PAN-OS Bi-Directional NAT and Nintendo Online Gaming

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

PAN-OS Bi-Directional NAT and Nintendo Online Gaming

L1 Bithead

I have a couple of Nintendo consoles on the network which would like to connect for online gaming.


I am on a cable connection so am using Dyndns lookup for my external-IP.


I have the following Bi-Directional NAT policies configured.  


Application Group



Security Policy



NAT Policy



It seems to work with the Wii U but not with the 3DS.


Any assistance will be much appreciated.  


As a last resort I could dig out my old Draytek router for these hosts but would prefer not too...




Kind regards


L3 Networker

> If you can take a packet capture and also see the traffic logs so see what's really happening with the traffic

> And then you can make the required changes in the NAT/Security Policies

> Instead of creating bi-directional try creating separate NAT policy for out going traffic and the incomming traffic

L3 Networker


>>>please specify which zone the internal-wiiU belongs


You can see the same by the command 


test routing fib-lookup virtual-router default ip <ip address>


Please see the zone of  the ip address by the above command and make Nat rule accordingly 


Thank You 




Cyber Elite
Cyber Elite

Hi There



to make sure a bidirectional NAT policy works as expected, the proper formatting would need to be trust to untrust



bidirectional nat



hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization



Thanks to all responding.


I tried the following but no luck... 




If I click on 'Highlight Unused Rules', the Bi-Directional NAT rules are highlighted so the traffic is not even hitting those NAT rules.

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!