Does Palo Alto do NAT before doing Policy Based Forwarding


L2 Linker

Hello Folks,

I'm trying to set up my Palo Alto to do Policy Based Forwarding. 

 

Does PA do NAT before Policy Based Forwarding???

 

I've created Policy Based Forwarding to send traffic to an interface if it is sourced from the address range 10.0.0.0/24.

BUT it seems to be failing ... sometimes. I've noticed that it fails when the source traffic is NATTED first.

So there is a NAT that changes the source address from 10.0.0.0/24 to 20.0.0.0/24

The PA doesn't do the Policy Based Forwarding, because it doesn't see the traffic come from 10.0.0.0/24 as it is natted. 

 

Does that mean that the NAT is done before the Policy Based Forwarding? I guess it is?

If I only want traffic to be policy forwarded if sourced from 10.1.0.0/16, would my workaround be to create a NAT policy, and if it matches 10.1.0.0/16 then do not NAT? That way it would keep the source address and be policy forwarded instead?

 

Any thoughts would be appreciated?

 

 

1 accepted solution

Accepted Solutions

Hello Folks, 

 

We found out why the PBF was not working.... I think it is a bug, we had to take out the next hop IP address from the PBF statement. We left the interface for the next hop only. This allowed the PBF to work. I don't know why using an IP address for the next hop doesn't work. I suspect it is because we have a pair of active-active firewalls. 

 

We also tried all the different binding options in the PBF statement on both firewalls.

5 REPLIES

Cyber Elite

NAT is performed after PBF, as it can only be applied after the egress interface is determined (so after PBF and route lookups).

 

How did you configure your PBF rule? Did you add an application as a match condition? (As that will have an impact on how PBF is able to intercept and redirect sessions: it doesn't know what an application is from the SYN packet, so it first needs to determine that.)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
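The order of operations in the reply above (PBF evaluated first on the packet's original addresses, egress interface fixed, NAT evaluated afterwards against the zone of that egress interface) is easy to misread, so here is an added toy model of it in Python. This is an illustration written for this thread, not Palo Alto code or a reproduction of the PAN-OS flow logic; the interfaces, zones, rule names and addresses are constructed for the example, and the 10.0.0.0/24 -> 20.0.0.0/24 translation mirrors the one the original post mentions.

```python
"""Toy model of PAN-OS order of operations: PBF -> route lookup -> NAT.

Added example, not vendor code. Zones, interfaces, addresses and rule names
are constructed. It shows that a PBF rule keyed to a pre-NAT source range
still matches even when a NAT rule translates that range, because the NAT
rule's destination zone cannot be known until PBF (or the route table) has
chosen the egress interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    ingress_zone: str
    src: str
    dst: str


@dataclass
class PbfRule:
    name: str
    from_zone: str
    source: str             # CIDR matched against the ORIGINAL source address
    egress_interface: str   # interface-only next hop, as in the accepted solution


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str            # zone of the egress interface chosen by PBF or route
    source: str             # CIDR, also matched against the ORIGINAL source
    translated_src: Optional[str]   # None models a no-NAT rule


# Constructed interface-to-zone mapping and a single default route.
INTERFACE_ZONE = {"ethernet1/1": "untrust-isp1", "ethernet1/2": "untrust-isp2"}
ROUTES = [("0.0.0.0/0", "ethernet1/1")]

PBF_RULES = [PbfRule("pbf-isp2", "trust", "10.0.0.0/24", "ethernet1/2")]

NAT_RULES = [
    NatRule("no-nat-isp2", "trust", "untrust-isp2", "10.0.0.0/24", None),
    NatRule("snat-isp1", "trust", "untrust-isp1", "10.0.0.0/8", "20.0.0.1"),
]


def route_lookup(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    best = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(pkt: Packet):
    """Return (egress_interface, matched_pbf, matched_nat, source_after_nat)."""
    # Step 1: PBF is evaluated first, on the original (pre-NAT) source.
    egress, pbf_hit = None, None
    for r in PBF_RULES:
        if r.from_zone == pkt.ingress_zone and ip_address(pkt.src) in ip_network(r.source):
            egress, pbf_hit = r.egress_interface, r.name
            break
    # Step 2: the route table is consulted only when no PBF rule matched.
    if egress is None:
        egress = route_lookup(pkt.dst)
    # Step 3: NAT needs the destination zone, which is only known now.
    to_zone = INTERFACE_ZONE[egress]
    nat_hit, new_src = None, pkt.src
    for n in NAT_RULES:
        if (n.from_zone == pkt.ingress_zone and n.to_zone == to_zone
                and ip_address(pkt.src) in ip_network(n.source)):
            nat_hit = n.name
            new_src = n.translated_src or pkt.src
            break
    return egress, pbf_hit, nat_hit, new_src


if __name__ == "__main__":
    # Host inside the PBF range: PBF wins, NAT rule is selected by the PBF zone.
    print(forward(Packet("trust", "10.0.0.5", "8.8.8.8")))
    # Host outside the PBF range: default route, then source NAT on that zone.
    print(forward(Packet("trust", "10.1.0.5", "8.8.8.8")))
```

In the model, the host in 10.0.0.0/24 is steered by PBF before any translation happens, and the NAT rule that fires is the one whose to-zone belongs to the PBF egress interface, so the "exempt the range from NAT first" workaround asked about in the original post is not what makes PBF match. What the model deliberately does not reproduce is the next-hop and active/active behaviour the thread ultimately attributes the problem to; for that, the PAN-OS CLI `test pbf-policy-match` and `test nat-policy-match` commands, run against the real configuration, are the checks to use.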

Thanks for replying Reaper L7 Applicator ... nice name. 

 

The application is any.

The service is any, 

I'm wondering if I should set them to application-default. 

 

I've noticed that where it's not working, (not getting Policy based forwarding), it is getting NATTED first. 

Cyber Elite

Thanks Jedi_DL L2 Linker 😉

(The L7 thing is my community rank, not my name 🙂 )

 

That would mean PBF is not hit and then NAT is applied on the default route egress, unless the session goes through the firewall twice and is picking up NAT in a different session?

Did you set a next hop IP so the session can get routed out or is the destination located on the interface subnet?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

hi

 

For the next hop on the Policy Based Forwarding (PBF), I gave both the interface it should leave and the next hop IP address on that subnet.

 

I still can't understand why for some traffic it is not hitting the PBF.

 

I can see that for one host in the PBF source range, it is getting correctly policy based forwarded.

But for another host also in the PBF range, it is being natted first, and therefore not policy based forwarded.

 
