How to configure PAN to allow for SFTP traffic over public ip

Showing results for 
Search instead for 
Did you mean: 

How to configure PAN to allow for SFTP traffic over public ip

Hi ,


How to configure PAN to allow for the SFTP traffic over public ip.





Cyber Elite
Cyber Elite

From internal to the internet or from the internet to a host in your internal network?

In both cases you need a NAT rule and a security policy rule that allows ssh.

Thanks for your reply , I am new to this process.


Working on a task to migrate existing DMZ traffic from ASA to Palo alto.

I was told to Configure the PAN to allow for the SFTP traffic over an public IP, no idea about it.
that means redirecting the traffic to public ip ? please give me details configure note.
Thanks in advance 

What exactly do you try to configure? Allow sftp from internal/dmz to the internet or from the internet to an internal or dmz server? If from internet, does your server have a punlic or private IP?

In order to let the community help you need to give us some more informations about the situation.



Configuration to allow aftp from dmz to internet .




Hi @KarthikMuthukrishnan 


Does your DMZ server have a private IP? If yes then you need a security policy rule that allows ssh from your DMZ server zone and IP to the internet. In addition you need a NAT rule with the source your dmz server zone/ip as source and the internet zone as destination. In the translated address tab configure dynamic ip and port and interface IP. There you chose your internet facing interface and the corresponding IP. 



I did create a NAT policy where both source and destination are untrust zones, source - any, destination is public ip and destination address translation is private IP ( sftp Ip ) . hope I am right.


policy :

source : untrust , ip address : any 

destination : trust , ip address :not sure which IP i sho uld give  sftp private IP or public ip .

application : any , service : sftp  , action allow







Check out this article, it may help out:





Thanks for the link... I read few documents 


Looks like this will exactly serve my purpose.


I am adding new external ip (public ip)  and point it to the existing sftp ip (private ip ) . Correct me if I am wrong.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!