Security policy zones after a source NAT

LCMember4380 — Tue, 25 Jul 2017 12:43:12 GMT

Hi,

I'm migrating my security policy from a netscreen firewall to a Palo Alto firewall. I used the migration tool and I'm currently reviewing the NAT rules, and I'm getting a bit confused about security zones after NAT.

- I have 3 interfaces : Trust, Unstrust, DMZ.

- I have a public IP range, that has nothing to do with the Untrust interface. My Untrust interface is 1.1.1.1, and my public IP range is 2.2.2.0/24.

- 2.2.2.0/24 is routed to Trust interface.

- Now I have a server in DMZ, with IP 192.168.1.9 with the gateway 192.168.1.1 (DMZ interface)

- So I have a NAT from DMZ (adress 192.168.1.9) to Untrust (any) that translates the source IP into 2.2.2.9.

==> The question is to know the source zone for my security policy?

is it DMZ or is it Trust ? Is the reverse route evaluated after source NAT ?

solution 1: from DMZ to Untrust

In the "understanding and configuring NAT" tech note from Palo Alto, the life of a packet diagram says to re-evaluate the route lookup after the NAT in case of translation on a destination address, so the destination zone is re-evaluated for the security policy. But in case of source address translation, it says to go directly to security policy.

solution 2: from Trust to Untrust

On the other hand, this link says the following :

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/nat.html

"Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones"

See, zones is plural here, so are both routes for source and destination re-evaluated ?

Does anyone have an example like mine in production environment?

Re: Security policy zones after a source NAT

Raido_Rattameister — Tue, 25 Jul 2017 14:24:44 GMT

Palo first checks if traffic flows on permitted ip/port.

Then identifies application.

Then does threat.

And if traffic passes all checks then IP is changed in the packet.

Every interface belongs to zone.

If traffic enters firewall it comes from zone and SOURCE ZONE NEVER CHANGES.

Now if it is SNAT (traffic that comes from DMZ to Untrust) then in NAT policy source zone is DMZ and destination zone is Untrust. Same in security policy.

Different story is with DNAT if traffic comes from Untrust and goes to DMZ.

Traffic comes from Untrust zone because it enters firewall from interface that is in Untrust zone.

Now as traffic is destined to your public IP that according to routing table is in Untrust zone your NAT zones are:

Untrust > Untrust and from any source IP to your wan IP.

NAT is evaluated and destination zone is changed in packet metadata BUT NOT DESTINATION IP.

Security policy is checked when IP is still destined to original public IP so zone config matches correct destination zone:

Untrust > DMZ but IP is still wan IP.

🙂

topic Security policy zones after a source NAT in General Topics

Security policy zones after a source NAT

Re: Security policy zones after a source NAT