Nat
L2 Linker

Hello,

I saw this on a website

 

"Security policies differ from NAT rules in that security policies examine post-NAT zones to determine whether the packet is authorized or not."

 

I don't understand why, because it's the packet without NAT (no NAT) that reaches the firewall, and the firewall compares it to the security policy to determine whether the packet is authorized.

 

So normally the security policy should examine pre-NAT zones and not post-NAT zones, shouldn't it?

 

Thank you

 


3 REPLIES

Cyber Elite

Hi @Sarou22 ,

 

You are correct that the incoming packet is destined for a pre-NAT zone.

 

To understand why you put the post-NAT zone in the security policy rule, we need to review the session setup process on the NGFW.  I got this diagram from the PCNSE Study Guide.

 

[Image: session setup flow diagram from the PCNSE Study Guide]

 

The NGFW looks at NAT rules to determine the destination zone before checking the security policy.  It is called a NAT lookup because NAT is not actually applied to the traffic yet.  The NAT rule changes the IP address in the packet on egress.  I like the behavior because the security policy shows the ultimate destination zone for the traffic.  The rule of thumb to apply "pre-NAT IP and post-NAT everything else" to security policy rules works well for these scenarios.

 

Thanks,

 

Tom

 

Help the community: Like helpful comments and mark solutions.

Hello,

 

Sorry, it is not clear to me.

 

My example is the following:

Source zone: outside

Destination zone: inside

Source address: 8.8.8.8

Destination address: 212.21.20.4

NAT rules: 212.21.20.4 translated to 10.118.20.3

 

So when the server 8.8.8.8 pings the user 212.21.20.4, the firewall will translate 212.21.20.4 to

The firewall will examine the post-NAT zone, zone inside?

 

 

Cyber Elite

Hi @Sarou22 ,

 

If you have an inbound destination NAT rule, here is a great article with example NAT and security policy rules on the bottom.

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples...

 

Thanks!

 

Tom

Help the community: Like helpful comments and mark solutions.
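The lookup order described in the replies (NAT lookup first, then the security policy evaluated on pre-NAT addresses and post-NAT zones, with the address rewritten only on egress) can be traced with a small simulation using the addresses from the question. This is an added example, not code from the thread or from Palo Alto Networks; it is a simplified model, not PAN-OS. It assumes a constructed routing table in which 212.21.20.4 is routed via the outside interface (so the NAT rule's pre-NAT destination zone is outside) and 10.118.20.0/24 sits in the inside zone, and it derives the ingress zone from a route lookup on the source address for simplicity. The rule names and the `process_packet`, `zone_for`, `NatRule` and `SecurityRule` helpers are hypothetical.

```python
from dataclasses import dataclass
import ipaddress

# Constructed routing table: the zone each destination prefix is reached through.
# Assumption: the public address 212.21.20.4 lives on the outside interface, so a
# forwarding lookup on the un-translated destination lands in "outside".
ROUTES = {
    ipaddress.ip_network("10.118.20.0/24"): "inside",
    ipaddress.ip_network("212.21.20.0/24"): "outside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}


def zone_for(ip: str) -> str:
    """Longest-prefix match of ip against ROUTES; returns the zone it is reached through."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


@dataclass
class NatRule:
    from_zone: str          # pre-NAT source zone
    to_zone: str            # pre-NAT destination zone
    dst: str                # original (pre-NAT) destination address
    translated_dst: str     # address written into the packet on egress


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str            # post-NAT destination zone
    dst: str                # pre-NAT destination address, or "any"
    action: str             # "allow" or "deny"


def process_packet(src: str, dst: str, nat_rules, security_rules) -> dict:
    """Run the lookups in the order the replies describe and report what each one saw."""
    src_zone = zone_for(src)              # ingress zone (simplified: route lookup on source)
    pre_nat_dst_zone = zone_for(dst)      # forwarding lookup on the original destination

    # 1. NAT lookup: evaluated on pre-NAT zones and addresses; nothing is rewritten yet.
    translated_dst = dst
    for r in nat_rules:
        if (r.from_zone, r.to_zone, r.dst) == (src_zone, pre_nat_dst_zone, dst):
            translated_dst = r.translated_dst
            break

    # 2. A second forwarding lookup on the translated address gives the post-NAT zone.
    post_nat_dst_zone = zone_for(translated_dst)

    # 3. Security lookup: pre-NAT addresses, post-NAT zones. No match means implicit deny.
    action, matched = "deny", None
    for r in security_rules:
        if (r.from_zone == src_zone and r.to_zone == post_nat_dst_zone
                and r.dst in ("any", dst)):
            action, matched = r.action, r.name
            break

    # 4. Only now, on egress, is the destination address actually rewritten.
    egress_dst = translated_dst if action == "allow" else None
    return {
        "pre_nat_dst_zone": pre_nat_dst_zone,
        "post_nat_dst_zone": post_nat_dst_zone,
        "security_rule": matched,
        "action": action,
        "egress_dst": egress_dst,
    }


# Constructed rules using the addresses from the question.
NAT_RULES = [NatRule("outside", "outside", "212.21.20.4", "10.118.20.3")]

# Security rule written as the reply recommends: pre-NAT IP, post-NAT zone.
GOOD_POLICY = [SecurityRule("allow-to-server", "outside", "inside", "212.21.20.4", "allow")]
# Two common mistakes: matching on the pre-NAT zone, or on the post-NAT address.
PRE_NAT_ZONE_POLICY = [SecurityRule("wrong-zone", "outside", "outside", "212.21.20.4", "allow")]
POST_NAT_IP_POLICY = [SecurityRule("wrong-ip", "outside", "inside", "10.118.20.3", "allow")]


if __name__ == "__main__":
    for label, policy in [("good", GOOD_POLICY), ("pre-NAT zone", PRE_NAT_ZONE_POLICY),
                          ("post-NAT IP", POST_NAT_IP_POLICY)]:
        print(label, process_packet("8.8.8.8", "212.21.20.4", NAT_RULES, policy))
```

Running it shows the packet from 8.8.8.8 to 212.21.20.4 entering from outside, the NAT lookup resolving the post-NAT destination zone to inside before any address is changed, and only the rule written with the original address 212.21.20.4 and destination zone inside producing an allow; the two mistaken rules fall through to the implicit deny, which is the usual symptom when a destination NAT "works" in the NAT rule but the traffic is still dropped.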