07-31-2024 08:13 AM - edited 07-31-2024 08:19 AM
Hello,
I saw this on a website:
"Security policies differ from NAT rules in that security policies examine post-NAT zones to determine whether the packet is authorized or not."
I don't understand why, because it's the packet without NAT (no NAT) that reaches the firewall, and the firewall compares it to the security policy to determine whether the packet is authorized.
So normally the security policy should examine pre-NAT zones and not post-NAT zones, shouldn't it?
Thank you
07-31-2024 03:08 PM
Hi @Sarou22 ,
If you have an inbound destination NAT rule, here is a great article with example NAT and security policy rules on the bottom.
Thanks!
Tom
07-31-2024 09:06 AM
Hi @Sarou22 ,
You are correct that the incoming packet is destined for a pre-NAT zone.
To understand why you put the post-NAT zone in the security policy rule, we need to review the session setup process on the NGFW. I got this diagram from the PCNSE Study Guide.
The NGFW looks at NAT rules to determine the destination zone before checking the security policy. It is called a NAT lookup because NAT is not actually applied to the traffic yet. The NAT rule changes the IP address in the packet on egress. I like the behavior because the security policy shows the ultimate destination zone for the traffic. The rule of thumb to apply "pre-NAT IP and post-NAT everything else" to security policy rules works well for these scenarios.
Thanks,
Tom
07-31-2024 02:52 PM
Hello,
Sorry, it is not clear to me.
My example is the following:
Source zone: outside
Destination zone: inside
Source address: 8.8.8.8
Destination address: 212.21.20.4
NAT rule: 212.21.20.4 translated to 10.118.20.3
So when the server 8.8.8.8 pings the user 212.21.20.4, the firewall will translate 212.21.20.4 to
The firewall will examine the post-NAT zone, zone inside?
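To make the session-setup order from Tom's reply concrete on this exact example, here is a small simulation added to this thread; it is not code from the original posts or from PAN-OS. It assumes a constructed route table (212.21.20.0/24 on the outside interface, 10.118.20.0/24 on the inside), the OP's destination NAT rule, and simplifies the ingress zone to a route lookup on the source address (a real firewall uses the arrival interface). The NAT lookup only decides the translated destination and therefore the post-NAT zone; the packet's IPs are left as they arrived, which is why the security rule matches the pre-NAT IP together with the post-NAT zone.

```python
import ipaddress

# Constructed topology for the OP's example (assumed, not from the thread):
# a route table mapping prefixes to the zone of the egress interface.
ROUTES = {
    "0.0.0.0/0": "outside",        # default route towards the Internet
    "212.21.20.0/24": "outside",   # public range reachable on the outside interface
    "10.118.20.0/24": "inside",    # internal LAN where the real host lives
}

# Destination NAT rule from the OP: 212.21.20.4 is translated to 10.118.20.3.
NAT_RULES = [
    {"name": "inbound-dnat", "from_zone": "outside",
     "orig_dst": "212.21.20.4", "trans_dst": "10.118.20.3"},
]


def zone_for(ip):
    """Longest-prefix match in ROUTES to find the zone an address lives in."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


def nat_lookup(src_zone, dst_ip):
    """Find the NAT rule that would apply; nothing is rewritten here."""
    for rule in NAT_RULES:
        if rule["from_zone"] == src_zone and rule["orig_dst"] == dst_ip:
            return rule
    return None


def evaluate(src_ip, dst_ip, security_rules):
    """Session setup in the order Tom describes: zones, NAT lookup, then policy."""
    # Simplification (assumed): the ingress zone is derived by a route lookup
    # on the source; a real firewall uses the arrival interface instead.
    src_zone = zone_for(src_ip)
    pre_nat_dst_zone = zone_for(dst_ip)
    nat = nat_lookup(src_zone, dst_ip)
    translated_dst = nat["trans_dst"] if nat else dst_ip
    # The destination zone used for policy comes from the translated address.
    post_nat_dst_zone = zone_for(translated_dst)
    result = {
        "src_zone": src_zone,
        "pre_nat_dst_zone": pre_nat_dst_zone,
        "post_nat_dst_zone": post_nat_dst_zone,
        "translated_dst": translated_dst,
    }
    for rule in security_rules:
        if (rule["from_zone"] == src_zone
                and rule["to_zone"] == post_nat_dst_zone
                and rule["src"] in ("any", src_ip)
                and rule["dst"] in ("any", dst_ip)):   # pre-NAT IP is matched
            result.update(action=rule["action"], rule=rule["name"])
            return result
    result.update(action="deny", rule="interzone-default")
    return result


# Rule written with the rule of thumb: pre-NAT IP, post-NAT zone.
GOOD_RULES = [
    {"name": "allow-inbound", "from_zone": "outside", "to_zone": "inside",
     "src": "any", "dst": "212.21.20.4", "action": "allow"},
]

# Two common mistakes: pre-NAT zone, or post-NAT IP, in the security rule.
WRONG_ZONE_RULES = [
    {"name": "allow-inbound", "from_zone": "outside", "to_zone": "outside",
     "src": "any", "dst": "212.21.20.4", "action": "allow"},
]
WRONG_IP_RULES = [
    {"name": "allow-inbound", "from_zone": "outside", "to_zone": "inside",
     "src": "any", "dst": "10.118.20.3", "action": "allow"},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("wrong zone", WRONG_ZONE_RULES),
                        ("wrong ip", WRONG_IP_RULES)):
        print(name, evaluate("8.8.8.8", "212.21.20.4", rules))
```

Running it shows the ping from 8.8.8.8 to 212.21.20.4 arriving with a pre-NAT destination zone of outside, a post-NAT destination zone of inside, and only the rule written as outside-to-inside with destination 212.21.20.4 allowing it; the two variants fall through to the default interzone deny.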