07-08-2021 01:34 AM - edited 07-08-2021 01:37 AM
Hello everyone
The NAT type we are using is "Dynamic IP and Port", the Palo Alto Networks firewall translates the source IP address or range to a single IP address.
For this conversation, when the packets arrive at the FW, we can see the source port is always the same.
But when the packets leave the FW, the source port has been NATed to multiple ports.
This causes a problem: the destination will close the conversation once it detects that the source port has changed.
Is there any way to keep the source port NATed to a single port all the time?
Thanks
07-08-2021 11:53 AM
It's doing what you're asking it to. You would want this traffic hitting a NAT rulebase entry using "Dynamic IP" as the translation type instead of "Dynamic IP and Port". Due to this traffic likely hitting a global rule utilized across the environment, I would recommend creating a new rule and making it as specific as possible so that it's only matching the intended traffic.
07-08-2021 02:57 PM
Hi @DongQu
As @BPry wrote, the firewall is doing what it is configured to. For every session it assigns a "random" source port for the NATed connection. The reason the source port after NAT changes is that the firewall sees these as new sessions. By default the UDP timeout is 30 seconds. So if there is no traffic for more than 30 seconds, the session is removed from the session table and for the next packet a new session is created in the session table. In your situation it should work if you increase the session timeout for this UDP traffic, because then, as long as there is traffic, the firewall will also keep the same source port after NAT is applied.
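The mechanism described in this reply, as an added toy model (not code from the thread or from Palo Alto Networks): a Dynamic IP and Port session table keyed on the 5-tuple, with an idle timeout; once a UDP flow's packets are spaced further apart than the timeout, the old session has aged out and the next packet draws a fresh translated port. Port allocation is modelled as a simple counter, and the addresses are constructed documentation-range values.

```python
"""Toy model of a Dynamic IP and Port NAT session table with an idle timeout.

Added example, not the firewall's real implementation. Port selection is a
plain counter standing in for the real allocator; the point is the session
lifetime, not the port choice.
"""
from dataclasses import dataclass

DEFAULT_UDP_TIMEOUT = 30  # seconds; the thread states this is the default


@dataclass
class Session:
    translated_port: int
    last_seen: float


class DynamicIpAndPortNat:
    def __init__(self, public_ip, udp_timeout=DEFAULT_UDP_TIMEOUT, first_port=10000):
        self.public_ip = public_ip
        self.udp_timeout = udp_timeout
        self._next_port = first_port
        # (src_ip, src_port, dst_ip, dst_port) -> Session
        self._table = {}

    def _expire(self, now):
        """Drop sessions idle for longer than the UDP timeout."""
        stale = [k for k, s in self._table.items() if now - s.last_seen > self.udp_timeout]
        for k in stale:
            del self._table[k]

    def translate(self, now, src_ip, src_port, dst_ip, dst_port):
        """Return (public_ip, translated_port) for a UDP packet seen at time `now`."""
        self._expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        sess = self._table.get(key)
        if sess is None:  # no live session: allocate a new translated port
            sess = Session(self._next_port, now)
            self._next_port += 1
            self._table[key] = sess
        sess.last_seen = now  # traffic refreshes the idle timer
        return self.public_ip, sess.translated_port


def translated_ports(packet_times, udp_timeout=DEFAULT_UDP_TIMEOUT):
    """Translated source ports for one inside host sending UDP at the given times.

    Constructed sample flow: 10.0.0.5:5060 -> 198.51.100.7:5060 behind 203.0.113.10.
    """
    nat = DynamicIpAndPortNat("203.0.113.10", udp_timeout=udp_timeout)
    return [nat.translate(t, "10.0.0.5", 5060, "198.51.100.7", 5060)[1] for t in packet_times]
```

With packets 40 seconds apart, the default 30-second timeout yields a different port for every packet, while a 120-second timeout keeps the same port for the whole flow.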
07-08-2021 06:40 PM
Hi @Remo
I've tried increasing the session timeout, but unfortunately it did not work.
As I only have 1 public IP for NATting, is it possible to create a separate NAT policy for a particular traffic?
Thanks
07-08-2021 11:49 PM
What application does your firewall see for this traffic in the logs?
Regarding the separate policy: With only one IP I would not recommend that. Mainly because you still need this IP for the general dynamic IP and port NAT rule. It might work, but I personally would not mix that.
07-09-2021 12:33 AM
hello @Remo
"unknown udp", so I defined an application and specified the "udp timeout", and it worked.
But I am not sure why the "session timeout" does not work in the global setting.