4ApyfJGD4Aa4BycSXMGVBIBw2CYTuIIrmAQBAgUNyUQBV5Djixzvg5v5xSUQJvSaB4N+DKECXMEVsUA4bJMJXMEVTIIAgYKGZKKAK8jxRQ6CG+AenEhwBVcSAMJhm0zgCq5gEgQIFDQkEwVcQY4vchDcAPfgRIIruJIAEA7bZAJXcAWTIECgoCGZKOAKcnyRg+AGuAcnElzBlQSAcNgmE7iCK5gEAQIFDclEAVeQ44scD4Ob/wcjUhNrp8rAsgAAAABJRU5ErkJggg==" width="944" /></P><P></P><P>Where the destination in an address object with my internal IP.&nbsp; Now of course I have NAT rules to statically NAT the traffic inbound and outbound.&nbsp; Outbound (handled by another rule), the log shows the internal IP address as the source IP.&nbsp; However, for inbound traffic the log shows the destination IP as the NAT address and does not catch on the rule above.&nbsp; Looking at the details of the log it shows that it is being NAT'd correctly and what not.&nbsp; Is this normal behavior?&nbsp; Do I need two objects (even though I know I don't need an object) for each IP, an external object and an internal object?&nbsp; Should the rule above contain the destination object of the external IP? </P><P></P><P>Just FYI, this behavior didn't always seem to be the case.&nbsp; As I went back through my logs I saw where it look as though this rule was catching as it should have been.&nbsp; Recently I went from one VR to three VRs to handle redundant ISPs.&nbsp; Could this be the reason we see it logged this way?</P><P></P><P>TIA,</P><P>Daniel</P></BODY></HTML> Mon, 10 Oct 2011 20:13:41 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51384#M37797 dshue 2011-10-10T20:13:41Z https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51385#M37798 <HTML><HEAD></HEAD><BODY><P>yes, the inbound traffic will need to use a security policy with an address object that uses the external (public) IP address. </P><P></P><P>-Benjamin</P></BODY></HTML> Mon, 10 Oct 2011 20:37:15 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51385#M37798 bpappas 2011-10-10T20:37:15Z https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51386#M37799 <HTML><HEAD></HEAD><BODY><P>Inbound connection for security policy should reflect the destination's public ip. Nat rule will dnat it to a private address. Perhaps that's the reason for the logging discrepancy. Also, I would put your inbound NAT above your source nat rule for outbound access. It'd be nice to be able to look at your session table if this issue perists, however. </P></BODY></HTML> Mon, 10 Oct 2011 20:37:49 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-security-policies-and-nat/m-p/51386#M37799 gswcowboy 2011-10-10T20:37:49Z