https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/127961#M46626 <P>Greetings,</P><P>&nbsp;</P><P>We've had several Wildfire Alerts that show both the source and destination addresses translated yet NAT is not configured.&nbsp; For the subject data flow, the source is an external network for which we have no control.&nbsp; The destination is our client.&nbsp; The Alert shows that that the Source address is being translated to another address that is not under our control.&nbsp; The destination address is shown as being translated to our firewall's address.&nbsp; NAT is not configured for either situation in our PA firewalls.&nbsp; Any ideas?&nbsp;</P><P>&nbsp;</P><P>Thanks!</P> Mon, 21 Nov 2016 23:03:24 GMT jstcolorado 2016-11-21T23:03:24Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/127961#M46626 <P>Greetings,</P><P>&nbsp;</P><P>We've had several Wildfire Alerts that show both the source and destination addresses translated yet NAT is not configured.&nbsp; For the subject data flow, the source is an external network for which we have no control.&nbsp; The destination is our client.&nbsp; The Alert shows that that the Source address is being translated to another address that is not under our control.&nbsp; The destination address is shown as being translated to our firewall's address.&nbsp; NAT is not configured for either situation in our PA firewalls.&nbsp; Any ideas?&nbsp;</P><P>&nbsp;</P><P>Thanks!</P> Mon, 21 Nov 2016 23:03:24 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/127961#M46626 jstcolorado 2016-11-21T23:03:24Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/128017#M46630 <P>Check the ports.&nbsp;TCP connection was probably in the other direction; from client to internet for which you have destination (hide) NAT. Like normal web browsing session goes.</P> Tue, 22 Nov 2016 07:04:11 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/128017#M46630 santonic 2016-11-22T07:04:11Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/128198#M46661 <P>The flow started with out client connecting via TCP 80 to an external web server.&nbsp; The web server, in return, downloaded software to our client.&nbsp; This thread is focused&nbsp; on the server to client communication - Server [TCP-80] to client [61905].</P><P>&nbsp;</P><P>The server IP is shown in the Wildfire Threat alert as being translated to another external IP.&nbsp; The client is being shown as being translated to our&nbsp;firewalls IP.&nbsp; What's interesting is that the client IP is also seen in PCAPs going to other Internet sites without address translation and we've&nbsp; verified that we have&nbsp;no firewall configurations to translate the client IP.&nbsp; The server IP was also seen in another Wildfire Threat Alert and the Alert specifies that it was translated to yet another address.&nbsp; Here are the threat alerts that show the server IP being tranlated to two different addresses.&nbsp; Note that I used ficticious addresses for the purpose of this exampbe</P><P>&nbsp;</P><P>Threat Allert #1: medium:&nbsp;1.1.1.1 -&gt;2.2.2.2 Windows Executable</P><P>subtype: wildfire</P><P>category: malicious</P><P>direction: server-to-client</P><P>src: 1.1.1.1 (remote server)</P><P>dst: 2.2.2.2 (our client)</P><P>natsrc: 3.3.3.3 (??????)</P><P>natdst: 4.4.4.4 (Local PA firewall IP)</P><P>&nbsp;</P><P>Threat Alert #2: medium: 1.1.1.1 -&gt; 2.2.2.2 Windows Executable</P><P>subtype: wildfire</P><P>category: malicious</P><P>direction: server-to-client</P><P>src: 1.1.1.1 (same remote server)</P><P>dst: 2.2.2.2 (same client)</P><P>natsrc: 5.5.5.5 (server translated to a differnet IP this time)</P><P>natdst: 4.4.4.4 (Local PA firewall IP)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Nov 2016 15:55:31 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-alert-reporting-source-and-destination-nats-that-aren-t/m-p/128198#M46661 jstcolorado 2016-11-22T15:55:31Z