Port Forwarding


Not applicable

I am trying to create a webpage to display the video stream of two of our IP Cameras.

The page works perfectly from inside the network but not from outside the network.

I think I need to set up some kind of port forwarding rule on my Palo Alto and then program that into the web page, but am not sure how to accomplish this on the Palo Alto.




L6 Presenter

Sorry but I am still not sure what I am supposed to do here.

L7 Applicator

You'll want to create a Destination NAT rule using the doc that was linked. If you're trying to do port forwarding, you would just need to specify what port (service) it is coming in on, and what port you want it to go to internally.

For example, if you want to translate port 80 hitting your public IP of to port 8080 on your internal server address of

Original Packet Tab

Source Zone: Untrust

Destination Zone: Untrust

Destination Interface: Any (or the public interface)

Service: Define a new service or use the pre-configured "service-http"

Source Address: Any (or a list of IPs you want to connect from)

Destination Address:

Translated Packet Tab:

Source Address Translation:


Destination Address Translation:

Translated Address:

Translated Port: 8080

You'll also need an associated security rule to allow the traffic from the Untrust zone to the Trust zone, destination IP is

Hope this helps,
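
Added example, not part of the post above and not Palo Alto's own code: a simplified Python model of how the firewall evaluates the rule pair described in that post, showing why the NAT rule's destination zone is Untrust while the security rule's is Trust. The addresses, zone networks, rule dictionaries and function names are constructed placeholders, and the model covers only zone, address and port matching.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed placeholder values, not taken from the thread.
PUBLIC_IP, SERVER_IP = "203.0.113.10", "192.168.10.50"
ZONES = {"untrust": ip_network("0.0.0.0/0"), "trust": ip_network("192.168.10.0/24")}

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_ip: str
    dst_port: int

def zone_of(ip):
    """Route lookup: the most specific network containing ip decides the zone."""
    hits = [(net.prefixlen, zone) for zone, net in ZONES.items() if ip_address(ip) in net]
    return max(hits)[1]

# NAT rule: zones are matched on the ORIGINAL packet, and the public IP routes
# to untrust, so the rule reads untrust -> untrust.
NAT_RULE = dict(src_zone="untrust", dst_zone="untrust", dst_ip=PUBLIC_IP,
                dst_port=80, to_ip=SERVER_IP, to_port=8080)

def apply_nat(pkt, rule=NAT_RULE):
    """Return the translated packet if the NAT rule matches, else pkt unchanged."""
    hit = (pkt.src_zone == rule["src_zone"]
           and zone_of(pkt.dst_ip) == rule["dst_zone"]
           and pkt.dst_ip == rule["dst_ip"]
           and pkt.dst_port == rule["dst_port"])
    return replace(pkt, dst_ip=rule["to_ip"], dst_port=rule["to_port"]) if hit else pkt

# Security rules (application/service matching is left out of this model).
SEC_RULE_OK = dict(src_zone="untrust", dst_zone="trust", dst_ip=PUBLIC_IP)
SEC_RULE_WRONG_ZONE = dict(src_zone="untrust", dst_zone="untrust", dst_ip=PUBLIC_IP)
SEC_RULE_WRONG_ADDR = dict(src_zone="untrust", dst_zone="trust", dst_ip=SERVER_IP)

def allowed(pkt, sec_rule):
    """Security check: post-NAT destination zone, pre-NAT destination address."""
    post = apply_nat(pkt)
    return (pkt.src_zone == sec_rule["src_zone"]
            and zone_of(post.dst_ip) == sec_rule["dst_zone"]
            and pkt.dst_ip == sec_rule["dst_ip"])

if __name__ == "__main__":
    web = Packet("untrust", PUBLIC_IP, 80)
    print(apply_nat(web))
    for name in ("SEC_RULE_OK", "SEC_RULE_WRONG_ZONE", "SEC_RULE_WRONG_ADDR"):
        print(name, allowed(web, globals()[name]))
```

The two rejected rules are the usual mistakes when pairing a Destination NAT rule with its security rule: copying the NAT rule's destination zone, or using the translated address as the destination.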


L4 Transporter

Check NAT and PAT rule.

may be helpful for you.

Dynamic NAT translation using IP and port
To enable one single routed interface IP address to be reused for translation several times, the Layer 4 information is attached to the source address.

This can easily be done in the web interface; in the CLI, however, it is quite hard to find the hierarchy. NAT is under the rulebase hierarchy.

How to configure dynamic port NAT

admin@PA-5050> configure

Entering configuration mode


admin@PA-5050# edit rulebase nat

[edit rulebase nat]

admin@PA-5050# set rules trust-to-untrust description "Dynamic PAT"

[edit rulebase nat]

admin@PA-5050# set rules trust-to-untrust from trust to untrust destination any service any source any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip

[edit rulebase nat]

admin@PA-5050# commit


Configuration committed successfully

Interface ethernet1/1 has no virtual-router configuration.

Interface ethernet1/2 has no virtual-router configuration.

[edit rulebase nat]


Set up a virtual router to route packets
Create a static default route by first creating a virtual router. Treat the virtual router like a router process: you need to include the interfaces that are available to the virtual router. The virtual router is located under the network hierarchy.

[edit rulebase nat]

admin@PA-5050# top


admin@PA-5050# set network virtual-router static-route interface ethernet1/1


admin@PA-5050# set network virtual-router static-route interface ethernet1/2

Take note that static-route is a name I defined for the virtual router; there is a default profile which you can use if you want.

Define the default routes with the static-route profile.

admin@PA-5050# set network virtual-router static-route routing-table ip static-route static-default-route interface ethernet1/1 nexthop ip-address

admin@PA-5050# commit


Configuration committed successfully



Take note that static-default-route is the routing-table profile I have created; you can create any name you want.

Thanks gwesson - This is exactly what I was looking for while migrating config from Juniper to PAN firewall. Can I use a security policy based on App-ID, e.g. web-browsing for HTTP, or do I need to use service, since service has been used in the NAT policy configuration?

You can use either or both. If you use application, it's more broad and covers more than just a port. You can use a service- (port-) based policy if you want to make it work more like a basic firewall. In general I use applications since it gives much more coverage. You can even use both (or the "application-default" service) if you want to lock it down even further.

There are no restrictions though, the NAT and Security policies are independent.

