behavior in multi-vsys with shared gateway and DNAT policies


L3 Networker

Dear community,


We have a firewall with multi-vsys and the following scenario:

 1 shared gateway and 1 public IP on external zone
 1 virtual system and 1 private IP on internal zone


We configured DNAT to allow access to private IP from Internet following this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHxCAK


Observations to this configuration:

- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.

# Question_1: is this because the vsys receives the traffic after DNAT from the SG, and only the private IP is visible there?


- In the traffic log the destination IP shows the pre-NAT IP, which is the public one, with source zone = untrust_SG and destination zone = trust_vsys.

# Question_2: How is it possible that the traffic log is showing untrust_SG as the source zone if no security policy is used on the shared gateway?

It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.


Thank you!


L7 Applicator

hi @Carracido 

- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.

# Question_1: is this because the vsys receives the traffic after DNAT from the SG, and only the private IP is visible there?

A1: yes, the SG performs NAT, so the internal vsys no longer needs to do the DNAT lookup/security match.

- In the traffic log the destination IP shows the pre-NAT IP, which is the public one, with source zone = untrust_SG and destination zone = trust_vsys.

# Question_2: How is it possible that the traffic log is showing untrust_SG as the source zone if no security policy is used on the shared gateway?

It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.

A2: the shared gateway is not a full-blown vsys; it is 'shared', so some behavior is different from a regular vsys: it performs some rudimentary tasks, like NAT and routing, but packets are handed off to the actual sending/receiving vsys (because of the lack of security policy).


Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN
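To make the behavior described in this thread checkable against an actual log export, here is an added example (not part of the original post or of any Palo Alto Networks code). It models the two points above: the shared gateway has already translated the destination when the vsys evaluates its security policy, so the vsys rule must reference the private (post-NAT) address, while the traffic log still records the pre-NAT public address together with the shared-gateway zone as source zone. The log rows, addresses (documentation ranges), zone names and the tiny rulebase are constructed for the example; the column names follow the PAN-OS traffic-log field names (src, dst, natsrc, natdst, from, to, rule, vsys). The `dnat_upstream=False` case goes beyond the thread and models the standard single-vsys behavior, where security policy is evaluated on the pre-NAT destination address and post-NAT zones.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed traffic-log export (not a real capture). Column names follow the
# PAN-OS traffic-log schema; addresses are RFC 5737 documentation ranges and the
# zone/rule names mirror the ones used in the thread.
SAMPLE_LOG = """\
src,dst,natsrc,natdst,from,to,rule,vsys,action
198.51.100.7,203.0.113.10,198.51.100.7,10.10.10.20,untrust_SG,trust_vsys,inbound web,vsys1,allow
198.51.100.9,203.0.113.10,198.51.100.9,10.10.10.20,untrust_SG,trust_vsys,inbound web,vsys1,allow
10.10.10.20,192.0.2.50,203.0.113.10,192.0.2.50,trust_vsys,untrust_SG,outbound,vsys1,allow
"""

# Hypothetical vsys rulebases: each rule lists allowed zones and destination CIDRs.
# The first references the private server address, the second the public VIP.
RULES_PRIVATE_DST = [
    {"name": "inbound web", "from": ["untrust_SG"], "to": ["trust_vsys"],
     "dst": ["10.10.10.20/32"]},
]
RULES_PUBLIC_DST = [
    {"name": "inbound web", "from": ["untrust_SG"], "to": ["trust_vsys"],
     "dst": ["203.0.113.10/32"]},
]


def parse_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_dnat(row):
    """True when the logged destination was translated (natdst differs from dst)."""
    return row["natdst"] != row["dst"]


def policy_destination(row, dnat_upstream):
    """Address a vsys security rule must carry to match this session.

    dnat_upstream=True  models the thread's case: the shared gateway already
                        translated the destination, so the vsys sees the
                        post-NAT (private) address.
    dnat_upstream=False models a single vsys doing its own DNAT, where the
                        security policy is evaluated on the pre-NAT destination
                        (documented PAN-OS behavior: pre-NAT addresses,
                        post-NAT zones).
    """
    return row["natdst"] if dnat_upstream else row["dst"]


def match_rule(row, rules, dnat_upstream=True):
    """Return the name of the first rule matching the session, or None."""
    dst = ip_address(policy_destination(row, dnat_upstream))
    for rule in rules:
        if row["from"] not in rule["from"] or row["to"] not in rule["to"]:
            continue
        if any(dst in ip_network(net) for net in rule["dst"]):
            return rule["name"]
    return None


def audit(text, rules, dnat_upstream=True):
    """For every DNAT session in the export, report what the rulebase would do.

    Each finding shows the pre-NAT address as logged, the translated address,
    the logged zone pair and which rule (if any) would match.
    """
    findings = []
    for row in parse_log(text):
        if not is_dnat(row):
            continue  # source-NAT-only sessions are not relevant here
        findings.append({
            "logged_dst_pre_nat": row["dst"],
            "translated_dst": row["natdst"],
            "zones": f'{row["from"]} -> {row["to"]}',
            "matched_rule": match_rule(row, rules, dnat_upstream),
        })
    return findings


if __name__ == "__main__":
    print("vsys behind a shared gateway, rule on private IP:")
    for finding in audit(SAMPLE_LOG, RULES_PRIVATE_DST):
        print(" ", finding)
    print("vsys behind a shared gateway, rule on public IP:")
    for finding in audit(SAMPLE_LOG, RULES_PUBLIC_DST):
        print(" ", finding)
```

Run against a real export, the useful check is the `matched_rule` column for DNAT sessions: in the shared-gateway design a vsys rule written against the public VIP would show as unmatched even though the log row still carries that public address in `dst`, which is exactly the confusion the original question describes.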

Hi @reaper ,


Thank you for your answers. Do you know if there's any KB link where that behavior is explained?


Kind Regards!
