09-21-2018 04:05 PM
I have three feature requests that are all related, that I think everyone will appreciate.
1) When converting ASA configs, true like for like bi-directional 1-to-1 NATs should be created, not the horrible implicit rule that Palo Alto Creates i.e. the reverse traffic zone becomes the same in both the source and dest zone fields from the original destination, with the exact original destination that is now the source.
2) Create a right-click option or button that does what I described in #1
3) allow me to multi-edit and turn off the bi-directional option if the selected rules are all source NATs
09-22-2018 12:20 AM - edited 09-22-2018 12:22 AM
Hi,
version 1.0.107 will come with thr Nat Rule Action to massively enable or disable bidirectional check. MT-710 (release Oct 1st 2018)
version Expedition 1.1 will come with a function to split a static-ip nat in two, one dynamic-ip-port and another DNAT. MT-711 (TBD)
09-22-2018 04:29 AM
09-25-2018 07:58 AM
Albert, is there a release notes section somewhere?
09-25-2018 08:25 AM
It was !!! Im checking with IT to see what happened. Thanks
09-25-2018 08:33 AM
Release Notes, It should show under Expedition Articles but https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Release-Notes-for-Hotfixes/ta-p/...
09-25-2018 08:38 AM
Apparently there is still a problem with this.
09-25-2018 08:53 AM
Bingo, thank you sir!
11-05-2019 06:43 AM - edited 11-05-2019 06:44 AM
Will the split bi-directional nat function be available soon?
06-13-2023 12:33 AM - edited 06-13-2023 01:03 AM
If there is still a general need to migrate PANOS bi-dir-nat policy into two separate NAT policy, one for SRC one for DST,
you can use PAN-OS-PHP:
https://github.com/PaloAltoNetworks/pan-os-php
This Framework is available also as Docker Container:
docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest
the syntax to change bi-dir-nat into two NAT policy, where the migration is exactly the PAN-OS behaviour, to create the second hidden NAT rule as a configured one; please be aware, as the generated NAT rule, is exactly how PAN-OS FW behave, please adjust this NAT rule and configure specific SRC IP addresses in another config change step.
offline config manipulation:
pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=input.xml out=output.xml location={{DeviceGroup/virtual-system}}
or usine PAN-OS XML API:
pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=api://{{MGMT-IP}} location={{DeviceGroup/virtual-system}}
This functionality to handle bi-dir-nat policy and split them , is available since March 22nd 2016, and was introduced by myself in the former tool called pan-configurator:
https://github.com/swaschkut/pan-configurator/commit/22472b0d5f84604474e882e111130eb71372e8c9
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
