Security polices and nat and cluster

Alex_Samad — Tue, 01 Aug 2017 08:45:08 GMT

So I have a active / active cluster, but I am not sync my VR config. I am connected to an OSPF network

lets say my internal network is

OSPF int ae1.19 192.168.19.0/24

loopback.1 192.168.255.25/32 and 192.168.255.26/32 - ospf routerid (one for each PA)

appserver int ae1.25 192.168.25 .2 .3 .1 (.2 & .3 are the router ips, .1 is the HA VIP)

loopback.2 8.8.8.8/32 my ficticious public routed ip

server ip 192.168.25.25/24

so I have 3 NAT rules

1) any any to 8.8.8.8/32 port 443 -> 192.168.25.25 port 10000

2) any any to 8.8.8.8/32 port 80 -> 192.168.25.25 port 10001

3) any any to 8.8.8.8/32 any port -> 192.168.25.25 same port

Now I want to allow any ip to ping 8.8.8.8 does my security policy need to say ping to 8.8.8.8 or ping to 192.168.25.25 because its the destination ?

if I want to allow people to access http://8.8.8.8 do I make a security rule for 8.8.8.8 port 80 or 8.8.8.8 port 10000. and the same with https://8.8.8.8

now if its on a cluster that is active active, do I need to make 8.8.8.8/32 a HA vip or can I just assign it to both PAs ? will the NAT info be shared between the 2 PA's or will it only be shared if its a arp shared ip

thanks

Re: Security polices and nat and cluster

Raido_Rattameister — Tue, 01 Aug 2017 14:22:54 GMT

NAT is evaluated first and based on routing table destination zone is changed in packet metadata.

Security policy is checked with new destination zone but original destination IP.

NAT is applied and packet checksum calculated right before packet is sent out to wire.

Re: Security polices and nat and cluster

Alex_Samad — Wed, 02 Aug 2017 00:42:35 GMT

found it in the doco too

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/nat-configuration-examples

topic Re: Security polices and nat and cluster in General Topics

Security polices and nat and cluster

Re: Security polices and nat and cluster

Re: Security polices and nat and cluster