Port forward does not seem to work


L2 Linker



Imagine this scenario:


Internet PA  ---- ROUTER network


I am forwarding all packets received to https to https which then re-NATs to host


With a stupid D-Link $50 router instead of the PA, everything works. I just forward https to and it works. With the Palo, no way.


In the Palo I also have another network interface (say and I forward other ports to hosts in the and everything works, but if I forward to the which then re-NATs to, it does not work. And I cannot see any errors on the PALO.


I have done these configurations multiple times (I mean just publishing servers etc.). Any suggestions?


How do I troubleshoot NAT? Is there a way to see the NAT translations on the PALO?




Cyber Elite



Did you make sure the [] router has its default gateway set to and the 3.3.3.X host has its default gw to the [] router?

Would you mind sharing more details about your config?


You could try setting a source/destination NAT so behind the PANW the IPs would be src: dst: (to ensure 3.3.3.x knows how to route back).


Did you make sure to set the zones in your NAT rule as 'untrust to untrust'?

Zone membership is determined by looking at the routing table, so the pre-NAT packet will have a source IP from the untrust zone (default gateway out to the internet) and a destination IP in the untrust zone (IP attached to the untrust interface).


Security policy will still be untrust to trust, the destination address still being pre-NAT though.


You can verify NAT being applied to a session by looking up the session information:

> show session id 2275

Session            2275

        c2s flow:
                source: [v1-untrust]
                proto:       17
                sport:       53797           dport:      53
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source: [lab]
                proto:       17
                sport:       53              dport:      1472
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Fri Aug 19 14:21:21 2016
        timeout                              : 31 sec
        total byte count(c2s)                : 88
        total byte count(s2c)                : 143
        layer7 packet count(c2s)             : 1
        layer7 packet count(s2c)             : 1
        vsys                                 : vsys1
        application                          : dns  
        rule                                 : dns-inbound
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : nat-in(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/1
        egress interface                     : ethernet1/2
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : Aged out
        end-reason                           : aged-out


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
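To answer the original question about seeing NAT translations in a checkable way, here is an added example (not code from this thread, from PANgurus or from Palo Alto Networks) that parses the text of a `show session id` dump like the one quoted above and summarizes the fields that matter when troubleshooting NAT: the zone each flow was placed in, the ports before and after translation, the `address/port translation` type, the NAT rule that matched and the security rule that allowed the session. The sample input is a trimmed copy of the session 2275 output from the reply above; the field names and the `None` value used to mean "no translation" are assumptions about the CLI format.

```python
"""Summarize NAT-relevant fields from a PAN-OS `show session id <n>` dump.

Added example, not from the forum thread or Palo Alto Networks.
Assumes the `key : value` layout shown in the thread and that a session
with no translation reports `address/port translation : None`.
"""
import re
from typing import Dict, Optional

# Trimmed copy of the session dump quoted in the reply above (constructed input).
SAMPLE_SESSION = """\
Session            2275

        c2s flow:
                source: [v1-untrust]
                proto:       17
                sport:       53797           dport:      53
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source: [lab]
                proto:       17
                sport:       53              dport:      1472
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Fri Aug 19 14:21:21 2016
        timeout                              : 31 sec
        application                          : dns
        rule                                 : dns-inbound
        address/port translation             : source
        nat-rule                             : nat-in(vsys1)
        ingress interface                    : ethernet1/1
        egress interface                     : ethernet1/2
"""

FLOW_HDR = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
SESSION_HDR = re.compile(r"^\s*Session\s+(\d+)\s*$")
ZONE = re.compile(r"source:\s*\[(?P<zone>[^\]]+)\]")
PORTS = re.compile(r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)")
KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_session(text: str) -> Dict:
    """Parse the dump into {"id": int, "flows": {"c2s": {...}, "s2c": {...}}, <key>: <val>, ...}."""
    session: Dict = {"flows": {}}
    current: Optional[str] = None  # name of the flow block we are inside, if any
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends a flow block
            continue
        m = SESSION_HDR.match(line)
        if m:
            session["id"] = int(m.group(1))
            continue
        m = FLOW_HDR.match(line)
        if m:
            current = m.group(1)
            session["flows"][current] = {}
            continue
        target = session["flows"][current] if current else session
        z = ZONE.search(line)
        if z:
            target["zone"] = z.group("zone")
            continue
        p = PORTS.search(line)
        if p:
            target["sport"] = int(p.group("sport"))
            target["dport"] = int(p.group("dport"))
            continue
        kv = KV.match(line)
        if kv:
            target[kv.group("key")] = kv.group("val")
    return session


def nat_summary(session: Dict) -> Dict:
    """Pull out the fields to compare against the intended NAT and security rules."""
    translation = session.get("address/port translation", "None")
    c2s = session["flows"].get("c2s", {})
    s2c = session["flows"].get("s2c", {})
    return {
        "session_id": session.get("id"),
        "translation": translation,
        "nat_applied": translation.strip().lower() not in ("", "none"),
        "nat_rule": session.get("nat-rule"),
        "security_rule": session.get("rule"),
        # c2s zone is where the pre-NAT packet was placed; s2c zone is the post-NAT side.
        "ingress_zone": c2s.get("zone"),
        "egress_zone": s2c.get("zone"),
        "ingress_interface": session.get("ingress interface"),
        "egress_interface": session.get("egress interface"),
        # dport on the c2s flow is the pre-NAT destination port the client sent to.
        "client_dport": c2s.get("dport"),
        "server_reply_dport": s2c.get("dport"),
    }


if __name__ == "__main__":
    for key, value in nat_summary(parse_session(SAMPLE_SESSION)).items():
        print(f"{key:22}: {value}")
```

For an inbound destination NAT that silently fails, the fields to compare are `nat_rule` (is it the rule you expected, or none at all), `ingress_zone`/`egress_zone` (both should line up with the untrust-to-untrust NAT rule and the untrust-to-trust security rule described above) and `egress_interface` (is the translated packet actually leaving toward the downstream router). Copy the CLI output into `SAMPLE_SESSION` or feed it to `parse_session()` from a file.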



Thanks heaps for your answer.


Yes, so the router has a default route to, and hosts on the network have the right gateway. Please note that with a "dumb" router in which I simply create forward rules to everything works. Basically the dumb router is configured exactly as the Palo, but there is obviously something the Palo is doing more that is preventing that from working.


I have other destination NAT rules that are working on the same PALO (I know you have to define untrust/untrust in the destination NAT). The difference is that the destination NATs that are working are going to a network directly attached to the PALO. For example: PALO ---- host


The destination NAT to WORKS in the PALO.


What does not work is the one originally posted, so PALO --- DUMBROUTER ---- forwarding to which in turn forwards to does not work. With a dumb router instead of the PALO which forwards packets received to to which in turn forwards to, it works.


I am suspecting the PALO is not forwarding the same way the dumb router does and the packets that the DUMBROUTER receives are different from what a "normal" router does.


Unfortunately I cannot share the config. If you have any other ideas, I can put them in my queue, but I have very limited time for testing, as when we switch to the PALO we have very limited time to make things work before reverting back.


But thanks.


