The source port was natted to multiple source ports while the packets leaving the FW

cancel
Showing results for 
Search instead for 
Did you mean: 

The source port was natted to multiple source ports while the packets leaving the FW

L2 Linker

Hello everyone

 

The NAT type we are using is "Dynamic IP and Port", the Palo Alto Networks firewall translates the source IP address or range to a single IP address.

 

for this conversion, when the packets arriving the FW, we can see the source port is all the same

DongQu_1-1625733192489.png

 

But while the packets leaving the FW, the source port was natted to multiple ports

DongQu_0-1625733419236.png

 

This brings a problem that the destination will close the conversion once it detects the source port changed.

Is there any way to keep the source port is natted to a single port all the time?

 

Thanks

 

5 REPLIES 5

Cyber Elite
Cyber Elite

@DongQu,

It's doing what you're asking it to. You would want this traffic hitting a NAT rulebase entry using "Dynamic IP" as the translation type instead of "Dynamic IP and Port". Due to this traffic likely hitting a global rule utilized across the environment, I would recommend creating a new rule and making it as specific as possible so that it's only matching the intended traffic. 

Cyber Elite
Cyber Elite

Hi @DongQu 

As @BPry wrote the firewall is doing what it is configured to. For every session it assigns a "random" source port for the NATed connection. The reason that the source port after NAT changes because the firewall sees these as new sessions. By default the UDP timeout is 30 seconds. So if there is no traffic more than 30 seconds the session is removed from the sessiontable and for the next packet a new session is created in the session table. In your situation it should work if you increase the session timeout for this UDP traffic because then as long as there is traffic the firewall will also keep the same source port after NAT is applied.

Hi @vsys_remo 

I've tried to increasing the session timeout, unfortunately it did not work.

DongQu_0-1625794639766.png

DongQu_1-1625794737361.png

As I only have 1 public IP for natting, is it possible to create a separate nat policy for a particular traffic?

Thanks

 

 

@DongQu 

What application does your firewall see for this traffic in the logs?

 

Regarding the separate policy: With only one IP I would not recommend that. Mainly because you still need this IP for the general dynamic IP and port NAT rule. It might work, but I personally would not mix that.

hello @vsys_remo 

"unknown udp", so I defined an application and specified the "udp timeout", it worked.

but I am not sure why the "session timeout" does not work in the global setting.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!