nat with port forwarding issue (migrating from MS-TMG)

L1 Bithead



When migrating rules from MS-TMG to PAN I have encountered the following situation:

a. web server A is in private dmz zone

b. web server B is in inside zone

Both are listening on port 80. The problem is that both are published on the same public IP address. This is supported on TMG, with some kind of URL forwarding, but I don't know if PAN can support this kind of design.

I tried to create port forwarding but one rule shadows the other, even with PBF.

Any suggestions?

L6 Presenter

Re: nat with port forwarding issue (migrating from MS-TMG)

As far as I know PA doesn't support load balancing based on content (for that purpose use F5 or similar devices which you can place behind a PA).

So in your case you have to either:

1) Server A gets publicip:TCP80, Server B gets publicip:TCP81 (or whatever port you want to use).


2) Server A gets publicip1:TCP80, Server B gets publicip2:TCP80.
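
The shadowing described in the question and the two options from the reply above, as an added example that is not part of the original posts. It is a simplified first-match model of destination NAT in Python, not PAN-OS syntax; the rule names, the addresses and the translated port 80 in option 1 are assumptions made for illustration.

```python
# Simplified model of first-match destination NAT (not PAN-OS syntax).
# All rule names and addresses below are constructed for illustration.
from typing import NamedTuple

class NatRule(NamedTuple):
    name: str
    dst_ip: str     # public address the client connects to
    dst_port: int   # public TCP port
    to_ip: str      # translated (internal) address
    to_port: int    # translated port

def translate(rules, dst_ip, dst_port):
    """Return the first rule matching the packet's destination, or None."""
    for r in rules:
        if (r.dst_ip, r.dst_port) == (dst_ip, dst_port):
            return r
    return None

def shadowed(rules):
    """Return (shadowed_rule, shadowing_rule) name pairs.

    A later rule is shadowed when an earlier rule has the same match
    criteria: NAT sees only address and port, never the HTTP Host header.
    """
    seen, pairs = {}, []
    for r in rules:
        key = (r.dst_ip, r.dst_port)
        if key in seen:
            pairs.append((r.name, seen[key]))
        else:
            seen[key] = r.name
    return pairs

PUB1, PUB2 = "203.0.113.10", "203.0.113.11"  # documentation-range addresses
A, B = "10.1.1.10", "10.2.2.10"              # server A (DMZ), server B (inside)

# Both servers on the same public ip:80, as published on TMG.
tmg_style = [NatRule("web-A", PUB1, 80, A, 80), NatRule("web-B", PUB1, 80, B, 80)]
# Option 1: same public IP, different public port (assumed translated back to 80).
option_1 = [NatRule("web-A", PUB1, 80, A, 80), NatRule("web-B", PUB1, 81, B, 80)]
# Option 2: second public IP, same port.
option_2 = [NatRule("web-A", PUB1, 80, A, 80), NatRule("web-B", PUB2, 80, B, 80)]

if __name__ == "__main__":
    for label, rules in (("same ip:port", tmg_style),
                         ("option 1", option_1), ("option 2", option_2)):
        print(label, "-> shadowed:", shadowed(rules))
```

Running the `shadowed` check over an exported rule list before cut-over shows which published services would silently become unreachable after the migration.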

L1 Bithead

Re: nat with port forwarding issue (migrating from MS-TMG)

Your options are OK, I had them in mind, but I hoped that PA had some similar feature like TMG to ease migration procedures. I'll get back with results after I do some more tests.


L2 Linker

Re: nat with port forwarding issue (migrating from MS-TMG)

Definitely what TMG does is not possible with a PA, and mikand's answer provides the only choices we have to migrate TMG. The company I'm working for also has a TMG and I've got to handle the migration coming soon.

I've talked this issue through with an SE from PAN to get a definite answer on this.
