NAT LOGGING

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NAT LOGGING

L1 Bithead

Hello,

 

  I am a newbie so please bear with me, I Have a very simple LAB with a Palo Alto firewall with 11.00 Ver and an internet connection.I know that to provide internet connection to the user i would need a Policy,default route and a source NAT.

 

Lets suppose I dont have a Source NAT for the internet connection, how would I know that I am missing a source NAT.

is there a command which shows that the packet is dropping due to source NAT not available?

 

Thanks

calabilla

1 accepted solution

Accepted Solutions

L6 Presenter

Hi @calabilla 

 

First of all, we all know to go over the internet, source private needs to be NAT with public IP to route traffic over the internet. This is our basic understanding for the network/firewall topology and how traffic flows over the internet.

 

Now if you miss NAT configuration, there is no direct indication to understand this but there are some in-direct ways to know it. Traffic logs will not show this traffic as dropped/denied as Security policy will allow it. Now as NAT policy is missing, firewall will just send traffic based on the matched route and forward packet to the next hop. For internet destination, it will match default route pointing to internet/ISP hop.

 

As we do not have NAT, with source private IP traffic will be routed to next hop. As private IP is not routable over the internet, there will be no response to that request and connection will be reset.

 

Now from Palo Alto, you can see some indications under traffic logs like,

1. Look for session end reason under traffic logs, it will show Resets/or aged out. In normal cases, you will see TCP-FIN when session is completed. 
2. If you open that specific traffic logs, you will se bytes sent but there will not be any bytes received as there will be no response to that request. In normal cases, when session is successful, there will be responses and bytes received counter will get updated with number of bytes received.
3. If you enable packet capture, you will not see any received response in that as well. 

 

So this way, you can understand what is happening with that ongoing session and check these pointers.

 

Hope it helps!

 

 

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

View solution in original post

3 REPLIES 3

L6 Presenter

Hi @calabilla 

 

First of all, we all know to go over the internet, source private needs to be NAT with public IP to route traffic over the internet. This is our basic understanding for the network/firewall topology and how traffic flows over the internet.

 

Now if you miss NAT configuration, there is no direct indication to understand this but there are some in-direct ways to know it. Traffic logs will not show this traffic as dropped/denied as Security policy will allow it. Now as NAT policy is missing, firewall will just send traffic based on the matched route and forward packet to the next hop. For internet destination, it will match default route pointing to internet/ISP hop.

 

As we do not have NAT, with source private IP traffic will be routed to next hop. As private IP is not routable over the internet, there will be no response to that request and connection will be reset.

 

Now from Palo Alto, you can see some indications under traffic logs like,

1. Look for session end reason under traffic logs, it will show Resets/or aged out. In normal cases, you will see TCP-FIN when session is completed. 
2. If you open that specific traffic logs, you will se bytes sent but there will not be any bytes received as there will be no response to that request. In normal cases, when session is successful, there will be responses and bytes received counter will get updated with number of bytes received.
3. If you enable packet capture, you will not see any received response in that as well. 

 

So this way, you can understand what is happening with that ongoing session and check these pointers.

 

Hope it helps!

 

 

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Thanks for the great information. i did went in the monitor section and provided source and destination address but there is no traffic is generated.

May be I am wrong here , can you please give me the exact steps .

L6 Presenter

Hi @calabilla  Make sure that your security policy which is allowing the traffic is enabled to Log at Session End at least.

For testing, you can also enable both options as shown in attached snap. So as soon as there is a request and it matches that security policy, firewall will log it and you should be able to see it under traffic logs.

 

SutareMayur_0-1729503772315.png

 

Hope it helps!

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
  • 1 accepted solution
  • 646 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!