https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10260#M7541 <HTML><HEAD></HEAD><BODY><P>Hi Guys</P><P></P><P>According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone &amp; interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess.</P><P></P><P>Thank you very much.</P></BODY></HTML> Fri, 06 Sep 2013 05:27:01 GMT JTR 2013-09-06T05:27:01Z https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10260#M7541 <HTML><HEAD></HEAD><BODY><P>Hi Guys</P><P></P><P>According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone &amp; interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess.</P><P></P><P>Thank you very much.</P></BODY></HTML> Fri, 06 Sep 2013 05:27:01 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10260#M7541 JTR 2013-09-06T05:27:01Z https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10261#M7542 <HTML><HEAD></HEAD><BODY><P>Would any of these docs be of any help?</P><P></P><P>Understanding PAN-OS NAT</P><P><A class="jive-link-wiki-small" data-containerid="2021" data-containertype="14" data-objectid="1517" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P><P></P><P>Packet Flow in PAN-OS</P><P><A class="jive-link-wiki-small" data-containerid="2027" data-containertype="14" data-objectid="1628" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1628">https://live.paloaltonetworks.com/docs/DOC-1628</A></P></BODY></HTML> Fri, 06 Sep 2013 05:34:43 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10261#M7542 mikand 2013-09-06T05:34:43Z https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10262#M7543 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>PBF lookup happens in pre-NAT IP address. Also in PAN firewall NAT evaluate at first with original IP but Apply at the end of flow.</P><P></P><P><STRONG>Packet flow on PAN firewall:-</STRONG></P><P><IMG alt="packet-flow.JPG.jpg" class="jive-image" height="333" src="https://live.paloaltonetworks.com/legacyfs/online/8069_packet-flow.JPG.jpg" style="width: 496px; height: 333.1221122112211px;" width="496" /></P><P></P><P></P><P>Few more information regarding the same.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1507">Fowarding</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3241">Testing Security, NAT and PBF Rules via the CLI</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3349">Inbound NAT Policy with Outbound PBF Causing IP-Spoofing Drops</A></P><P><A href="https://live.paloaltonetworks.com/message/26245">NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1628">Packet Flow in PAN-OS</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 06 Sep 2013 06:23:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10262#M7543 HULK 2013-09-06T06:23:55Z https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10263#M7544 <HTML><HEAD></HEAD><BODY><P>Thanks a lot . I'll read these document. Hava a nice day!</P></BODY></HTML> Fri, 06 Sep 2013 07:05:48 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/10263#M7544 JTR 2013-09-06T07:05:48Z https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/585352#M116868 <P>Sorry to revive this 10 years later. Documentation is not specific enough for me. But in my experience:</P> <UL> <LI>&nbsp;If there is Dest NAT there will be a second routing lookup, that will include a second PBF lookup. To be clear, the moment there is Dest NAT it will ignore all previous PBF/routing lookups and evaluate both again.</LI> <LI>The IP addresses used in the second routing/PBF lookup are: PRE-NAT source, and POST-NAT destination.</LI> </UL> <P>&nbsp;</P> <P>As I said, official documentation is quite good, but I missed those specific issues.</P> Tue, 30 Apr 2024 15:02:27 GMT https://live.paloaltonetworks.com/t5/general-topics/pbf-with-nat-how-does-it-works/m-p/585352#M116868 AGrijalba 2024-04-30T15:02:27Z