10-19-2024 10:30 AM
Hello,
I am a newbie so please bear with me. I have a very simple lab with a Palo Alto firewall running version 11.00 and an internet connection. I know that to provide an internet connection to the user I would need a policy, a default route and a source NAT.
Let's suppose I don't have a source NAT for the internet connection; how would I know that I am missing a source NAT?
Is there a command which shows that the packet is dropping due to source NAT not being available?
Thanks
calabilla
10-19-2024 09:24 PM - edited 10-19-2024 09:27 PM
Hi @calabilla
First of all, we all know that to go over the internet, a private source needs to be NATed to a public IP to route traffic over the internet. This is our basic understanding of the network/firewall topology and how traffic flows over the internet.
Now if you miss the NAT configuration, there is no direct indication to understand this, but there are some indirect ways to know it. Traffic logs will not show this traffic as dropped/denied, as the security policy will allow it. Now, as the NAT policy is missing, the firewall will just send traffic based on the matched route and forward the packet to the next hop. For an internet destination, it will match the default route pointing to the internet/ISP hop.
As we do not have NAT, traffic with the private source IP will be routed to the next hop. As a private IP is not routable over the internet, there will be no response to that request and the connection will be reset.
Now from Palo Alto, you can see some indications under traffic logs like:
1. Look for the session end reason under traffic logs; it will show Reset or Aged out. In normal cases, you will see TCP-FIN when the session is completed.
2. If you open that specific traffic log, you will see bytes sent but there will not be any bytes received, as there will be no response to that request. In normal cases, when the session is successful, there will be responses and the bytes received counter will get updated with the number of bytes received.
3. If you enable packet capture, you will not see any received response in that either.
So this way, you can understand what is happening with that ongoing session by checking these pointers.
Hope it helps!
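As an added example (not part of the original reply and not Palo Alto Networks code), a small Python script that applies the indicators from the answer above to traffic-log records. The records and their comma-separated field layout are constructed for this example and are an assumption, not the real PAN-OS traffic log format; the session end reason strings are the PAN-OS values the answer refers to (TCP-FIN, resets, aged-out).

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample records (not real PAN-OS log lines). Assumed field order:
# src, dst, nat_src (empty when no source NAT was applied), bytes_sent,
# bytes_received, session_end_reason
SAMPLE_LOG = """\
192.168.1.10,8.8.8.8,,1240,0,aged-out
192.168.1.10,1.1.1.1,,960,0,tcp-rst-from-client
192.168.1.11,93.184.216.34,203.0.113.5,1530,22890,tcp-fin
192.168.1.12,192.168.1.1,,320,280,tcp-fin
"""

@dataclass
class TrafficRecord:
    src: str
    dst: str
    nat_src: str
    bytes_sent: int
    bytes_received: int
    end_reason: str

def parse_log(text: str) -> List[TrafficRecord]:
    """Parse the assumed comma-separated layout into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nat_src, sent, recv, reason = line.split(",")
        records.append(TrafficRecord(src, dst, nat_src, int(sent), int(recv), reason))
    return records

def looks_like_missing_source_nat(rec: TrafficRecord) -> bool:
    """Indicators from the answer: private source going to a public destination,
    no NAT address recorded, bytes sent but nothing received, and a session
    that ended by reset or age-out rather than a clean TCP FIN."""
    src_private = ipaddress.ip_address(rec.src).is_private
    dst_public = ipaddress.ip_address(rec.dst).is_global
    no_nat = rec.nat_src in ("", "0.0.0.0")
    one_way = rec.bytes_sent > 0 and rec.bytes_received == 0
    bad_end = rec.end_reason.startswith("tcp-rst") or rec.end_reason == "aged-out"
    return src_private and dst_public and no_nat and one_way and bad_end

def suspect_sessions(text: str) -> List[TrafficRecord]:
    """Return only the sessions that match every missing-NAT indicator."""
    return [r for r in parse_log(text) if looks_like_missing_source_nat(r)]

if __name__ == "__main__":
    for r in suspect_sessions(SAMPLE_LOG):
        print(f"{r.src} -> {r.dst}: sent={r.bytes_sent} recv={r.bytes_received} end={r.end_reason}")
```

The internal session to 192.168.1.1 and the NATed session that ended with tcp-fin are deliberately left out of the result, so the check only flags the pattern the answer describes.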
10-21-2024 01:39 AM
Thanks for the great information. I went into the monitor section and provided the source and destination address, but no traffic is generated.
Maybe I am wrong here; can you please give me the exact steps?
10-21-2024 02:43 AM
Hi @calabilla, make sure that the security policy which is allowing the traffic is enabled to Log at Session End at least.
For testing, you can also enable both options as shown in the attached snap. So as soon as there is a request and it matches that security policy, the firewall will log it and you should be able to see it under traffic logs.
Hope it helps!