Does Palo Alto do NAT before doing Policy Based Forwarding

L2 Linker

Hello Folks,

I'm trying to set up my Palo Alto to do Policy Based Forwarding. 

 

Does PA do NAT before Policy Based Forwarding?

 

I've created Policy Based Forwarding to send traffic to an interface if it is sourced from an address, 10.0.0.0/24.

BUT it seems to be failing ... sometimes. I've noticed that it fails when the source traffic is NATed first.

So there is a NAT that changes the source address from 10.0.0.0/24 to 20.0.0.0/24.

The PA doesn't do the Policy Based Forwarding, because it doesn't see the traffic come from 10.0.0.0/24 as it is NATed.

 

Does that mean that the NAT is done before the Policy Based Forwarding? I guess it is?

I only want traffic to be policy forwarded if sourced from 10.1.0.0/16. So would my workaround be to create a NAT policy, and if it matches 10.1.0.0/16 then do not NAT? That way it will keep the source address and be policy forwarded instead?

 

Any thoughts would be appreciated.

 

 


Accepted Solutions
L2 Linker

Hello Folks, 

 

We found out why the PBF was not working... I think it is a bug; we had to take out the next hop IP address from the PBF statement. We left the interface for the next hop only. This allowed the PBF to work. I don't know why using an IP address for the next hop doesn't work. I suspect it is because we have a pair of active-active firewalls.

 

We also tried all the different binding options in the PBF statement on both firewalls.


All Replies
L7 Applicator

NAT is performed after PBF, as it can only be applied after the egress interface is determined (so after PBF and route lookups).

 

How did you configure your PBF rule? Did you add an application as a match condition? (That will have an impact on how PBF is able to intercept and redirect sessions: it doesn't know what an application is from the SYN packet, so it first needs to determine that.)

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
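The order of operations reaper describes above, as an added, simplified Python model (not PAN-OS code and not from anyone in this thread): PBF is matched on the original source before any NAT, the route table is consulted only when PBF misses, and NAT is evaluated last against the resolved egress zone. It also models the application-match caveat, where an app-keyed PBF rule cannot match the SYN. Interface names, zones, and the 10.0.0.0/24 to 20.0.0.1 translation are constructed sample values.

```python
# Constructed, simplified model of the order of operations the thread discusses
# (not PAN-OS code): PBF is evaluated on the original, pre-NAT packet; the
# route lookup runs only when PBF misses; source NAT is applied last, once the
# egress zone is known. Interface, zone and rule values here are made up.
import ipaddress

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def pbf_lookup(rules, src, first_packet=True):
    """Egress interface chosen by PBF, or None. A rule keyed on an application
    cannot match the SYN (App-ID is not known yet), so it falls through."""
    for r in rules:
        if in_net(src, r["source"]) and (r.get("app", "any") == "any" or not first_packet):
            return r["egress_if"]
    return None

def route_lookup(fib, dst):
    """Longest-prefix match over {cidr: interface}; FIB must hold a default route."""
    hits = [n for n in fib if in_net(dst, n)]
    return fib[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)]

def forward(pkt, pbf_rules, fib, nat_rules, zone_of):
    """One new session: returns the egress interface and the post-NAT source."""
    egress = pbf_lookup(pbf_rules, pkt["src"]) or route_lookup(fib, pkt["dst"])
    src = pkt["src"]
    for n in nat_rules:  # NAT runs only now, matched against the resolved egress zone
        if n["to_zone"] == zone_of[egress] and in_net(src, n["source"]):
            src = n["translated_src"]
            break
    return {"egress": egress, "src": src}

# Constructed sample config: PBF should send 10.0.0.0/24 out ethernet1/3 (zone
# isp2); the default route leaves via ethernet1/1 (zone untrust); a NAT rule
# translates 10.0.0.0/24 to 20.0.0.1 only when the egress zone is untrust.
FIB = {"0.0.0.0/0": "ethernet1/1", "10.0.0.0/24": "ethernet1/2"}
ZONE_OF = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "isp2"}
NAT = [{"source": "10.0.0.0/24", "to_zone": "untrust", "translated_src": "20.0.0.1"}]
PKT = {"src": "10.0.0.5", "dst": "198.51.100.10"}

def pbf_any():
    """PBF hits on the original source, so the untrust NAT rule never applies."""
    return forward(PKT, [{"source": "10.0.0.0/24", "egress_if": "ethernet1/3"}], FIB, NAT, ZONE_OF)

def pbf_app_keyed():
    """PBF misses on the SYN, the default route wins, and NAT is applied there."""
    return forward(PKT, [{"source": "10.0.0.0/24", "egress_if": "ethernet1/3", "app": "ssl"}],
                   FIB, NAT, ZONE_OF)
```

The second case reproduces the symptom from the original post: the host never reached PBF in the first place, so the session left by the default route and picked up NAT there.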
L2 Linker

Thanks for replying Reaper L7 Applicator ... nice name. 

 

The application is any.

The service is any, 

I'm wondering if I should set them to application-default. 

 

I've noticed that where it's not working (not getting Policy Based Forwarding), it is getting NATed first.

L7 Applicator

Thanks Jedi_DL L2 Linker

(The L7 thing is my community rank, not my name.)

 

That would mean PBF is not hit and then NAT is applied on the default route egress,

 

unless the session goes through the firewall twice and is picking up NAT in a different session?

Did you set a next hop IP so the session can get routed out or is the destination located on the interface subnet?

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
L2 Linker

Hi,

 

For the next hop on the Policy Based Forwarding (PBF), I gave both the interface it should leave and the next hop IP address on that subnet.

 

I still can't understand why for some traffic it is not hitting the PBF.

 

I can see that for one host in the PBF source range, it is getting correctly policy based forwarded.

But for another host also in the PBR range, it is being NATed first, and therefore not policy based forwarded.

 
