PBF with NAT, how does it works?

Showing results for 
Search instead for 
Did you mean: 

PBF with NAT, how does it works?

Not applicable

Hi Guys

According to document , if there's destination NAT , there'll be second routing lookup to decide outbound zone & interface. But I'm very confused when there's routing and PBF together, In the second routing lookup, how does PBF rule work? Does PBF work based on Pre-NAT destination address or Post-NAT destination address? According to document at the second lookup process works based on POST-NAT destination address, that means if the routing table works fine, it should follow routing table lookup result. But in my customers networks it doesn't look like that.. Using PBF and U-Turn NAT together is really kind of a mess.

Thank you very much.


L6 Presenter

Would any of these docs be of any help?

Understanding PAN-OS NAT


Packet Flow in PAN-OS


L7 Applicator


PBF lookup happens in pre-NAT IP address. Also in PAN firewall NAT evaluate at first with original IP but Apply at the end of flow.

Packet flow on PAN firewall:-


Few more information regarding the same.


Testing Security, NAT and PBF Rules via the CLI

Inbound NAT Policy with Outbound PBF Causing IP-Spoofing Drops

NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Packet Flow in PAN-OS

Hope this helps.


Not applicable

Thanks a lot . I'll read these document. Hava a nice day!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!