topic Re: The source port was natted to multiple source ports while the packets leaving the FW in General Topics

The source port was natted to multiple source ports while the packets leaving the FW

DongQu — Thu, 08 Jul 2021 08:37:15 GMT

Hello everyone

The NAT type we are using is "Dynamic IP and Port", the Palo Alto Networks firewall translates the source IP address or range to a single IP address.

for this conversion, when the packets arriving the FW, we can see the source port is all the same

But while the packets leaving the FW, the source port was natted to multiple ports

This brings a problem that the destination will close the conversion once it detects the source port changed.

Is there any way to keep the source port is natted to a single port all the time?

Thanks

Re: The source port was natted to multiple source ports while the packets leaving the FW

BPry — Thu, 08 Jul 2021 18:53:07 GMT

@DongQu,

It's doing what you're asking it to. You would want this traffic hitting a NAT rulebase entry using "Dynamic IP" as the translation type instead of "Dynamic IP and Port". Due to this traffic likely hitting a global rule utilized across the environment, I would recommend creating a new rule and making it as specific as possible so that it's only matching the intended traffic.

Re: The source port was natted to multiple source ports while the packets leaving the FW

Remo — Thu, 08 Jul 2021 21:57:13 GMT

Hi @DongQu

As @BPry wrote the firewall is doing what it is configured to. For every session it assigns a "random" source port for the NATed connection. The reason that the source port after NAT changes because the firewall sees these as new sessions. By default the UDP timeout is 30 seconds. So if there is no traffic more than 30 seconds the session is removed from the sessiontable and for the next packet a new session is created in the session table. In your situation it should work if you increase the session timeout for this UDP traffic because then as long as there is traffic the firewall will also keep the same source port after NAT is applied.

Re: The source port was natted to multiple source ports while the packets leaving the FW

DongQu — Fri, 09 Jul 2021 01:40:32 GMT

Hi @Remo

I've tried to increasing the session timeout, unfortunately it did not work.

As I only have 1 public IP for natting, is it possible to create a separate nat policy for a particular traffic?

Thanks

Re: The source port was natted to multiple source ports while the packets leaving the FW

Remo — Fri, 09 Jul 2021 06:49:44 GMT

@DongQu

What application does your firewall see for this traffic in the logs?

Regarding the separate policy: With only one IP I would not recommend that. Mainly because you still need this IP for the general dynamic IP and port NAT rule. It might work, but I personally would not mix that.

Re: The source port was natted to multiple source ports while the packets leaving the FW

DongQu — Fri, 09 Jul 2021 07:33:46 GMT

hello @Remo

"unknown udp", so I defined an application and specified the "udp timeout", it worked.

but I am not sure why the "session timeout" does not work in the global setting.