topic Re: Does Palo Alto do NAT before doing Policy Based Forwarding in General Topics

Does Palo Alto do NAT before doing Policy Based Forwarding

Jedi_D — Mon, 11 May 2020 23:10:37 GMT

Hello Folks,

I'm trying to set up my Palo Alto to do Policy Based Forwarding.

Does PA do NAT before Policy Based Forwarding???

I've created Policy based forwarding to send traffic to an interface, if it is sourced from an address. 10.0.0.0/24

BUT it's seems to be failing ... sometimes. I've noticed that it fails when the source traffic is NATTED first.

So there is a NAT that changes the source address from 10.0.0.0/24 to 20.0.0.0/24

The PA doesn't do the Policy Based Forwarding, because it doesn't see the traffic come from 10.0.0.0/24 as it is natted.

Does that mean that the NAT is done before the Policy Based Forwarding? I guess it is?

If I only want traffic to be policy forwarded if sourced from 10.1.0.0/16. So would my work around be to create a NAT policy, and if it matches 10.1.0.0/16 then do not NAT? That way it will then keep the source address and be policy forwarded instead?

Any thoughts would be appreciated?

Re: Does Palo Alto do NAT before doing Policy Based Forwarding

reaper — Tue, 12 May 2020 07:12:44 GMT

NAT is performed after PBF, as it can only be applied after the egress interface is determined (so after pbf and route lookus)

how did you configure your PBF rule? did you add an application as a match condition? (as that will have an impact on how pbf is able to intercept and redirect sessions : it doesn't know what an application is by the SYN packet so it first needs to determine that)

Re: Does Palo Alto do NAT before doing Policy Based Forwarding

Jedi_D — Tue, 12 May 2020 07:41:41 GMT

Thanks for replying Reaper L7 Applicator ... nice name.

The application is any.

The service is any,

I'm wondering if I should set them to application-default.

I've noticed that where it's not working, (not getting Policy based forwarding), it is getting NATTED first.

Re: Does Palo Alto do NAT before doing Policy Based Forwarding

reaper — Tue, 12 May 2020 07:53:35 GMT

Thanks Jedi_DL L2 Linker 😉

(The L7 thing is my community rank, not my name 🙂 )

That would mean pbf is not hit and then nat is applied on the default route egress,

unless the session goes through the firewall twice and is picking up NAT in a different session?

Did you set a next hop IP so the session can get routed out or is the destination located on the interface subnet?

Re: Does Palo Alto do NAT before doing Policy Based Forwarding

Jedi_D — Tue, 12 May 2020 08:00:51 GMT

For the next hop on the policy based forwarding (PBF) , I gave both the interface it should leave, and the next hop IP address on that subnet.

I still cant understand why for some traffic it is not hitting the PBF

I can see that for one host in the PBF source range, it is getting corrected policy based forwarded.

Both for another host also in the PBR range, it is being natted first, and therefore not policy based forwarded.

Re: Does Palo Alto do NAT before doing Policy Based Forwarding

Jedi_D — Thu, 21 May 2020 13:07:44 GMT

Hello Folks,

We found out why the PBF was not working.... I think it is a bug, we had to take out the next hop IP address from the PBF statement. We left the interface for the next hop only. This allowed the PBF to work. I don't know why using an IP address for the next hop doesn't work. I suspect it is because we have a pair of active-active firewalls.

We also we tried all the different binding options in the PBF statement on both firewalls.