https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/381286#M89739 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;,</P><P>&nbsp;</P><P>Thank you for your answers. Do you know if there´s any&nbsp;<SPAN>KB link where that behavior is explained?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Kind Regards!</SPAN></P> Thu, 21 Jan 2021 19:58:18 GMT Carracido 2021-01-21T19:58:18Z https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/379663#M89597 <P>Dear community,</P><P>&nbsp;</P><P>We have a firewall with multi-vsys and the following scenario:</P><P><SPAN>&nbsp;1 shared gateway and 1 public IP on external zone</SPAN><BR /><SPAN>&nbsp;1 virtual system and 1 private IP on internal zone</SPAN></P><P>&nbsp;</P><P>We configured DNAT to allow access to private IP from Internet following this article:<BR /><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHxCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHxCAK</A></SPAN></P><P>&nbsp;</P><P><SPAN>Observations to this configuration:</SPAN></P><P><SPAN>- Our&nbsp;"inbound web" security policy worked allowing only the internal IP and not including the public one.</SPAN></P><P><SPAN># Question_1: is this because the vsys receives the traffic after DNAT from SG and only private IP is visible here?</SPAN></P><P>&nbsp;</P><P><SPAN>- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone =&nbsp;untrust_SG and destination zone = trust_vsys.</SPAN></P><P><SPAN># Question_2: How it is possible that the traffic log is showing as source zone the untrust-SG if no security policy is used on the shared gateway?</SPAN></P><P><SPAN>It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Thank you!</SPAN></P><P>&nbsp;</P> Wed, 13 Jan 2021 20:17:18 GMT https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/379663#M89597 Carracido 2021-01-13T20:17:18Z https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/379807#M89620 <P>hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24977">@Carracido</a>&nbsp;</P><P>&nbsp;</P><BLOCKQUOTE><BR /><P><SPAN>- Our&nbsp;"inbound web" security policy worked allowing only the internal IP and not including the public one.</SPAN></P><P><SPAN># Question_1: is this because the vsys receives the traffic after DNAT from SG and only private IP is visible here?</SPAN></P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>A1: yes, the SG performs NAT so the internal VSYS no longer needs to do the dnat lookup/security match</P><P>&nbsp;</P><BLOCKQUOTE><P>&nbsp;</P><P><SPAN>- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone =&nbsp;untrust_SG and destination zone = trust_vsys.</SPAN></P><P><SPAN># Question_2: How it is possible that the traffic log is showing as source zone the untrust-SG if no security policy is used on the shared gateway?</SPAN></P><P><SPAN>It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.</SPAN></P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>A2:&nbsp; the shared gateway is not a fullblown vsys, it is 'shared' so some behavior is different from a regular vsys: it performs some rudimantary tasks, like NAT and routing, but packets are handed off to the actual sending/receiving vsys (because of tha lack of security policy)</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Jan 2021 10:22:09 GMT https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/379807#M89620 reaper 2021-01-14T10:22:09Z https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/381286#M89739 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;,</P><P>&nbsp;</P><P>Thank you for your answers. Do you know if there´s any&nbsp;<SPAN>KB link where that behavior is explained?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Kind Regards!</SPAN></P> Thu, 21 Jan 2021 19:58:18 GMT https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/381286#M89739 Carracido 2021-01-21T19:58:18Z https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/415597#M93276 <P>I have a strange behavior in the similar scenario.</P><P>We configured a destination nat with original port 10443 and traslated to port 443 on shared gateway.</P><P>In order to allow traffic to internal web server we opened port 10443 instead of 443 on security policy of internal virtual system.</P><P>Why I see traffic on port 443 of internal virtual system when the NAT is configured on shared gateway?</P><P>Best Regards</P><P>Marco</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 28 Jun 2021 13:21:46 GMT https://live.paloaltonetworks.com/t5/general-topics/behavior-in-multi-vsys-with-shared-gateway-and-dnat-policies/m-p/415597#M93276 MarcoBergonzoni 2021-06-28T13:21:46Z