- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-25-2017 05:43 AM
Hi,
I'm migrating my security policy from a netscreen firewall to a Palo Alto firewall. I used the migration tool and I'm currently reviewing the NAT rules, and I'm getting a bit confused about security zones after NAT.
- I have 3 interfaces : Trust, Unstrust, DMZ.
- I have a public IP range, that has nothing to do with the Untrust interface. My Untrust interface is 1.1.1.1, and my public IP range is 2.2.2.0/24.
- 2.2.2.0/24 is routed to Trust interface.
- Now I have a server in DMZ, with IP 192.168.1.9 with the gateway 192.168.1.1 (DMZ interface)
- So I have a NAT from DMZ (adress 192.168.1.9) to Untrust (any) that translates the source IP into 2.2.2.9.
==> The question is to know the source zone for my security policy?
is it DMZ or is it Trust ? Is the reverse route evaluated after source NAT ?
solution 1: from DMZ to Untrust
In the "understanding and configuring NAT" tech note from Palo Alto, the life of a packet diagram says to re-evaluate the route lookup after the NAT in case of translation on a destination address, so the destination zone is re-evaluated for the security policy. But in case of source address translation, it says to go directly to security policy.
solution 2: from Trust to Untrust
On the other hand, this link says the following :
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/nat.html
"Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones"
See, zones is plural here, so are both routes for source and destination re-evaluated ?
Does anyone have an example like mine in production environment?
07-25-2017 07:24 AM
Palo first checks if traffic flows on permitted ip/port.
Then identifies application.
Then does threat.
And if traffic passes all checks then IP is changed in the packet.
Every interface belongs to zone.
If traffic enters firewall it comes from zone and SOURCE ZONE NEVER CHANGES.
Now if it is SNAT (traffic that comes from DMZ to Untrust) then in NAT policy source zone is DMZ and destination zone is Untrust. Same in security policy.
Different story is with DNAT if traffic comes from Untrust and goes to DMZ.
Traffic comes from Untrust zone because it enters firewall from interface that is in Untrust zone.
Now as traffic is destined to your public IP that according to routing table is in Untrust zone your NAT zones are:
Untrust > Untrust and from any source IP to your wan IP.
NAT is evaluated and destination zone is changed in packet metadata BUT NOT DESTINATION IP.
Security policy is checked when IP is still destined to original public IP so zone config matches correct destination zone:
Untrust > DMZ but IP is still wan IP.
🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!