behavior in multi-vsys with shared gateway and DNAT policies


L3 Networker

Dear community,

 

We have a firewall with multi-vsys and the following scenario:

 1 shared gateway and 1 public IP on the external zone
 1 virtual system and 1 private IP on the internal zone

 

We configured DNAT to allow access to private IP from Internet following this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHxCAK

 

Observations to this configuration:

- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.

# Question_1: is this because the vsys receives the traffic after DNAT from the SG, and only the private IP is visible here?

 

- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone = untrust_SG and destination zone = trust_vsys.

# Question_2: How is it possible that the traffic log shows the source zone as untrust_SG if no security policy is used on the shared gateway?

It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.

 

 

Thank you!

 


Cyber Elite

hi @Carracido 

 


- Our "inbound web" security policy worked allowing only the internal IP and not including the public one.

# Question_1: is this because the vsys receives the traffic after DNAT from SG and only private IP is visible here?

 


A1: yes, the SG performs NAT so the internal VSYS no longer needs to do the dnat lookup/security match

 

 

- on the traffic log the destination IP shows the pre-NAT IP which is the public one with source zone = untrust_SG and destination zone = trust_vsys.

# Question_2: How it is possible that the traffic log is showing as source zone the untrust-SG if no security policy is used on the shared gateway?

It seems that this log shows transparently the trace from external zone of Shared gateway to the internal zone of vsys.

 


A2: the shared gateway is not a full-blown vsys, it is 'shared', so some behavior is different from a regular vsys: it performs some rudimentary tasks, like NAT and routing, but packets are handed off to the actual sending/receiving vsys (because of the lack of security policy)

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper ,

 

Thank you for your answers. Do you know if there's any KB link where that behavior is explained?

 

Kind Regards!

I have a strange behavior in the similar scenario.

We configured a destination NAT with original port 10443 translated to port 443 on the shared gateway.

In order to allow traffic to internal web server we opened port 10443 instead of 443 on security policy of internal virtual system.

Why do I see traffic on port 443 in the internal virtual system when the NAT is configured on the shared gateway?

Best Regards

Marco
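The packet flow described in this thread, as an added example (not PAN-OS code, and not from any poster): a small model in which the shared gateway applies DNAT first and the vsys then matches its security policy on the already-translated destination, while the traffic log keeps the pre-NAT destination IP with the SG zone as source zone. All IPs, ports, zone names and rule names are constructed; the vsys treating 10443 as already translated to 443 follows from A1 above.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class DnatRule:
    """Destination NAT rule on the shared gateway (hypothetical model)."""
    orig_ip: str
    orig_port: int
    xlat_ip: str
    xlat_port: int

@dataclass(frozen=True)
class SecurityRule:
    """Security rule in the internal vsys (hypothetical model)."""
    name: str
    dst_ip: str
    dst_port: int

def shared_gateway_dnat(pkt, dnat_rules):
    """SG step: rewrite the destination if a DNAT rule matches, else pass unchanged."""
    for r in dnat_rules:
        if (pkt.dst_ip, pkt.dst_port) == (r.orig_ip, r.orig_port):
            return replace(pkt, dst_ip=r.xlat_ip, dst_port=r.xlat_port)
    return pkt

def vsys_policy_lookup(post_nat, sec_rules):
    """vsys step: the handed-off packet is already translated, so rules are
    matched on the private IP and translated port; anything else hits the default deny."""
    for r in sec_rules:
        if (post_nat.dst_ip, post_nat.dst_port) == (r.dst_ip, r.dst_port):
            return r.name, "allow"
    return "interzone-default", "deny"

def process(pkt, dnat_rules, sec_rules, sg_zone="untrust_SG", vsys_zone="trust_vsys"):
    """Run one packet through SG then vsys and build the traffic-log view seen in
    the thread: pre-NAT destination IP/port, SG zone as source, vsys zone as destination."""
    post_nat = shared_gateway_dnat(pkt, dnat_rules)
    rule, action = vsys_policy_lookup(post_nat, sec_rules)
    log = {"from": sg_zone, "to": vsys_zone, "src": pkt.src_ip,
           "dst": pkt.dst_ip, "dport": pkt.dst_port, "nat_dst": post_nat.dst_ip,
           "nat_dport": post_nat.dst_port, "rule": rule, "action": action}
    return post_nat, log
```

Feeding a vsys rule that opens 10443 on the private IP yields the default deny in this model, while a rule for 443 on the private IP allows the flow and the log still records the public IP and port 10443 as destination.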
