Bi-directional NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Bi-directional NAT

L2 Linker

I have three feature requests that are all related, that I think everyone will appreciate.

 

1) When converting ASA configs, true like for like bi-directional 1-to-1 NATs should be created, not the horrible implicit rule that Palo Alto Creates i.e. the reverse traffic zone becomes the same in both the source and dest zone fields from the original destination, with the exact original destination that is now the source.

2) Create a right-click option or button that does what I described in #1

3) allow me to multi-edit and turn off the bi-directional option if the selected rules are all source NATs

10 REPLIES 10

L7 Applicator

Hi,

 

version 1.0.107 will come with thr Nat Rule Action to massively enable or disable bidirectional check. MT-710 (release Oct 1st 2018)

version Expedition 1.1 will come with a function to split a static-ip nat in two, one dynamic-ip-port and another DNAT. MT-711 (TBD)

 

This is fantastic news, I owe you and your team a round

Albert, is there a release notes section somewhere?

It was !!! Im checking with IT to see what happened. Thanks

Apparently there is still a problem with this.

2018-09-25_10-36-31.png

Bingo, thank you sir!

Will the split bi-directional nat function be available soon?

L3 Networker

If there is still a general need to migrate PANOS bi-dir-nat policy into two separate NAT policy, one for SRC one for DST,
you can use PAN-OS-PHP:
https://github.com/PaloAltoNetworks/pan-os-php

This Framework is available also as Docker Container:

docker run  --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest


the syntax to change bi-dir-nat into two NAT policy, where the migration is exactly the PAN-OS behaviour, to create the second hidden NAT rule as a configured one; please be aware, as the generated NAT rule, is exactly how PAN-OS FW behave, please adjust this NAT rule and configure specific SRC IP addresses in another config change step.

offline config manipulation:

pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=input.xml out=output.xml location={{DeviceGroup/virtual-system}}


or usine PAN-OS XML API:

pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=api://{{MGMT-IP}} location={{DeviceGroup/virtual-system}}

 


This functionality to handle bi-dir-nat policy and split them , is available since March 22nd 2016, and was introduced by myself in the former tool called pan-configurator:
https://github.com/swaschkut/pan-configurator/commit/22472b0d5f84604474e882e111130eb71372e8c9

  • 11647 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!