Port Forwarding Problem


L1 Bithead

This should be fairly simple, but I am at my wits' end.


I need to forward 2 ports from an external IP to an internal private ip (Ports 8088 and 22).  I found this article and am following its example:  https://nubisnovem.com/pinning-a-hole-in-palo-alto/



Public/Outside IP of PA-220 :

Internal IP:

IP I am trying to browse/connect from:



I created two Services 

Name: 8088

Protocol: TCP

Destination Port: 8088

Source Port: 1-65535


Name: SSH

Protocol: TCP

Destination Port: 22

Source Port: 1-65535


I created two NAT statements

Name: 8088

Source Zone: Outside

Destination Zone: Outside

Destination Interface: Any

Source Address: Any

Destination Address:

Service: 8088 

Source Translation: None

Destination Translation:


Name: 22

Source Zone: Outside

Destination Zone: Outside

Destination Interface: Any

Source Address: Any

Destination Address:

Service: 22

Source Translation: None

Destination Translation:


I also created 1 security policy

Name: PortForward

Source Zone: Outside

Source Address: Any

Destination Zone: Inside

Destination Address:

Application: Any

Service: 8088 and 22

Action: Allow


When I browse to the web page in a web browser, the PA Monitor shows incomplete under application.

Log Detail:

Like I said I am basing everything on the article above so there may be a better way to do it.  

Any advice is appreciated. 


L7 Applicator

Most likely, doesn't have a route back to, or else it's using a different egress point.


A couple things you can do:

1. Make sure that has a route to and that it goes through the Palo Alto Networks firewall.

2. Use source NAT in addition, specifying the internal IP of the firewall. 


Your traffic log detail shows it just barely, 0 bytes and packets received with 62 bytes sent, probably the TCP SYN packet.


Best regards,

Greg Wesson


Appreciate your response.  


1. I have an additional NAT from my internal zone to external; it's basically my NAT for internet access from my inside zone.

Name:  Inside - Internet Access

Source Zone: Inside

Destination Zone: Outside 

Source Address:

Source Translation: dynamic ip and port   -


That should suffice for getting back to, shouldn't it?


2. Do I need the source NAT if I already have the above NAT?  

Again, thank you.

There is only one NAT rule that is applied for each session, so the separate Source NAT rule you provided won't get applied when the other one is.


Assuming L3 setup:

Run a traceroute from the internal server to the external client IP. Make sure that the MAC address of the firewall your server hits is the same one that is sourcing the traffic inbound from that external client. If not, you've got a routing issue. 


If you're familiar with packet captures, you can take one on the firewall (grab transmit and receive stages) at the same time as one running on the internal server. You should be able to confirm if the SYN is making it to the server, if the server is responding with the expected SYN+ACK, and if that's making it back to the firewall.
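Greg's two points above (the firewall applies only one NAT rule per session, and the reply has to find its way back through the same firewall) are easier to see in a small model. The following Python is an added example, not code from this thread or from Palo Alto Networks. It models the PAN-OS evaluation order: the NAT rule is chosen on pre-NAT zones and addresses and only the first match applies, while the security policy is matched on pre-NAT destination addresses but post-NAT zones. The rule names are the poster's; the IP addresses, the routing table behind `zone_of` and the `pin_return_path` helper are placeholders assumed for the illustration, since the thread's own addresses were stripped.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed placeholder addressing (RFC 5737 / RFC 1918 ranges). The thread's
# own addresses were stripped, so these are assumptions, not the poster's values.
PUBLIC_IP = "203.0.113.10"     # assumed PA-220 outside address
SERVER_IP = "192.168.1.50"     # assumed internal server listening on 8088 and 22
FW_INSIDE_IP = "192.168.1.1"   # assumed firewall inside interface
CLIENT_IP = "198.51.100.25"    # assumed external client

# Assumed routing table. The zone of an address is the zone of the interface the
# firewall would route it out of, which is how PAN-OS derives destination zones.
ROUTES = [("192.168.1.0/24", "Inside"), ("203.0.113.0/24", "Outside"), ("0.0.0.0/0", "Outside")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                        # pre-NAT destination zone
    src: str = "any"
    dst: str = "any"                    # pre-NAT destination address
    dport: Optional[int] = None         # None = any service
    dst_xlate: Optional[str] = None     # destination translation target
    src_xlate: Optional[str] = None     # source translation target (None = no source NAT)


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str                        # post-NAT destination zone
    dst: str = "any"                    # pre-NAT destination address
    dports: Tuple[int, ...] = ()        # empty = any service
    action: str = "allow"


def zone_of(ip: str) -> str:
    """Longest-prefix lookup of ip in ROUTES, returning the egress zone."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net).prefixlen, zone)
            for net, zone in ROUTES if addr in ipaddress.ip_network(net)]
    return max(hits)[1]


def addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def nat_lookup(rules, pkt: Packet) -> Optional[NatRule]:
    """First matching NAT rule wins; PAN-OS applies at most one NAT rule per session."""
    for r in rules:
        if (r.from_zone == zone_of(pkt.src) and r.to_zone == zone_of(pkt.dst)
                and addr_match(r.src, pkt.src) and addr_match(r.dst, pkt.dst)
                and r.dport in (None, pkt.dport)):
            return r
    return None


def evaluate(nat_rules, sec_rules, pkt: Packet) -> dict:
    """Run one client-to-server packet through NAT selection and security policy."""
    nat = nat_lookup(nat_rules, pkt)
    post = pkt if nat is None else replace(
        pkt, src=nat.src_xlate or pkt.src, dst=nat.dst_xlate or pkt.dst)
    # Security policy is matched on the PRE-NAT addresses but the POST-NAT zones.
    sec = next((r for r in sec_rules
                if r.from_zone == zone_of(pkt.src) and r.to_zone == zone_of(post.dst)
                and addr_match(r.dst, pkt.dst)
                and (not r.dports or pkt.dport in r.dports)), None)
    return {
        "nat_rule": nat.name if nat else None,
        "post_nat": post,
        "sec_rule": sec.name if sec and sec.action == "allow" else None,
        # The server addresses its SYN+ACK to the post-NAT source: the real client
        # unless the DNAT rule also source-translates, in which case the reply can
        # only go to the firewall's inside address.
        "reply_to": post.src,
        "reply_pinned_to_firewall": post.src == FW_INSIDE_IP,
    }


def pin_return_path(rules, rule_name: str):
    """Greg's suggestion: add source translation (to the firewall's inside IP) to a DNAT rule."""
    return [replace(r, src_xlate=FW_INSIDE_IP) if r.name == rule_name else r for r in rules]


# The poster's rules, rebuilt with the placeholder addresses above.
NAT_RULES = [
    NatRule("8088", "Outside", "Outside", dst=PUBLIC_IP, dport=8088, dst_xlate=SERVER_IP),
    NatRule("22", "Outside", "Outside", dst=PUBLIC_IP, dport=22, dst_xlate=SERVER_IP),
    NatRule("Inside - Internet Access", "Inside", "Outside", src="192.168.1.0/24", src_xlate=PUBLIC_IP),
]
SEC_RULES = [SecRule("PortForward", "Outside", "Inside", dst=PUBLIC_IP, dports=(8088, 22))]

if __name__ == "__main__":
    inbound = Packet(CLIENT_IP, PUBLIC_IP, 8088)
    print(evaluate(NAT_RULES, SEC_RULES, inbound))
    print(evaluate(pin_return_path(NAT_RULES, "8088"), SEC_RULES, inbound))
```

Running it shows the inbound session selecting the "8088" rule and never the "Inside - Internet Access" rule (its source zone is Inside, and in any case only one rule is chosen), and that without source translation the server answers the client's real address, so the reply only comes back through this firewall if the server's own routing sends it there. It also shows why a security rule written against the post-NAT server address would never match.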




The following might help you a little bit more than what you found in the above article. I would look at live prior to following a random article; usually you'll find we include more information and pictures 😉

The entire article this was pulled from can be found HERE


Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address and TCP Port 80. The destination NAT rule is configured to translate both IP address and port to and TCP port 8080.
The following NAT and security rules must be configured on the firewall:
Use the show session all CLI command to verify the translation.

Ok. So I am still not having any luck. For troubleshooting purposes, I installed IIS on an inside PC on the same network and set up an additional NAT for http-web browsing; that works fine, but I still cannot get port 8088 to work at all. Below, Rule 1 works fine, Rule 2 does not.

At this point for testing purposes I just have a permit any security policy 



What is interesting is that in the monitor log the application shows as web-browsing when I go to port 80, and it works, but it still shows as incomplete when trying 8088.

So to sum up: I have a wide open security policy and 2 identical NAT statements in which the service setup is exactly the same, one for port 80 and one for port 8088. Port 80 works fine going to, but port 8088 going to does not. If I get on an internal PC and browse to it, it works just fine, so I am pretty certain there isn't an internal PC firewall blocking anything.


Browsing to publicip:80 works like it should, but publicip:8088 does not.


Not sure how else to troubleshoot.

Thanks again for any suggestions. 


If you PCAP the traffic, what exactly do you see? Your NAT appears to be working, otherwise you wouldn't get the log, so you either don't have a return path properly set up for the traffic or the is not set up properly, so you never get a response.
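The capture procedure described earlier in the thread (firewall receive and transmit stages alongside a capture on the server) and this last reply both come down to one question: at which hop does the SYN / SYN+ACK exchange stop? The following Python is an added example, not code from this thread or from Palo Alto Networks. It takes the packets observed at each capture stage, all constructed here with placeholder addresses, and reports the first hop where the handshake breaks; `interpret_traffic_log` reads a traffic-log byte count the way Greg did. The stage names, the `Seen` record, the two server addresses and the byte threshold are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable


# One packet observed at a capture point. Capture stages a practitioner would
# combine: the firewall's receive and transmit stages and a capture on the server.
@dataclass(frozen=True)
class Seen:
    stage: str      # "fw_receive", "fw_transmit" or "server" (assumed labels)
    src: str
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN+ACK


def _seen(obs, **want) -> bool:
    """True if some observation has every attribute in `want` equal to the wanted value."""
    return any(all(getattr(o, k) == v for k, v in want.items()) for o in obs)


def diagnose(obs: Iterable[Seen], client: str, public_ip: str, server_ip: str, port: int) -> str:
    """Walk the handshake hop by hop and report the first place it breaks."""
    obs = list(obs)
    checks = [
        (dict(stage="fw_receive", flags="S", src=client, dst=public_ip, dport=port),
         "no SYN reached the firewall: wrong public IP, or it is blocked upstream"),
        (dict(stage="fw_transmit", flags="S", src=client, dst=server_ip, dport=port),
         "SYN not forwarded: destination NAT or security policy did not match"),
        (dict(stage="server", flags="S", src=client, dst=server_ip, dport=port),
         "SYN left the firewall but never reached the server: inside routing, VLAN or ARP"),
        (dict(stage="server", flags="SA", src=server_ip, dst=client),
         "server got the SYN and did not answer: nothing listening on the port, or a host firewall"),
        (dict(stage="fw_receive", flags="SA", src=server_ip, dst=client),
         "server answered but the SYN+ACK never came back: asymmetric return path "
         "(the server's route to the client bypasses this firewall)"),
        (dict(stage="fw_transmit", flags="SA", src=public_ip, dst=client),
         "SYN+ACK reached the firewall but was not sent on: session or zone mismatch"),
    ]
    for want, verdict in checks:
        if not _seen(obs, **want):
            return verdict
    return "handshake completed through the firewall"


def interpret_traffic_log(bytes_sent: int, bytes_received: int, packets_received: int) -> str:
    """Read a PAN-OS traffic-log line: 'sent' counts client-to-server bytes.
    The 80-byte ceiling for 'just a SYN' is an assumed rule of thumb."""
    if bytes_received == 0 and packets_received == 0 and 0 < bytes_sent <= 80:
        return "only the client's SYN was seen; nothing came back from the server"
    if bytes_received == 0:
        return "client data was forwarded but the server side never replied"
    return "traffic flowed in both directions"


# Constructed captures with placeholder addresses (not the poster's data).
CLIENT, PUBLIC = "198.51.100.25", "203.0.113.10"
SERVER, IIS_PC = "192.168.1.50", "192.168.1.60"   # 8088 host and the test IIS host
EPH = 51514                                        # client's ephemeral port

# The working port-80 test: every hop of the handshake is observed.
CASE_80 = [
    Seen("fw_receive", CLIENT, PUBLIC, 80, "S"),
    Seen("fw_transmit", CLIENT, IIS_PC, 80, "S"),
    Seen("server", CLIENT, IIS_PC, 80, "S"),
    Seen("server", IIS_PC, CLIENT, EPH, "SA"),
    Seen("fw_receive", IIS_PC, CLIENT, EPH, "SA"),
    Seen("fw_transmit", PUBLIC, CLIENT, EPH, "SA"),
]

# The failing port-8088 case as one possible capture: the server answers, but
# its SYN+ACK is never seen again at the firewall.
CASE_8088 = [
    Seen("fw_receive", CLIENT, PUBLIC, 8088, "S"),
    Seen("fw_transmit", CLIENT, SERVER, 8088, "S"),
    Seen("server", CLIENT, SERVER, 8088, "S"),
    Seen("server", SERVER, CLIENT, EPH, "SA"),
]

if __name__ == "__main__":
    print(diagnose(CASE_80, CLIENT, PUBLIC, IIS_PC, 80))
    print(diagnose(CASE_8088, CLIENT, PUBLIC, SERVER, 8088))
    print(interpret_traffic_log(62, 0, 0))
```

The ordered checks mirror the troubleshooting order in the thread: a 62-byte "sent" with 0 received in the traffic log only tells you the SYN got through the firewall; the captures then separate "server never answered" (port not listening or host firewall) from "server answered but the reply went elsewhere" (return path), which call for different fixes.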
