01-13-2021 12:17 PM
Dear community,
We have a firewall with multi-vsys and the following scenario:
1 shared gateway and 1 public IP on external zone
1 virtual system and 1 private IP on internal zone
We configured DNAT to allow access to private IP from Internet following this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHxCAK
Observations to this configuration:
- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.
# Question_1: is this because the vsys receives the traffic after DNAT from SG and only private IP is visible here?
- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone = untrust_SG and destination zone = trust_vsys.
# Question_2: How it is possible that the traffic log is showing as source zone the untrust-SG if no security policy is used on the shared gateway?
It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.
Thank you!
01-14-2021 02:22 AM
hi @Carracido
- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.
# Question_1: is this because the vsys receives the traffic after DNAT from SG and only private IP is visible here?
A1: yes, the SG performs NAT so the internal VSYS no longer needs to do the dnat lookup/security match
- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone = untrust_SG and destination zone = trust_vsys.
# Question_2: How it is possible that the traffic log is showing as source zone the untrust-SG if no security policy is used on the shared gateway?
It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.
A2: the shared gateway is not a fullblown vsys, it is 'shared' so some behavior is different from a regular vsys: it performs some rudimantary tasks, like NAT and routing, but packets are handed off to the actual sending/receiving vsys (because of tha lack of security policy)
01-21-2021 11:58 AM
Hi @reaper ,
Thank you for your answers. Do you know if there´s any KB link where that behavior is explained?
Kind Regards!
06-28-2021 06:21 AM
I have a strange behavior in the similar scenario.
We configured a destination nat with original port 10443 and traslated to port 443 on shared gateway.
In order to allow traffic to internal web server we opened port 10443 instead of 443 on security policy of internal virtual system.
Why I see traffic on port 443 of internal virtual system when the NAT is configured on shared gateway?
Best Regards
Marco
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
